GoldWave 5.70 - Local Buffer Overflow (SEH Unicode) | Lucideus

Author: byzo
Published: 9/4/2018
EDB-ID: 44423
Requirements: Windows 7 SP1 x86, GoldWave 5.70
Exploit-DB link: https://www.exploit-db.com/exploits/44423/

Buffer Overflow
A buffer overflow is a condition in which a program, while writing data to a memory buffer, overruns the buffer boundary and writes data into adjacent buffers.

SEH
SEH (structured exception handler) is a protection mechanism that was implemented to stop the abuse of buffer overflows. Unfortunately, SEH can itself be abused by attackers who find enough space to write data prior to the SEH overwrite.

Unicode Buffer Overflow
Sometimes data is passed through functions, or manipulations/validations are applied to it, and in some situations the data gets converted into Unicode. Payloads may therefore also get converted into Unicode before they reach the stack.

In the early days it was assumed that this type of overwrite could not be exploited, but in later years special encoding schemes and scripts were released that allowed attackers to build Unicode-compatible shellcode.
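The conversion described above, together with the length check that keeps widened input inside its buffer, as an added example (not code from GoldWave or from the original exploit). The buffer size `URL_MAX_UNITS` and the names `widen_bounded` and `handle_url_field` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed capacity of the destination buffer, in UTF-16 code units. */
#define URL_MAX_UNITS 64

/* Widen a single-byte string into UTF-16 code units the way an ANSI-to-wide
 * conversion treats ASCII input: byte 0xNN becomes unit 0x00NN, which on
 * little-endian x86 sits in memory as NN 00. Returns the number of units
 * written (terminator excluded), or -1 if the input does not fit or contains
 * non-ASCII bytes (refused here rather than guessed at). */
int widen_bounded(const char *src, uint16_t *dst, size_t dst_units)
{
    size_t n = strlen(src);

    /* Capacity is counted in code units, not bytes, and one unit is
     * reserved for the terminator. */
    if (dst_units == 0 || n > dst_units - 1)
        return -1;

    /* Validate before writing so a rejected input leaves dst untouched. */
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)src[i] > 0x7F)
            return -1;

    for (size_t i = 0; i < n; i++)
        dst[i] = (uint16_t)(unsigned char)src[i];
    dst[n] = 0;
    return (int)n;
}

/* Hypothetical handler for a URL-style text field: the widened copy lives in
 * a fixed stack buffer, so oversized input is refused instead of copied.
 * Returns the bytes occupied by the widened text, or -1 on rejection. */
int handle_url_field(const char *input)
{
    uint16_t wide[URL_MAX_UNITS];
    int units = widen_bounded(input, wide, URL_MAX_UNITS);

    if (units < 0)
        return -1;
    return units * (int)sizeof(uint16_t);
}
```

Every input byte occupies two bytes after widening, which is why the bound has to be checked in code units against the destination rather than in bytes against the source.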

What is Unicode and why would a developer decide to convert data to Unicode?
Wikipedia states: “Unicode is a computing industry standard allowing computers to represent and manipulate text expressed in most of the world’s writing systems consistently. Developed in tandem with the Universal Character Set standard and published in book form as The Unicode Standard, the latest version of Unicode consists of a repertoire of more than 107,000 characters covering 90 scripts, a set of code charts for visual reference, an encoding methodology and set of standard character encodings, an enumeration of character properties such as upper and lower case, a set of reference data computer files, and a number of related items, such as character properties, rules for normalization, decomposition, collation, rendering, and bidirectional display order (for the correct display of text containing both right-to-left scripts, such as Arabic or Hebrew, and left-to-right scripts).”

In short: Unicode allows us to visually represent and/or manipulate text consistently on most systems across the world. Applications can therefore be used across the globe without having to worry about how the text will look when displayed on a computer – almost any computer – in another part of the world.

Working
When we execute the software, the executable is loaded into memory (RAM), and its data variables are stored on the stack in RAM. The software has certain input fields that take input data in the form of strings, and the “Enter URL” field does not apply any validation to the data entered. It is therefore the entry point where attackers are able to input content other than the intended data/strings.

When we paste the shellcode into the vulnerable “Enter URL” input field, it gets executed in memory on the stack, which is where most buffer overflow attacks happen. The shellcode helps to create a shell, which enables an attacker to execute any code the attacker wants; in this case, it is a calculator.

The funny thing here is that data entered in the “Enter URL” field gets converted into Unicode, and the attack runs despite the conversion; that is due to the Unicode buffer overflow vulnerability. The computer raises a structured exception handler (SEH) as a protection mechanism, but the buffer code runs because there is enough space prior to the SEH overwrite.

Example: #msfvenom -p windows/exec CMD=calc.exe -e x86/unicode_upper BufferRegister=EAX

Step 1: Download the Python file and run it.


Step 2: Running the Python file creates a file called “goldwave570.txt”. Open the file and copy its contents.

Step 3: Open GoldWave 5.70, click on “file”, then “open URL”, paste the copied contents, and then hit “ok”.


Video Proof of Concept
