CVE-2010-2343
Published 2010-06-21
Priority P3 (55) · Severity critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 36.73% (98.3rd percentile)
Stack-based buffer overflow in D.R. Software Audio Converter 8.1, 2007, and 8.05 allows remote attackers to execute arbitrary code via a crafted pls playlist file.
Affected
3 ranges (version bounds are not indexed here; the description names versions 8.1, 2007 and 8.05, and the exploit entries below cover Audio Converter 8.1 and Easy CD-DA Recorder 2007)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dennisre | audio_converter | — | — |
| dennisre | audio_converter | — | — |
| dennisre | audio_converter | — | — |
Detection & IOCs (extracted from sources)
Byte sequences:
- \xF1\x8E\x03\x10 (little-endian 0x10038EF1: an address in the 0x10000000 module range, i.e. audconv.dll per the notes below)
- \x70\x80\x08\x10 (little-endian 0x10088070: the Easy CD-DA Recorder pop-pop-ret handler address quoted below)
- \x2F\x37\x01\x10 (little-endian 0x1001372F: another address in the 0x10000000 module range)
- \x81\xc4\x54\xf2\xff\xff (x86 `add esp, 0xFFFFF254`, i.e. `sub esp, 0xDAC`: a stack adjustment ahead of the payload)
- \xeb\x06\x90\x90 (`jmp short +6` followed by two NOPs: the nSEH value)
- \xEB\x06\xEB\x06 (`jmp short +6` written twice: the nSEH value)
- Trigger is a crafted .PLS playlist file with an overlong string (>1108 bytes for Easy CD-DA Recorder 2007; >4432 bytes for Audio Converter 8.1) in a single playlist entry, which overwrites the SEH chain.
- SEH overwrite occurs at offset 4432 bytes in Audio Converter 8.1; monitor for abnormally large .PLS files opened by the audioconv/easycdda processes.
- SEH overwrite occurs at offset 1108 bytes in Easy CD-DA Recorder 2007; the SEH handler is overwritten with a pop-pop-ret gadget from audconv.dll.
- The ROP chain uses gadgets exclusively from audconv.dll and easycdda.exe; ROP gadget addresses from audconv.dll (base 0x10000000) on the stack are a strong indicator of exploitation. The Metasploit module relies on fixed addresses even on its Windows 7 SP1 target, so these modules are evidently not relocated by ASLR and the addresses are stable across hosts.
- Bad characters for payload encoding are 0x0a and 0x3d, which is what a line-oriented key=value playlist format implies: 0x0a ends the line and 0x3d separates key from value, so the parser would cut the entry at either byte. Encoded shellcode will therefore contain neither.
- The exploit appends a large block of junk (10000 bytes) after the SEH overwrite to trigger the exception, so the file comes to roughly 14 KB for Audio Converter 8.1 (4432 + 10000) and roughly 11 KB for Easy CD-DA Recorder 2007 (1108 + 10000); .PLS files of that size or larger opened by these applications are suspicious.
- The VirtualProtect() IAT address 0x0042a0e0 in easycdda.exe is used by the ROP chain for DEP bypass; look for this value on the stack during exception handling in easycdda.exe.
- The SEH pop-pop-ret gadget address differs between the two affected applications: 0x1008F1F1 (audioconv) vs 0x10088070 (audconv.dll in Easy CD-DA Recorder), so detection rules keyed on a specific gadget address must account for both. Note that the first byte IOC listed above, \xF1\x8E\x03\x10, decodes to 0x10038EF1 rather than 0x1008F1F1; verify the Audio Converter handler address against EDB-13760 before writing a rule on it.
- The Metasploit module targets only 'Windows XP SP3 / Windows 7 SP1 (DEP Bypass)' with a single target offset (1108); exploits against other OS/SP combinations may use different offsets and gadgets.
- The ROP/WPM variant (EDB-13763) calls WriteProcessMemory (WPM) at 0x7C80221 for DEP bypass instead of VirtualProtect, so DEP-bypass detection logic must cover both WPM and VirtualProtect ROP chains. As printed here the address has only seven hex digits; check it against EDB-13763. WriteProcessMemory is exported by kernel32.dll, so unlike the audconv.dll gadgets this address is tied to the OS build the exploit was written for (its header says XP SP3 English) and will not match other service packs or language builds.
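The following triage script is an added example, not code from Corelan, Exploit-DB or the Metasploit module. It parses a .PLS file the way a length-unaware parser would, then checks every entry against the offsets, nSEH patterns and handler bytes listed above, and reports why an entry looks like an SEH overwrite. The two sample playlists are constructed here; the "anything in 0x10xxxxxx is the audconv.dll range" heuristic and the function names are assumptions of this example, and a NOP sled stands in for shellcode.

```python
# Added triage example for the indicators above; not code from the page's sources.
# Offsets, nSEH patterns and handler bytes are copied from this page; the sample
# playlists are constructed here.
import struct

# SEH overwrite offsets per product, from the page.
SEH_OFFSETS = {
    "Audio Converter 8.1": 4432,
    "Easy CD-DA Recorder 2007": 1108,
}
MIN_OFFSET = min(SEH_OFFSETS.values())

# nSEH values used by the public exploits: jmp short +6 padded with NOPs, or doubled.
NSEH_PATTERNS = (b"\xeb\x06\x90\x90", b"\xeb\x06\xeb\x06")

# SEH handler bytes listed on the page, decoded little-endian into addresses.
PAGE_HANDLER_BYTES = (b"\xF1\x8E\x03\x10", b"\x70\x80\x08\x10", b"\x2F\x37\x01\x10")
KNOWN_HANDLERS = {struct.unpack("<I", b)[0] for b in PAGE_HANDLER_BYTES}

# Bad characters from the page: 0x0a ends a PLS line, 0x3d splits key from value.
BAD_CHARS = {0x0a, 0x3d}


def parse_pls(data: bytes):
    """Split a PLS file into (key, value) pairs with no length limit, i.e. the way
    the vulnerable parser sees it. Lines without '=' ([playlist], blanks) are skipped."""
    entries = []
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if b"=" not in line:
            continue
        key, _, value = line.partition(b"=")
        entries.append((key.strip(), value))
    return entries


def bad_chars_in(payload: bytes):
    """Bytes in a payload that the playlist parser would cut the entry on."""
    return {b for b in payload if b in BAD_CHARS}


def triage(data: bytes) -> dict:
    """Report overlong entries and SEH-overwrite patterns at the page's offsets."""
    findings = []
    for key, value in parse_pls(data):
        if len(value) > MIN_OFFSET:
            findings.append({"kind": "overlong_value", "key": key.decode("latin-1"), "len": len(value)})
        for product, off in SEH_OFFSETS.items():
            if len(value) < off + 8:
                continue
            nseh = value[off:off + 4]
            seh = struct.unpack_from("<I", value, off + 4)[0]
            reasons = []
            if nseh in NSEH_PATTERNS:
                reasons.append("nSEH is jmp short +6")
            if seh in KNOWN_HANDLERS:
                reasons.append("SEH handler matches a listed pop-pop-ret address")
            elif (seh >> 24) == 0x10:
                # Assumption of this example: 0x10xxxxxx is treated as the audconv.dll
                # range (page: base 0x10000000); a real rule should use the module's size.
                reasons.append("SEH handler lies in the 0x10000000 module range")
            if reasons:
                findings.append({"kind": "seh_overwrite", "product": product, "offset": off,
                                 "nseh": nseh.hex(), "seh": f"0x{seh:08x}", "reasons": reasons})
    return {
        "size": len(data),
        "suspicious": any(f["kind"] == "seh_overwrite" for f in findings),
        "findings": findings,
    }


def build_sample_pls(offset: int, nseh: bytes, handler: bytes, junk: int = 10000) -> bytes:
    """Constructed fixture in the layout the page describes: padding to the SEH
    offset, nSEH, SEH handler, a NOP sled in place of shellcode, then the junk
    block that raises the exception."""
    value = b"A" * offset + nseh + handler + b"\x90" * 16 + b"D" * junk
    if bad_chars_in(value):
        raise ValueError("fixture would be cut by the playlist parser")
    return b"[playlist]\r\nFile1=" + value + b"\r\nNumberOfEntries=1\r\nVersion=2\r\n"


# Constructed samples: one in the Audio Converter 8.1 layout, one ordinary playlist.
EXPLOIT_LIKE_PLS = build_sample_pls(4432, b"\xeb\x06\x90\x90", b"\xF1\x8E\x03\x10")
BENIGN_PLS = (b"[playlist]\r\nFile1=song.mp3\r\nTitle1=Song\r\nLength1=-1\r\n"
              b"NumberOfEntries=1\r\nVersion=2\r\n")

if __name__ == "__main__":
    for name, blob in (("exploit-like", EXPLOIT_LIKE_PLS), ("benign", BENIGN_PLS)):
        result = triage(blob)
        print(f"{name}: {result['size']} bytes, suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  ", finding)
```

Running the script reports the exploit-like file as suspicious with the nSEH and handler reasons at offset 4432, and the benign playlist as clean. The same `triage` call flags the Easy CD-DA Recorder layout when the fixture is built with offset 1108 and the \x70\x80\x08\x10 handler, since every listed offset is checked on every entry.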
No detection rules found.
Exploit-DB · 2014-02-13 · CVE-2010-2343
Easy CD-DA Recorder - '.pls' Local Buffer Overflow (Metasploit)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# The class header was eaten by tag stripping in the excerpt; it is restored here
# as the standard file-format exploit prelude.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Easy CD-DA Recorder PLS Buffer Overflow',
      'Description' => %q{
        This module exploits a stack-based buffer overflow vulnerability in
        Easy CD-DA Recorder 2007, caused by a long string in a playlist entry.
        By persuading the victim to open a specially-crafted .PLS file, a
        remote attacker could execute arbitrary code on the system or cause
        the application to crash. This module has been tested successfully on
        Windows XP SP3 and Windows 7 SP1.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'chap0', # Vulnerability discovery and original exploit
          'Gabor Seljan',
```
Exploit-DB · 2010-06-07 · CVE-2010-2343
Audio Converter 8.1 - Local Stack Buffer Overflow
---
```python
#***********************************************************************************
# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit
# Date : 16/05/2010
# Author : Sud0
# Bug found by : chap0
# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
# Version : 8.1
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Thanks to my wife for her support
# Thanks to chap0 for bringing us the game
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes
```
Exploit-DB · 2010-06-07 · CVE-2010-2343
Audio Converter 8.1 - Local Stack Buffer Overflow ROP/WPM
---
```python
#***********************************************************************************
# Exploit Title : Audio Converter 8.1 0day Stack Buffer Overflow PoC exploit ROP/WPM
# Date : 07/06/2010
# Author : Sud0
# Bug found by : chap0
# Software Link : http://download.cnet.com/Audio-Converter/3000-2140_4-10045287.html
# Version : 8.1
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : SEH
# Thanks to my wife for her support
# Thanks to chap0 for bringing us the game
# Greetz to: Corelan Security Team
# mr_me you're killing the ROP bro :)
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
# Using ROP to bypass DEP protection and call WPM
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
Exploit-DB · 2010-06-07 · CVE-2010-2343
Easy CD-DA Recorder 2007 - Local Buffer Overflow (SEH)
---
```python
# Exploit Title : Easy CD-DA Recorder 2007 SEH Buffer Overflow
# Date : June 7, 2010
# Author : chap0 [http://www.seek-truth.net]
# Software Link : http://download.cnet.com/Easy-CD-DA-Recorder/3000-2646_4-10059726.html
# Tested on : Windows XP SP3 En
# Type of vuln : SEH
# Greetz to : Corelan Security Team
# The Crew : http://www.corelan.be:8800/index.php/security/corelan-team-members/
# Advisory : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-048
# --------------------------------------------------------------------------------------
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# fo
```
Metasploit
Easy CD-DA Recorder PLS Buffer Overflow
This module exploits a stack-based buffer overflow vulnerability in Easy CD-DA Recorder 2007 caused by an overlong string in a playlist entry. By persuading the victim to open a specially-crafted PLS file, a remote attacker can execute arbitrary code on the system or cause the application to crash. This module has been tested successfully on Windows XP SP3 and Windows 7 SP1.
No writeups or analysis indexed.
References
- http://osvdb.org/65256
- http://secunia.com/advisories/40081
- http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-048-d-r-software-multiple-products/
- http://www.exploit-db.com/exploits/13760
- http://www.exploit-db.com/exploits/13763
- http://www.securityfocus.com/bid/40618
- http://www.securityfocus.com/bid/40631
- http://www.vupen.com/english/advisories/2010/1387
- https://exchange.xforce.ibmcloud.com/vulnerabilities/59206