Title: Free Audio Video Pack 2.22.0.0 - Binary Planting
Date: 2020-1-27
Author: Nir Yehoshua
Product: http://www.pazera-software.com/files/FreeAudioVideoPack.7z
Tested on: Microsoft Windows 10 x64 [eng]
The Loading:
0x776B4C80 - FreeAudioVideoPack.exe used the "LdrLoadDll" function to load a binary with the following parameters:
# Type Name Value
1 PWSTR SearchPath 16385
2 PULONG DllCharacteristics 0x0019eda0 = 0
3 PUNICODE_STRING Name 0x0019edb0 = { Length = 24, MaximumLength = 26, Buffer = 0x75a25d60 }
4 PVOID* BaseAddress 0x0019eda4 = 0x72e40000 "C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.418_none_2e73e95e27897f63\comctl32.dll"
NTSTATUS Return STATUS_SUCCESS
The Vulnerability:
The interesting function starts at 0x760A4BC2. FreeAudioVideoPack.exe does not verify the binaries in "C:\Users\%user%\Desktop\FreeAudioVideoPack\apps\".
A potential attacker can replace the legitimate binaries in that directory with malicious ones, which then execute within the virtual memory space of FreeAudioVideoPack.exe:
760A4BC2 | 55 | push ebp |
760A4BC3 | 8BEC | mov ebp,esp |
760A4BC5 | 6A FF | push FFFFFFFF |
760A4BC7 | 68 D0741976 | push windows.storage.761974D0 |
760A4BCC | 64:A1 00000 | mov eax,dword ptr fs:[0] |
760A4BD2 | 50 | push eax |
760A4BD3 | 83EC 64 | sub esp,64 |
760A4BD6 | A1 541A4B76 | mov eax,dword ptr ds:[764B1A54] |
760A4BDB | 33C5 | xor eax,ebp |
760A4BDD | 8945 F0 | mov dword ptr ss:[ebp-10],eax |
760A4BE0 | 53 | push ebx |
760A4BE1 | 56 | push esi |
760A4BE2 | 57 | push edi |
760A4BE3 | 50 | push eax |
760A4BE4 | 8D45 F4 | lea eax,dword ptr ss:[ebp-C] |
760A4BE7 | 64:A3 00000 | mov dword ptr fs:[0],eax |
760A4BED | 8BD9 | mov ebx,ecx |
760A4BEF | 8B45 0C | mov eax,dword ptr ss:[ebp+C] |
760A4BF2 | 8B55 20 | mov edx,dword ptr ss:[ebp+20] |
760A4BF5 | 8B4D 18 | mov ecx,dword ptr ss:[ebp+18] |
760A4BF8 | 8B75 1C | mov esi,dword ptr ss:[ebp+1C] |
760A4BFB | 8B7D 08 | mov edi,dword ptr ss:[ebp+8] |
760A4BFE | 8945 A0 | mov dword ptr ss:[ebp-60],eax |
760A4C01 | 837D A0 00 | cmp dword ptr ss:[ebp-60],0 |
760A4C05 | 8B45 10 | mov eax,dword ptr ss:[ebp+10] |
760A4C08 | 8945 9C | mov dword ptr ss:[ebp-64],eax |
760A4C0B | 8B45 14 | mov eax,dword ptr ss:[ebp+14] |
760A4C0E | 8955 98 | mov dword ptr ss:[ebp-68],edx |
760A4C11 | 8B55 24 | mov edx,dword ptr ss:[ebp+24] |
760A4C14 | 8945 94 | mov dword ptr ss:[ebp-6C],eax |
760A4C17 | 894D 90 | mov dword ptr ss:[ebp-70],ecx |
760A4C1A | 8975 D8 | mov dword ptr ss:[ebp-28],esi |
760A4C1D | 8955 A4 | mov dword ptr ss:[ebp-5C],edx |
760A4C20 | 0F85 AA0300 | jne windows.storage.760A4FD0 |
760A4C26 | 837D 9C 00 | cmp dword ptr ss:[ebp-64],0 |
760A4C2A | 0F85 CF0300 | jne windows.storage.760A4FFF |
760A4C30 | 85C0 | test eax,eax |
760A4C32 | 0F85 B10300 | jne windows.storage.760A4FE9 |
760A4C38 | 85C9 | test ecx,ecx |
760A4C3A | 0F85 B40300 | jne windows.storage.760A4FF4 |
760A4C40 | 85F6 | test esi,esi |
760A4C42 | 0F85 90D713 | jne windows.storage.761E23D8 |
760A4C48 | 8B45 98 | mov eax,dword ptr ss:[ebp-68] |
760A4C4B | 85C0 | test eax,eax |
760A4C4D | 0F85 90D713 | jne windows.storage.761E23E3 |
760A4C53 | 85D2 | test edx,edx |
760A4C55 | 0F85 93D713 | jne windows.storage.761E23EE |
760A4C5B | E8 75070C00 | call windows.storage.761653D5 |
760A4C60 | 84C0 | test al,al |
760A4C62 | 0F84 380100 | je windows.storage.760A4DA0 |
760A4C68 | C645 AB 00 | mov byte ptr ss:[ebp-55],0 |
760A4C6C | C745 FC 000 | mov dword ptr ss:[ebp-4],0 |
760A4C73 | 8D8B 9C0000 | lea ecx,dword ptr ds:[ebx+9C] |
760A4C79 | 8B01 | mov eax,dword ptr ds:[ecx] |
760A4C7B | C745 EC 000 | mov dword ptr ss:[ebp-14],0 | [ebp-14]:L"C:\\Users\\nir\\Desktop\\FreeAudioVideoPack\\apps\\3GP_to_AVI\\3gptoavi.exe"
760A4C82 | 8B70 38 | mov esi,dword ptr ds:[eax+38] |
760A4C85 | 8D45 EC | lea eax,dword ptr ss:[ebp-14] | [ebp-14]:L"C:\\Users\\nir\\Desktop\\FreeAudioVideoPack\\apps\\3GP_to_AVI\\3gptoavi.exe"
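One way to close the gap described above, as an added example that is not the advisory's or Pazera Software's code: the main executable pins every helper under apps\ to a SHA-256 manifest and refuses to launch a file that is unknown or no longer matches. The temporary directory, file contents and the 3GP_to_AVI\3gptoavi.exe name are constructed here from the path the advisory shows.

```python
# Added example, not code from the advisory or the vendor: pin the helper
# binaries under apps\ to a SHA-256 manifest and refuse to launch anything
# that is unknown or modified. File names and contents below are constructed.
import hashlib
import hmac
import os
import tempfile

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large helpers are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (relative path) to its digest. Produce this at
    build time and embed it in the signed main executable, not beside the helpers."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_helper(root, rel_path, manifest):
    """True only for a pinned helper whose on-disk digest still matches;
    an unknown, missing or replaced file is rejected before any launch."""
    expected = manifest.get(rel_path)
    full = os.path.join(root, rel_path)
    if expected is None or not os.path.isfile(full):
        return False
    return hmac.compare_digest(sha256_file(full), expected)

def demo():
    """Constructed scenario: pin one helper, then overwrite it in place."""
    rel = os.path.join("3GP_to_AVI", "3gptoavi.exe")
    with tempfile.TemporaryDirectory() as apps:
        helper = os.path.join(apps, rel)
        os.makedirs(os.path.dirname(helper))
        with open(helper, "wb") as f:
            f.write(b"MZ legitimate helper (constructed placeholder)")
        manifest = build_manifest(apps)
        before = verify_helper(apps, rel, manifest)
        with open(helper, "wb") as f:          # same path, different bytes
            f.write(b"MZ replaced file (constructed placeholder)")
        after = verify_helper(apps, rel, manifest)
        unknown = verify_helper(apps, "not_pinned.exe", manifest)
    return before, after, unknown
```

The manifest only helps if it lives somewhere the user cannot edit, such as inside the signed main binary or an installation directory with administrator-only write access; a manifest stored next to the helpers can be replaced along with them.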