1. Software description
BoxSoft WAV to MP3 Converter is a 100% free, powerful audio conversion tool that batch-converts WAV files into high-quality MP3 audio files. It ships with a standard audio encoder, lets you set the bit rate, converts many audio files in one run, and has another handy feature: a "hot" directory can be set, so that WAV files written to the monitored directory are converted to MP3 automatically.
Test platform: Microsoft Windows XP Professional SP3 (Chinese version)
Software address: http://www.boxoft.com/wav-to-mp3/

2. Vulnerability description
Because overflow checks were left out during development, it is easy for an attacker to write specific code for this software: by crafting a file and inducing the user to open the malformed mp3 file, the system can be damaged, triggering CVE-2015-7243. When processing a WAV file, if the first four bytes of the header are not "RIFF", the program does not stop processing; it keeps reading the file looking for "RIFF", and the read ends only when one of three conditions is met: "RIFF" is found, the end of the file is reached, or the length read is greater than or equal to 0x2000. The processing function does not allocate that much space for the data it reads, so all we need is a very long string that does not contain "RIFF" to cause a stack overflow, which can lead to arbitrary code execution, for example downloading malicious code from a specified address and running it locally.
Vulnerability rating: Critical
PoC address: https://www.exploit-db.com/exploits/38035/

3. Vulnerability analysis
(1) Locating the faulting code from the error information
A WAV file with the specific structure described above was generated; opening it produces an unreadable-memory exception. Loading the program into OD (OllyDbg) positions the fault at address 0x004B9C7D: the address referenced by [esi+eax] cannot be read, which raises the exception.
Using a stack backtrace, the following code snippet was found to modify that address. The loop performs no length check, so it overflows the stack and overwrites local variables, replacing the saved address they hold and causing the exception above.
(2) Using tools to analyze the code that causes the exception
PEiD shows the program was written in Delphi, so it was loaded into DEDEDARK to analyze this function. When the function starts it first reads the first 4 bytes of the WAV file ("AAAA" in the test file) and saves them at [esp+c]; esp+c is the start address of a character array. A switch statement follows, and execution begins with case 0.
In case 0, the function first checks whether the first 4 bytes equal "RIFF". If not, it reads 1 more byte and compares the 4 bytes read so far again; esi holds the offset of the data read. If they still do not match, it keeps reading from the file until it reaches the end of the file or esi is greater than or equal to 0x2000. The function's local stack space is nowhere near that large, hence the overflow. The loop entered at 0x004B9C6C compares the data read with the string held in edx; the comparison is case-insensitive, i.e. lowercase a and uppercase A are treated as the same.
In case 1, the function checks whether the next 4 bytes read equal "WAVE". If not, it reads 1 more byte and compares the 4 bytes again; if they still do not match it keeps reading, handled in the same way as above, so this case can also produce the overflow. In case 2, it checks whether the 4 bytes read equal "fmt" followed by a space. If not, it continues to read 4 bytes, then moves the 4 bytes last compared against "fmt " into a temporary variable; this temporary variable is the number of bytes to read next, and the first two bytes of that read are placed into the temporary variable again. If the 4 bytes read at the very start equal "fmt ", the next four bytes read are stored in the temporary variable, that value is used as the count for the following read, and 4 bytes are read again afterwards.
(3) Exploit
Knowing the overflow principle, the next step is to exploit it. The first approach is to overwrite SEH so that the exception handler executes the shellcode. Looking for the nearest SEH record, its address is 0x0105FEBC, and the array that receives the file contents starts at 0x0105EE98. So first fill 0x1024 A's, then "\xeb\x06\x90\x90", then a springboard address. XP has SafeSEH protection, so the springboard must be found in a module that does not have SafeSEH enabled. Checking which modules in this process lack SafeSEH shows only the main module and msacm32.drv.
Selecting the main module and searching for a pop pop ret instruction, the address found is 0x040144c. Then fill in the calculator-popping shellcode, followed by 5860 A's, which push the stack overflow into a non-writable location so that an exception is raised, our exception handler runs, and the program pops up the calculator.
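As a defensive counterpart to the parsing analysis in sections 2 and 3 (an added example, not code from the page, the PoC or the vendor): a bounded RIFF locate that compares in place and never copies, and a strict header check for the RIFF/WAVE/fmt cases that bounds the file-supplied chunk length against both the remaining bytes and the destination before copying. RIFF_SCAN_LIMIT reuses the 0x2000 limit named above; HDR_BUF and the two sample buffers are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Assumed sizes: 0x2000 is the scan limit named in the analysis; HDR_BUF is a
   constructed fixed-size destination of the kind the original loop overran. */
#define RIFF_SCAN_LIMIT 0x2000
#define HDR_BUF 64
enum wav_status { WAV_OK = 0, WAV_NOT_RIFF, WAV_NOT_WAVE, WAV_BAD_FMT, WAV_TRUNCATED };

/* Lenient locate: find "RIFF" (case-sensitive, unlike the original) without copying
   anything. Returns the offset, or -1 if absent within min(len, RIFF_SCAN_LIMIT). */
long riff_find_bounded(const uint8_t *buf, size_t len) {
    size_t limit = len < RIFF_SCAN_LIMIT ? len : RIFF_SCAN_LIMIT;
    for (size_t i = 0; i + 4 <= limit; i++)
        if (memcmp(buf + i, "RIFF", 4) == 0) return (long)i;
    return -1;
}

/* Strict check for the three cases in the analysis: "RIFF" at 0, "WAVE" at 8,
   "fmt " at 12. The chunk length at 16 comes from the file, so it is bounded by the
   bytes remaining and by the destination capacity before any copy happens. */
enum wav_status wav_check(const uint8_t *buf, size_t len, uint8_t *out, size_t cap) {
    if (len < 20) return WAV_TRUNCATED;
    if (memcmp(buf, "RIFF", 4) != 0) return WAV_NOT_RIFF;   /* no forward scanning */
    if (memcmp(buf + 8, "WAVE", 4) != 0) return WAV_NOT_WAVE;
    if (memcmp(buf + 12, "fmt ", 4) != 0) return WAV_BAD_FMT;
    uint32_t fmt_len = (uint32_t)buf[16] | (uint32_t)buf[17] << 8 |
                       (uint32_t)buf[18] << 16 | (uint32_t)buf[19] << 24;
    if (fmt_len < 16 || fmt_len > cap || fmt_len > len - 20) return WAV_BAD_FMT;
    memcpy(out, buf + 20, fmt_len);
    return WAV_OK;
}

/* Constructed sample: minimal PCM header (16-bit mono 44.1 kHz, no data chunk). */
static const uint8_t VALID_HDR[36] = {
    'R','I','F','F', 28,0,0,0, 'W','A','V','E', 'f','m','t',' ', 16,0,0,0,
    1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,0x01,0, 2,0, 16,0 };
enum wav_status check_sample_valid(void) {
    uint8_t fmt[HDR_BUF];
    return wav_check(VALID_HDR, sizeof VALID_HDR, fmt, sizeof fmt);
}
/* Constructed sample: a run of 'A' longer than the scan limit with no RIFF tag, the
   input shape that overran the original parser. Returns 1 if both checks reject it. */
int malformed_sample_rejected(void) {
    uint8_t junk[0x2100], fmt[HDR_BUF];
    memset(junk, 'A', sizeof junk);
    return riff_find_bounded(junk, sizeof junk) == -1 &&
           wav_check(junk, sizeof junk, fmt, sizeof fmt) == WAV_NOT_RIFF;
}
```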
EXP is as follows:
shellcode= ("\x33\xC0\x50\xB8\x2E\x64\x6C\x6C\x50\xB8\x65\x6C\x33\x32\x50\xB8"
"\x6B\x65\x72\x6E\x50\x8B\xC4\x50\xB8\x7B\x1D\x80\x7C\xFF\xD0\x33"
"\xC0\x50\xB8\x2E\x65\x78\x65\x50\xB8\x63\x61\x6C\x63\x50\x8B\xC4"
"\x6A\x05\x50\xB8\xAD\x23\x86\x7C\xFF\xD0\x33\xC0\x50\xB8\xFA\xCA"