Title: Free Audio Video Pack 2.22.0.0 - Binary Planting Date: 2020-1-27 Author: Nir Yehoshua Product: http://www.pazera-software.com/files/FreeAudioVideoPack.7z Tested on: Microsoft Windows 10 x64 [eng] The Loading: 0x776B4C80 - FreeAudioVideoPack.exe used "LdrLoadDll" function to load binary with the following parameters: # Type Name Value 1 PWSTR SearchPath 16385 2 PULONG DllCharacteristics 0x0019eda0 = 0 3 PUNICODE_STRING Name 0x0019edb0 = { Length = 24, MaximumLength = 26, Buffer = 0x75a25d60 } 4 PVOID* BaseAddress 0x0019eda4 = 0x72e40000 "C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.418_none_2e73e95e27897f63\comctl32.dll" NTSTATUS Return STATUS_SUCCESS The Vulnerability: The intresting function starts at 0x760A4BC2, FreeAudioVideoPack.exe didn't verifing the binaries in "C:\Users\%user%\Desktop\FreeAudioVideoPack\apps\". A potential attacker can replace the legitimate binaries in with malicious binaries and run it under FreeAudioVideoPack.exe virtual memory space: 760A4BC2 | 55 | push ebp | 760A4BC3 | 8BEC | mov ebp,esp | 760A4BC5 | 6A FF | push FFFFFFFF | 760A4BC7 | 68 D0741976 | push windows.storage.761974D0 | 760A4BCC | 64:A1 00000 | mov eax,dword ptr fs:[0] | 760A4BD2 | 50 | push eax | 760A4BD3 | 83EC 64 | sub esp,64 | 760A4BD6 | A1 541A4B76 | mov eax,dword ptr ds:[764B1A54] | 760A4BDB | 33C5 | xor eax,ebp | 760A4BDD | 8945 F0 | mov dword ptr ss:[ebp-10],eax | 760A4BE0 | 53 | push ebx | 760A4BE1 | 56 | push esi | 760A4BE2 | 57 | push edi | 760A4BE3 | 50 | push eax | 760A4BE4 | 8D45 F4 | lea eax,dword ptr ss:[ebp-C] | 760A4BE7 | 64:A3 00000 | mov dword ptr fs:[0],eax | 760A4BED | 8BD9 | mov ebx,ecx | 760A4BEF | 8B45 0C | mov eax,dword ptr ss:[ebp+C] | 760A4BF2 | 8B55 20 | mov edx,dword ptr ss:[ebp+20] | 760A4BF5 | 8B4D 18 | mov ecx,dword ptr ss:[ebp+18] | 760A4BF8 | 8B75 1C | mov esi,dword ptr ss:[ebp+1C] | 760A4BFB | 8B7D 08 | mov edi,dword ptr ss:[ebp+8] | 760A4BFE | 8945 A0 | mov dword ptr ss:[ebp-60],eax | 760A4C01 | 837D A0 00 | cmp dword ptr ss:[ebp-60],0 | 760A4C05 | 8B45 10 | mov eax,dword ptr ss:[ebp+10] | 760A4C08 | 8945 9C | mov dword ptr ss:[ebp-64],eax | 760A4C0B | 8B45 14 | mov eax,dword ptr ss:[ebp+14] | 760A4C0E | 8955 98 | mov dword ptr ss:[ebp-68],edx | 760A4C11 | 8B55 24 | mov edx,dword ptr ss:[ebp+24] | 760A4C14 | 8945 94 | mov dword ptr ss:[ebp-6C],eax | 760A4C17 | 894D 90 | mov dword ptr ss:[ebp-70],ecx | 760A4C1A | 8975 D8 | mov dword ptr ss:[ebp-28],esi | 760A4C1D | 8955 A4 | mov dword ptr ss:[ebp-5C],edx | 760A4C20 | 0F85 AA0300 | jne windows.storage.760A4FD0 | 760A4C26 | 837D 9C 00 | cmp dword ptr ss:[ebp-64],0 | 760A4C2A | 0F85 CF0300 | jne windows.storage.760A4FFF | 760A4C30 | 85C0 | test eax,eax | 760A4C32 | 0F85 B10300 | jne windows.storage.760A4FE9 | 760A4C38 | 85C9 | test ecx,ecx | 760A4C3A | 0F85 B40300 | jne windows.storage.760A4FF4 | 760A4C40 | 85F6 | test esi,esi | 760A4C42 | 0F85 90D713 | jne windows.storage.761E23D8 | 760A4C48 | 8B45 98 | mov eax,dword ptr ss:[ebp-68] | 760A4C4B | 85C0 | test eax,eax | 760A4C4D | 0F85 90D713 | jne windows.storage.761E23E3 | 760A4C53 | 85D2 | test edx,edx | 760A4C55 | 0F85 93D713 | jne windows.storage.761E23EE | 760A4C5B | E8 75070C00 | call windows.storage.761653D5 | 760A4C60 | 84C0 | test al,al | 760A4C62 | 0F84 380100 | je windows.storage.760A4DA0 | 760A4C68 | C645 AB 00 | mov byte ptr ss:[ebp-55],0 | 760A4C6C | C745 FC 000 | mov dword ptr ss:[ebp-4],0 | 760A4C73 | 8D8B 9C0000 | lea ecx,dword ptr ds:[ebx+9C] | 760A4C79 | 8B01 | mov eax,dword ptr ds:[ecx] | 760A4C7B | C745 EC 000 | mov dword ptr ss:[ebp-14],0 | [ebp-14]:L"C:\\Users\\nir\\Desktop\\FreeAudioVideoPack\\apps\\3GP_to_AVI\\3gptoavi.exe" 760A4C82 | 8B70 38 | mov esi,dword ptr ds:[eax+38] | 760A4C85 | 8D45 EC | lea eax,dword ptr ss:[ebp-14] | [ebp-14]:L"C:\\Users\\nir\\Desktop\\FreeAudioVideoPack\\apps\\3GP_to_AVI\\3gptoavi.exe"