#######################################################################

                             Luigi Auriemma

Application:  Psycle
              http://psycle.pastnotecut.org
Versions:     <= 1.10.0
Platforms:    Windows
Bugs:         A] SNGI heap overflow
              B] SNGI array overflow
              C] PATD heap overflow
Exploitation: file
Date:         18 Feb 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Psycle is a cool tracker for creating music via modular synthesizers and VST.

#######################################################################

=======
2) Bugs
=======

---------------------
A] SNGI heap overflow
---------------------

Heap overflow in the handling of the SNGI structure. The loop below reads
one byte per iteration into a fixed-size buffer, and the iteration count is
the 32-bit value taken from the file, which is never checked against the
size of that buffer:

0046FDEC  . 83BE 6C2A0000 00   CMP DWORD PTR DS:[ESI+2A6C],0     ; our 32bit value
0046FDF3  . 7E 42              JLE SHORT psycle.0046FE37
0046FDF5  . 8DB8 C02E0000      LEA EDI,DWORD PTR DS:[EAX+2EC0]
0046FDFB  . BE 40D1FFFF        MOV ESI,-2EC0
0046FE00  . 2BF0               SUB ESI,EAX
0046FE02  > 8B03               MOV EAX,DWORD PTR DS:[EBX]
0046FE04  . 6A 01              PUSH 1
0046FE06  . 8D4F BC            LEA ECX,DWORD PTR DS:[EDI-44]
0046FE09  . 51                 PUSH ECX
0046FE0A  . 8BCB               MOV ECX,EBX
0046FE0C  . 8B50 28            MOV EDX,DWORD PTR DS:[EAX+28]
0046FE0F  . FFD2               CALL EDX                          ; fread
0046FE11  . 8B03               MOV EAX,DWORD PTR DS:[EBX]
0046FE13  . 6A 01              PUSH 1
0046FE15  . 57                 PUSH EDI
0046FE16  . 8BCB               MOV ECX,EBX
0046FE18  . 8B50 28            MOV EDX,DWORD PTR DS:[EAX+28]
0046FE1B  . FFD2               CALL EDX                          ; fread
0046FE1D  . 8B45 08            MOV EAX,DWORD PTR SS:[EBP+8]
0046FE20  . 803F 00            CMP BYTE PTR DS:[EDI],0
0046FE23  . 74 06              JE SHORT psycle.0046FE2B
0046FE25  . FF80 BC2E0000      INC DWORD PTR DS:[EAX+2EBC]
0046FE2B  > 47                 INC EDI
0046FE2C  . 8D0C3E             LEA ECX,DWORD PTR DS:[ESI+EDI]
0046FE2F  . 3B88 6C2A0000      CMP ECX,DWORD PTR DS:[EAX+2A6C]
0046FE35  .^7C CB              JL SHORT psycle.0046FE02

The effect of this overflow is that an arbitrary zone of memory can be
corrupted, for example here:

7855AEBC    8807               MOV BYTE PTR DS:[EDI],AL          ; controlled

or here:

784858BA    C60401 00          MOV BYTE PTR DS:[ECX+EAX],0       ; controlled

----------------------
B] SNGI array overflow
----------------------

Code execution via array overflow. A 32-bit value read from the file is used
as an index into an array of object pointers without any range check, and a
virtual method of the resulting object is then called:

00478DCA  |. 8B90 08310700     MOV EDX,DWORD PTR DS:[EAX+73108]          ; our value
00478DD0  |. 8BBC90 042F0700   MOV EDI,DWORD PTR DS:[EAX+EDX*4+72F04]
00478DD7  |. 85FF              TEST EDI,EDI
00478DD9  |. 74 64             JE SHORT psycle.00478E3F
00478DDB  |. 8B07              MOV EAX,DWORD PTR DS:[EDI]
00478DDD  |. 8B90 B0000000     MOV EDX,DWORD PTR DS:[EAX+B0]
00478DE3  |. 8BCF              MOV ECX,EDI
00478DE5  |. FFD2              CALL EDX                                  ; code execution

The 32-bit value used as the array index is taken from offset 0x20 of the
SNGI structure. In my proof-of-concept I have chosen 0xaf, which should point
to a sequence of 'a' characters used as the name of a machine.

---------------------
C] PATD heap overflow
---------------------

Heap overflow in the handling of the patterns: the program allocates the
amount of memory specified by the file and then copies blocks of data of up
to 0xff or 0xff+3 bytes into it, without checking that each block fits in
the space that remains:

00442F12  |. 0FB64E 02         MOVZX ECX,BYTE PTR DS:[ESI+2]     ; our 32bit size
00442F16  |. 0FB656 01         MOVZX EDX,BYTE PTR DS:[ESI+1]
00442F1A  |. 0FB606            MOVZX EAX,BYTE PTR DS:[ESI]
00442F1D  |. 57                PUSH EDI
00442F1E  |. 0FB67E 03         MOVZX EDI,BYTE PTR DS:[ESI+3]
00442F22  |. C1E7 08           SHL EDI,8
00442F25  |. 0BF9              OR EDI,ECX
00442F27  |. C1E7 08           SHL EDI,8
00442F2A  |. 0BFA              OR EDI,EDX
00442F2C  |. C1E7 08           SHL EDI,8
00442F2F  |. 0BF8              OR EDI,EAX
00442F31  |. 57                PUSH EDI
00442F32  |. 83C6 04           ADD ESI,4
00442F35  |. E8 2AE0FFFF       CALL                              ; malloc
00442F3A  |. 8B4D 08           MOV ECX,DWORD PTR SS:[EBP+8]
00442F3D  |. 83C4 04           ADD ESP,4
00442F40  |. 8901              MOV DWORD PTR DS:[ECX],EAX
00442F42  |. 8945 FC           MOV DWORD PTR SS:[EBP-4],EAX
00442F45  |. 85FF              TEST EDI,EDI
00442F47  |. 7E 5F             JLE SHORT psycle.00442FA8
00442F49  |. 53                PUSH EBX
00442F4A  |. 8D9B 00000000     LEA EBX,DWORD PTR DS:[EBX]
00442F50  |> 66:0FB616         /MOVZX DX,BYTE PTR DS:[ESI]       ; 8bit size
00442F54  |. 0FB7C2            |MOVZX EAX,DX
00442F57  |. 46                |INC ESI
00442F58  |. 66:85C0           |TEST AX,AX
00442F5B  |. 74 12             |JE SHORT psycle.00442F6F
00442F5D  |. 0FB7D8            |MOVZX EBX,AX
00442F60  |. 8B45 FC           |MOV EAX,DWORD PTR SS:[EBP-4]
00442F63  |. 53                |PUSH EBX                         ; /n
00442F64  |. 56                |PUSH ESI                         ; |src
00442F65  |. 50                |PUSH EAX                         ; |dest
00442F66  |. E8 219B0B00       |CALL                             ; \memcpy
00442F6B  |. 03F3              |ADD ESI,EBX
00442F6D  |. EB 2C             |JMP SHORT psycle.00442F9B
00442F6F  |> 66:0FB60E         |MOVZX CX,BYTE PTR DS:[ESI]       ; 8bit size
00442F73  |. 66:0FB656 01      |MOVZX DX,BYTE PTR DS:[ESI+1]
00442F78  |. 46                |INC ESI
00442F79  |. 66:83C1 03        |ADD CX,3
00442F7D  |. 0FB7C1            |MOVZX EAX,CX
00442F80  |. 0FB7CA            |MOVZX ECX,DX
00442F83  |. 0FB7D8            |MOVZX EBX,AX
00442F86  |. 8B45 FC           |MOV EAX,DWORD PTR SS:[EBP-4]
00442F89  |. 0FB7C9            |MOVZX ECX,CX
00442F8C  |. 8BD0              |MOV EDX,EAX
00442F8E  |. 2BD1              |SUB EDX,ECX
00442F90  |. 53                |PUSH EBX                         ; /n
00442F91  |. 2BD3              |SUB EDX,EBX                      ; |
00442F93  |. 52                |PUSH EDX                         ; |src
00442F94  |. 50                |PUSH EAX                         ; |dest
00442F95  |. 46                |INC ESI                          ; |
00442F96  |. E8 F19A0B00       |CALL                             ; \memcpy
00442F9B  |> 015D FC           |ADD DWORD PTR SS:[EBP-4],EBX
00442F9E  |. 2BFB              |SUB EDI,EBX
00442FA0  |. 83C4 0C           |ADD ESP,0C
00442FA3  |. 85FF              |TEST EDI,EDI
00442FA5  |.^7F A9             \JG SHORT psycle.00442F50

The overflow is not very controllable, so it may be difficult to exploit.
In my proof-of-concept I have specified a total pattern of 0x3ff bytes with
an allocable destination buffer of 1 byte and obviously 0xff bytes to copy.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/psycle_1.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
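The PATD loop in section C trusts both the 32-bit total passed to malloc and the per-block sizes, so a single block can run past the end of the buffer (and a back-reference can read from before its start). As an added example that is not Psycle's code, and whose block layout is my reading of the listing above, here is a decoder for that stream that performs the checks a fix would need: every block is validated against the remaining input and the remaining output before anything is copied.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hardened PATD decoder (added example; the block layout is my reading of
 * the listing in section C): a 32-bit LE total, then blocks that are either
 * a literal run (size byte 1..0xff followed by that many bytes) or, when the
 * size byte is 0, a back-reference (length byte + 3, distance byte) copied
 * from out - distance - length. Returns a malloc'd buffer, NULL if malformed. */
uint8_t *patd_decode(const uint8_t *in, size_t in_len, size_t *out_len)
{
    if (in_len < 4) return NULL;
    size_t total = (size_t)in[0] | (size_t)in[1] << 8 | (size_t)in[2] << 16 | (size_t)in[3] << 24;
    size_t pos = 4, done = 0, len, dist;
    uint8_t *out = malloc(total ? total : 1);
    if (!out) return NULL;
    while (done < total) {
        if (pos >= in_len) goto fail;                 /* truncated header */
        len = in[pos++];
        if (len) {                                    /* literal run */
            if (len > total - done || len > in_len - pos) goto fail;
            memcpy(out + done, in + pos, len);
            pos += len;
        } else {                                      /* back-reference */
            if (in_len - pos < 2) goto fail;
            len = (size_t)in[pos] + 3;
            dist = in[pos + 1];
            pos += 2;
            /* source [done-dist-len, done-dist) must already be in out */
            if (len > total - done || dist + len > done) goto fail;
            memcpy(out + done, out + done - dist - len, len);
        }
        done += len;
    }
    *out_len = done;
    return out;
fail:
    free(out);
    return NULL;
}

/* Self-check: decode and compare; expect == NULL means "must be rejected". */
int patd_decode_matches(const uint8_t *in, size_t in_len, const char *expect)
{
    size_t n = 0;
    uint8_t *out = patd_decode(in, in_len, &n);
    int ok = expect ? (out && n == strlen(expect) && !memcmp(out, expect, n)) : !out;
    free(out);
    return ok;
}
```

The inputs in the self-checks are constructed: the second one is the shape the advisory describes (a 1-byte buffer followed by a 0xff-byte block) and is rejected before the copy.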