Mp3 Tag Assistant Pro 2.92 (tag metadata) Remote Stack Overflow PoC

Title: Mp3 Tag Assistant Pro 2.92 (tag metadata) Remote Stack Overflow PoC
Advisory ID: ZSL-2009-4915
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 01.06.2009
Summary
MP3 Tag Assistant Professional 2.92 is a professional-level audio tag editor with UNICODE support.
Description
MP3 Tag Assistant Professional 2.92 is vulnerable to a stack buffer overflow attack when loading a malicious mp3 file (or file that supports tags) filled with overly long A's in its metadata (id3v1, id3v2 apev2, etc.). To succesfully exploit this issue you have to change the hex values of the file and remove the null bytes in the metadata header. I'm being lazy this season..... so.... ;). You can take any mp3 file, edit its metadata with some mp3 tag editor (ironic, isen't it..) and fill every field with long string of bytes.

--------------------------------------------------------------------------------

(c5c.eb0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001093d4 ebx=00000000 ecx=00bc7f7c edx=00bc7f7c esi=0010a658 edi=00109414
eip=00410056 esp=00109418 ebp=00410041 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
*** WARNING: Unable to verify checksum for [path]\Mp3 Tag Assistant Pro.exe
*** ERROR: Module load completed but symbols could not be loaded for [path]\Mp3 Tag Assistant Pro.exe
Mp3_Tag_Assistant_Pro+0x10056:
00410056 008b45085068 add byte ptr [ebx+68500845h],cl ds:0023:68500845=??
0:000> g
(c5c.eb0): Access violation - code c0000005 (!!! second chance !!!)
eax=001093d4 ebx=00000000 ecx=00bc7f7c edx=00bc7f7c esi=0010a658 edi=00109414
eip=00410056 esp=00109418 ebp=00410041 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000282
Mp3_Tag_Assistant_Pro+0x10056:
00410056 008b45085068 add byte ptr [ebx+68500845h],cl ds:0023:68500845=??

--------------------------------------------------------------------------------

Vendor
AssistantTools.com - http://www.assistanttools.com
Affected Version
2.92 build 300
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
N/A
PoC
mp3tag_bof.txt
aimp2_evil.mp3
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://secunia.com/advisories/35305
[2] http://osvdb.org/show/osvdb/54810
[3] http://www.securitylab.ru/vulnerability/380786.php
[4] http://securityreason.com/exploitalert/6345
[5] http://www.f-secure.com/vulnerabilities/SA200902492
[6] http://www.zeroscience.mk/codes/aimp2_evil.mp3
[7] http://milw0rm.com/sploits/2009-aimp2_evil.mp3
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-4201
[9] http://xforce.iss.net/xforce/xfdb/50870
Changelog
[01.06.2009] - Initial release
[02.06.2009] - Added reference [8] and [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk