TuneClone Buffer Overflow Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A buffer overflow vulnerability in TuneClone version 2.20 has been identified, allowing local attackers to execute arbitrary code. The flaw is a stack-based overflow that overwrites the structured exception handler (SEH) record and is triggered by an overly long license code string. The reported payload consists of a controlled buffer, an overwritten next-SEH (nSEH) pointer holding a short jump instruction, and an SEH handler address pointing to a return-oriented programming (ROP) gadget. Pasting this payload into the license code field causes the overwritten handler to be invoked, giving code execution and establishing a bind shell.
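The root cause described above is the classic unbounded copy of attacker-controlled input into a fixed-size stack buffer. The following C code is an added illustration of that bug class and its fix, not TuneClone's code: the buffer size, function names and the license-code format are assumptions. It shows the unchecked copy beside a hardened validator that rejects any string that does not fit and refuses non-printable characters, so that an overlong or binary license string is reported as invalid rather than written past the end of the frame.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not TuneClone's code: a fixed-size stack
 * buffer receives a license string whose length the caller controls.
 * LICENSE_LEN is an assumed value. */
#define LICENSE_LEN 64

/* Vulnerable pattern: strcpy trusts the caller-supplied length, so a
 * string longer than LICENSE_LEN - 1 overruns the frame. On Windows the
 * overrun can reach the SEH chain stored on the stack, which is the
 * mechanism the advisory describes. Shown for contrast only. */
void store_license_unchecked(const char *code)
{
    char buf[LICENSE_LEN];
    strcpy(buf, code);          /* no bounds check */
    (void)buf;
}

/* Hardened form: refuse input that does not fit, copy with an explicit
 * bound, and guarantee NUL termination. Returns false when the input is
 * rejected so the caller can surface a validation error instead of
 * silently truncating. */
bool store_license_checked(const char *code, char *out, size_t out_len)
{
    if (code == NULL || out == NULL || out_len == 0)
        return false;
    size_t n = strnlen(code, out_len);
    if (n == out_len)           /* no NUL within out_len: too long */
        return false;
    memcpy(out, code, n + 1);   /* n + 1 <= out_len, includes the NUL */
    return true;
}

/* A license code is expected to be printable ASCII; anything else
 * (raw opcodes, pointer bytes) is rejected before it is stored. */
bool license_is_printable(const char *code)
{
    if (code == NULL)
        return false;
    for (const unsigned char *p = (const unsigned char *)code; *p; ++p) {
        if (!isprint(*p))
            return false;
    }
    return true;
}

/* Combined check mirroring the advisory's scenario with a constructed
 * stack buffer: true only if the code is printable and fits. */
bool license_accepted(const char *code)
{
    char buf[LICENSE_LEN];
    if (!license_is_printable(code))
        return false;
    return store_license_checked(code, buf, sizeof buf);
}

int main(void)
{
    char overlong[LICENSE_LEN * 4];                 /* constructed input */
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    printf("short code accepted:    %d\n", license_accepted("ABCD-1234"));
    printf("overlong code accepted: %d\n", license_accepted(overlong));
    printf("binary code accepted:   %d\n", license_accepted("AB\x01\x90"));
    return 0;
}
```

The two checks address the two preconditions of the reported attack: the length bound stops the overwrite of the SEH record, and the character-class check stops machine code and addresses from being accepted as a license string in the first place.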
Impact
Exploitation of this vulnerability allows for arbitrary code execution with the privileges of the user running TuneClone.
Reproduction
To reproduce this vulnerability, first create a payload using a Python script that crafts the exploit. This script should generate a buffer overflow payload that includes the necessary SEH overwrite and shellcode for a bind shell. Save this payload into a text file. Then, open TuneClone, open the 'Help' menu and select 'Enter License Code'. Paste the contents of the text file into the license code field and click 'OK'. If successful, this results in a bind shell on port 3110.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
