#######################################################################

                             Luigi Auriemma

Application:  Buzz
              http://www.jeskola.net/buzz/
Versions:     <= Build 1458
Platforms:    Windows
Bugs:         various
Exploitation: file
Date:         20 Feb 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From http://www.buzzmachines.com/whatisbuzz.php:
"Buzz is the first ever "easy to use" free modular software based
synthesizer."


#######################################################################

=======
2) Bugs
=======


Some problems found on the fly during a quick test; not much detail is
available and no deep research was performed (consider it an
exercise).

Dumped code refers to build 1456.


------------------------------
A] Arbitrary memory corruption
------------------------------

Vulnerability that allows replacing a 0x00 byte with 0x01 at an
arbitrary memory location:

  00441AE8  > 8B07                MOV EAX,DWORD PTR DS:[EDI]            ; EAX controlled
  00441AEA  . 80B8 40595000 00    CMP BYTE PTR DS:[EAX+505940],0
  00441AF1  . 74 0C               JE SHORT buzz.00441AFF
  00441AF3  . C707 FFFFFFFF       MOV DWORD PTR DS:[EDI],-1
  00441AF9  . 5F                  POP EDI
  00441AFA  . 5E                  POP ESI
  00441AFB  . 5D                  POP EBP
  00441AFC  . C2 0400             RETN 4
  00441AFF  > C680 40595000 01    MOV BYTE PTR DS:[EAX+505940],1        ; corruption


-----------------
B] Array overflow
-----------------

16-bit array overflow:

  00499B68  > 0FB74424 1C         MOVZX EAX,WORD PTR SS:[ESP+1C]        ; controlled
  00499B6D  . 8B8B A4030000       MOV ECX,DWORD PTR DS:[EBX+3A4]
  00499B73  . 8B0C81              MOV ECX,DWORD PTR DS:[ECX+EAX*4]
  00499B76  . 8B11                MOV EDX,DWORD PTR DS:[ECX]
  00499B78  . 8B52 14             MOV EDX,DWORD PTR DS:[EDX+14]
  00499B7B  . 8D4424 24           LEA EAX,DWORD PTR SS:[ESP+24]
  00499B7F  . 50                  PUSH EAX
  00499B80  . FFD2                CALL EDX


-----------------
C] Array overflow
-----------------

16-bit array overflow:

  00499BB0  > 0FB75424 28         MOVZX EDX,WORD PTR SS:[ESP+28]        ; controlled
  00499BB5  . 8B71 08             MOV ESI,DWORD PTR DS:[ECX+8]
  00499BB8  . 8B83 A4030000       MOV EAX,DWORD PTR DS:[EBX+3A4]
  00499BBE  . 8B76 04             MOV ESI,DWORD PTR DS:[ESI+4]
  00499BC1  . 3B3490              CMP ESI,DWORD PTR DS:[EAX+EDX*4]
  00499BC4  . 74 24               JE SHORT buzz.00499BEA
  00499BC6  . 0FB75424 1C         MOVZX EDX,WORD PTR SS:[ESP+1C]
  00499BCB  . 8B09                MOV ECX,DWORD PTR DS:[ECX]
  00499BCD  . 894C24 24           MOV DWORD PTR SS:[ESP+24],ECX
  00499BD1  . 8B0C90              MOV ECX,DWORD PTR DS:[EAX+EDX*4]
  00499BD4  . 8B01                MOV EAX,DWORD PTR DS:[ECX]
  00499BD6  . 8B40 18             MOV EAX,DWORD PTR DS:[EAX+18]
  00499BD9  . 8D5424 3C           LEA EDX,DWORD PTR SS:[ESP+3C]
  00499BDD  . 52                  PUSH EDX
  00499BDE  . FFD0                CALL EAX


-----------------
D] Array overflow
-----------------

16-bit array overflow:

  0048E8E7  |> 0FB74424 18        |MOVZX EAX,WORD PTR SS:[ESP+18]       ; controlled
  0048E8EC  |. 8B75 08            |MOV ESI,DWORD PTR SS:[EBP+8]
  0048E8EF  |. 893C86             |MOV DWORD PTR DS:[ESI+EAX*4],EDI     ; write


-----------------
E] Array overflow
-----------------

16-bit array overflow:

  00499715  . 8D0490              LEA EAX,DWORD PTR DS:[EAX+EDX*4]
  00499718  . 8B10                MOV EDX,DWORD PTR DS:[EAX]
  0049971A  . 51                  PUSH ECX
  0049971B  . 52                  PUSH EDX
  0049971C  . E8 0FBBFCFF         CALL buzz.00465230
  ...
  0046525A  |. 8B06               MOV EAX,DWORD PTR DS:[ESI]
  0046525C  |. 8B50 20            MOV EDX,DWORD PTR DS:[EAX+20]
  0046525F  |. 53                 PUSH EBX
  00465260  |. 8BCE               MOV ECX,ESI
  00465262  |. FFD2               CALL EDX


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/buzz_1.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
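The common root of bugs A to E above is a file-supplied index (a 32-bit
value in A, a 16-bit WORD in B to E) used to address a table without
being compared against the table's size. The C below is an added
illustration of that pattern and of the check the dumped code lacks; it
is not code from this advisory nor from Buzz, the struct and function
names are hypothetical, and the table and file fragments are constructed
for the demonstration. lookup_unchecked() reproduces the MOVZX/index
sequence from the dumps, lookup_checked() and set_flag_checked() show
the bounds test that makes the same lookups safe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the pointer table indexed in bugs B-E: an array
   of object pointers (like the list reached through [EBX+3A4]) together
   with its live element count. Names are hypothetical. */
typedef struct { const char *name; } machine_t;

typedef struct {
    machine_t **items;
    size_t      count;
} machine_table_t;

/* Constructed model of the fixed byte table touched in bug A. */
#define FLAG_SLOTS 64u

/* Little-endian 16-bit read with a truncation check; returns 0 when the
   field does not fit inside the buffer. */
int read_u16le(const uint8_t *buf, size_t len, size_t off, uint16_t *out)
{
    if (off > len || len - off < 2)
        return 0;
    *out = (uint16_t)(buf[off] | ((uint16_t)buf[off + 1] << 8));
    return 1;
}

/* Pattern from the dump: MOVZX of a file-supplied WORD, then
   MOV ECX,[table+EAX*4] with no comparison against the count, so any
   value 0..65535 indexes the table whatever its size. Shown for
   comparison only; never call it with an unvalidated index. */
machine_t *lookup_unchecked(const machine_table_t *t, uint16_t idx)
{
    return t->items[idx];
}

/* Hardened form: reject indices at or beyond the live count before the
   dereference. NULL lets the caller abort the file load. */
machine_t *lookup_checked(const machine_table_t *t, uint16_t idx)
{
    if (t->items == NULL || idx >= t->count)
        return NULL;
    return t->items[idx];
}

/* Resolve a reference stored as a 16-bit field at 'off' in a file image.
   NULL on truncation or on an out-of-range index. */
machine_t *resolve_ref(const uint8_t *file, size_t len, size_t off,
                       const machine_table_t *t)
{
    uint16_t idx;
    if (!read_u16le(file, len, off, &idx))
        return NULL;
    return lookup_checked(t, idx);
}

/* Bug A pattern: a controlled 32-bit value selects a byte in a fixed
   table and that byte goes from 0 to 1. The dump compares the byte
   against 0 but never compares the index against the slot count. */
int set_flag_checked(uint8_t *flags, size_t nslots, uint32_t idx)
{
    if (idx >= nslots)
        return 0;              /* refuse: would write outside the table */
    if (flags[idx] != 0)
        return 0;              /* already set: the CMP ...,0 branch */
    flags[idx] = 1;
    return 1;
}

/* Runs the constructed scenarios; returns 1 only if every expectation
   holds (valid index resolves, count/65535/truncated are rejected). */
int self_check(void)
{
    machine_t a = {"master"}, b = {"gen"}, c = {"fx"};
    machine_t *ptrs[3] = {&a, &b, &c};
    machine_table_t t = {ptrs, 3};
    const uint8_t ok[]    = {0x02, 0x00};    /* index 2: last valid */
    const uint8_t edge[]  = {0x03, 0x00};    /* index 3 == count */
    const uint8_t bad[]   = {0xff, 0xff};    /* index 65535 */
    const uint8_t trunc[] = {0x01};          /* field cut short */
    uint8_t flags[FLAG_SLOTS] = {0};

    if (resolve_ref(ok, sizeof ok, 0, &t) != &c) return 0;
    if (resolve_ref(edge, sizeof edge, 0, &t) != NULL) return 0;
    if (resolve_ref(bad, sizeof bad, 0, &t) != NULL) return 0;
    if (resolve_ref(trunc, sizeof trunc, 0, &t) != NULL) return 0;
    if (lookup_unchecked(&t, 1) != &b) return 0;
    if (set_flag_checked(flags, FLAG_SLOTS, 5) != 1) return 0;
    if (set_flag_checked(flags, FLAG_SLOTS, 5) != 0) return 0;
    if (set_flag_checked(flags, FLAG_SLOTS, 70000) != 0) return 0;
    return flags[5] == 1;
}

int main(void)
{
    printf("bounds checks %s\n", self_check() ? "hold" : "FAILED");
    return 0;
}
```

The decisive detail is that the comparison uses the table's live element
count, not the 65536 values a WORD can hold: a 16-bit index is small but
not safe, since the table it selects from is almost always shorter.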