ASXtoMP3ConverterSOFexploit

ASX to MP3 Converter 1.82.50 SOF exploit

Software: https://www.exploit-db.com/apps/b7c8c2a232e1d4a959c43970a877a799-ASXtoMP3Converter.exe
Date: 02 Oct 2022
Thanks to codingo for the reference (https://github.com/codingo/OSCP-2/blob/master/Exploits/ATMC_v1.82.50.py)
Author: Dylan Jenkins
Based on PoC by the totally real person: Ivan Ivanovic Ivanov
Reference: https://www.exploit-db.com/exploits/38382/
Tested on: Windows 2k3
EIP Offset: 249. Note that the EIP seems to change depending on the logged-in user or some other factors I couldn't work out
Bad Chars: \x00\x09\x0a\x1a
Return Address | dll: 0x1003789d ("\xFF\xEF", JMP ESP) | MSA2Multility03.dll
Usage: Open ASX to MP3 Converter application > load evil asx file

Scripts:

  1. asxmp3_EIPoffset.py > determine required EIP offset
  2. asxmp3_controlEIP.py > prove that EIP offset is correct
  3. asxmp3_calcexploit.py > prove exploit works by launching calc.exe
  4. ASXtoMP3ConverterSOFexploit.py > Full exploit to execute reverse shell