Audio Editor Pro 2.91 Remote Memory Corruption PoC

vendor:

Audio Editor Pro

by:

Gjoko 'LiquidWorm' Krstic

7,5

CVSS

HIGH

Remote Memory Corruption

119

CWE

Product Name: Audio Editor Pro

Affected Version From: 2.91

Affected Version To: 2.91

Patch Exists: YES

Related CWE: N/A

CPE: a:mightsoft:audio_editor_pro

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: MS Windows XP Pro SP3 (EN)

2009

Audio Editor Pro 2.91 Remote Memory Corruption PoC

Audio Editor Pro is a visual multifunctional audio files editor for Microsoft Windows. It is vulnerable to a remote memory corruption vulnerability when a specially crafted MP3 file is opened. This can be exploited to execute arbitrary code by tricking a user into opening a malicious MP3 file.

Mitigation:

Update to the latest version of Audio Editor Pro.

Source

Exploit-DB raw data:

Title: Audio Editor Pro 2.91 Remote Memory Corruption PoC

Product web page: http://www.mightsoft.com/

Summary: Audio Editor Pro is a visual multifunctional audio files editor for Microsoft Windows

Tested on: MS Windows XP Pro SP3 (EN)


--------------------------windbg--------------------------

(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): C++ EH exception - code e06d7363 (first chance)
(2bc.f5c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=0012ec04 ebx=80040303 ecx=00000000 edx=00000000 esi=0012ec94 edi=0012ec94
eip=7c812aeb esp=0012ec00 ebp=0012ec54 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00040206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll - 
kernel32!RaiseException+0x52:
7c812aeb 5e              pop     esi
0:000> g
WARNING: Continuing a non-continuable exception
(2bc.f5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=80040303 ebx=80040303 ecx=00000000 edx=00000000 esi=00000000 edi=00d2ffb0
eip=0043a0c1 esp=0012eca0 ebp=0012ecb4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050206
*** ERROR: Module load completed but symbols could not be loaded for [path]\areditor.exe
areditor+0x3a0c1:
0043a0c1 83660c00        and     dword ptr [esi+0Ch],0 ds:0023:0000000c=????????

-------------------------/windbg--------------------------


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
http://www.zeroscience.org/
16.07.2009




PoC:  1. http://zeroscience.org/codes/aimp2_evil.mp3
      2. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/8837.mp3 (2009-aimp2_evil.mp3)
      3. http://securityreason.com/download/11/13

# milw0rm.com [2009-07-16]