Julien Ahrens

Vulnerability Intel | ROP Gadget Hunter | Privacy Enthusiast | Full-time BugBounty hunter | @Hacker0x01 MVH | @SynackRedTeam member | on a world-trip

[IA2] Free WMA MP3 Converter v1.5 (.wav) Local Buffer Overflow Vulnerability *updated*

21 Jan 2012 » Advisory

I’ve found a local stack buffer overflow vulnerability in “Free WMA MP3 Converter” version 1.5 which could lead to a remote shell when using the proper shellcode. This exploit is slightly different compared to the others out there: It’s for the newest version and works on Windows XP and Windows 7 x86 and x64 :-)

[IA2] Free WMA MP3 Converter v1.5 (.wav)
Local Buffer Overflow Vulnerability

Details
=============
Product:         Free WMA MP3 Converter v1.5
Severity:        Medium
Exploit-Type:    Local
Vendor-URL:      http://www.eusing.com
Advisory-Status: published
References:      -
Contact:         info[a.t]inshell[d.o.t]net

Credits
=============
Discovered by: Julien Ahrens

Affected Products:
=============
Free WMA MP3 Converter v1.5

Tested on:
=============
Windows XP SP3 Professional German
Windows 7 SP1 Home Premium German

Description
=============
Free WMA MP3 Converter is an free WMA to MP3 converter which helps you
convert WMA to MP3, MP3 to WMA, WAV to MP3, WAV to WMA, MP3 to WAV,
WMA to WAV etc. Free WMA MP3 Converter provides optimized default settings.
No more thinking but just a click to start WMA to MP3 conversion with
the MP3 converter!

Timeline
================
2012-01-21:	Vendor Notification
2012-01-28:	Vendor Notification #2
2012-01-28:	Vendor Response/Feedback

Read full advisory and PoC