################################################################################

### Title: Mp3 Tag Assistant Pro 2.92 (tag metadata) Remote Stack Overflow PoC

### Summary: MP3 Tag Assistant Professional 2.92 is a professional-level audio
             tag editor with UNICODE support.

### Product web page: http://www.assistanttools.com/

### Desc: MP3 Tag Assistant Professional 2.92 is vulnerable to a stack buffer
	  overflow attack when loading a malicious mp3 file (or file that supports
	  tags) filled with overly long A's in its metadata (id3v1, id3v2 apev2,
	  etc.). To succesfully exploit this issue you have to change the hex
	  values of the file and remove the null bytes in the metadata header.
	  I'm being lazy this season..... so.... ;). You can take any mp3 file,
	  edit its metadata with some mp3 tag editor (ironic, isen't it..) and
	  fill every field with long string of bytes.

	* I think that this issue is affecting many softwares out there that
	  deals with playing mp3 files or any other file that supports tags
	  metadata. So knock your socks off.....t00t w00t.

	  This is the same PoC as: http://zeroscience.org/codes/aimp2_poc.txt

	  So I'll use the same mp3 file (aimp2_evil.mp3) which is a song by
	  Gary Jules - Mad World, and it's approximately 2.92 megabytes.

	  Proof of Concept: http://www.zeroscience.org/codes/aimp2_evil.mp3

### Tested on Microsoft Windows XP Professional SP3 (English)

### WinDbg log:


---------------------------------------------------------------------------------

 (c5c.eb0): Access violation - code c0000005 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 eax=001093d4 ebx=00000000 ecx=00bc7f7c edx=00bc7f7c esi=0010a658 edi=00109414
 eip=00410056 esp=00109418 ebp=00410041 iopl=0         nv up ei ng nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010282
 *** WARNING: Unable to verify checksum for [path]\Mp3 Tag Assistant Pro.exe
 *** ERROR: Module load completed but symbols could not be loaded for [path]\Mp3 Tag Assistant Pro.exe
 Mp3_Tag_Assistant_Pro+0x10056:
 00410056 008b45085068    add     byte ptr [ebx+68500845h],cl ds:0023:68500845=??
 0:000> g
 (c5c.eb0): Access violation - code c0000005 (!!! second chance !!!)
 eax=001093d4 ebx=00000000 ecx=00bc7f7c edx=00bc7f7c esi=0010a658 edi=00109414
 eip=00410056 esp=00109418 ebp=00410041 iopl=0         nv up ei ng nz na po nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000282
 Mp3_Tag_Assistant_Pro+0x10056:
 00410056 008b45085068    add     byte ptr [ebx+68500845h],cl ds:0023:68500845=??

---------------------------------------------------------------------------------


### OllyDbg log: http://img241.imageshack.us/img241/6766/mp3tagolly.jpg


### Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

### liquidworm gmail com

### http://www.zeroscience.org/

### 31.05.2009

################################################################################