Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC

Title: Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC
Advisory ID: ZSL-2009-4922
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 16.07.2009
Summary
Simple-to-use WMA / MP3 tag editor that allows you to change tagged information about your MP3/WMA music files. Quickly change music filenames, create PLS/M3U playlists and even add lyrics to your music files, with full UNICODE support. Music filenames and tags are never what they should, be let alone consistent. Changing the artist, song title and album title can be a long and grueling process if done manually. Music Tag Editor is a simple-to-use tool that allows you to change "tagged" information about your MP3/WMA music files.
Description
The vulnerability is caused due to a boundary error in the processing of MP3 files. This can be exploited to cause a stack-based buffer overflow via an MP3 file having an overly long ID3 tag. Successful exploitation may allow execution of arbitrary code.

--------------------------------------------------------------------------------

(8bc.86c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410041 ebx=00000000 ecx=0010fa80 edx=00410041 esi=001e5fb0 edi=000fd060
eip=cccccccc esp=000fcfa0 ebp=000fcff8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
cccccccc ??

--------------------------------------------------------------------------------

Vendor
AssistantTools.com - http://www.assistanttools.com
Affected Version
1.61 build 212
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
N/A
PoC
musictag_bof.txt
aimp2_evil.mp3
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://secunia.com/advisories/35828/
[2] http://securityreason.com/exploitalert/6612
[3] http://www.packetstormsecurity.org/filedesc/musictag-overflow.txt.html
[4] http://zeroscience.mk/codes/aimp2_evil.mp3
[5] http://milw0rm.com/sploits/2009-aimp2_evil.mp3
[6] http://securityreason.com/download/11/13
[7] http://xforce.iss.net/xforce/xfdb/51724
[8] http://osvdb.org/55861
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3811
Changelog
[16.07.2009] - Initial release
[10.08.2009] - Added reference [7], [8] and [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk