Exploit Totem Movie Player 3.4.3 (Ubuntu) - Stack Corruption

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
23427
Проверка EDB
  1. Пройдено
Автор
COOLKAVEH
Тип уязвимости
DOS
Платформа
LINUX
CVE
null
Дата публикации
2012-12-16
Код:
Title    :  Totem movie player(Ubuntu)stack corruption
Version  :  3.4.3 GStreamer 0.10.36
Date     :  2012-12-15
Vendor   :  http://projects.gnome.org/totem/index.html
Impact   :  Med/High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  Ubuntu 12.10 desktop 32 bit
Author   :  coolkaveh
################################################################################################
Totem is the official movie player of the GNOME desktop environment based on 
GStreamer and its ubuntu default movie player
###############################################################################################
Bug :
----
The vulnerability cause a stack corruption (division by zero) via a specially crafted Avi files
That will trigger a denial of service condition
---- 
###############################################################################################
Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0xafe89b40 (LWP 21171)]
0xaf625080 in gst_riff_create_audio_caps () from /usr/lib/i386-linux-gnu/libgstriff-0.10.so.0
process 21159
0xaf62507b <+1883>:    mov    edx,eax
0xaf62507d <+1885>:    sar    edx,0x1f
=> 0xaf625080 <+1888>: idiv   edi
0xaf625082 <+1890>:    mov    esi,eax
0xaf625084 <+1892>:    movzx  eax,WORD PTR [ecx+0xe]
0xaf625088 <+1896>:    cmp    ax,0x20
 
eax            0x20  32
ecx            0x805cbf80   -2141405312
edx            0x0  0
ebx            0xaf62cff4   -1352478732
esp            0xafe88de0   0xafe88de0
ebp            0xafe88f1c   0xafe88f1c
esi            0x805832c0   -2141703488
edi            0x0  0
eip            0xaf625080   0xaf625080 <gst_riff_create_audio_caps+1888>
eflags         0x210246 [ PF ZF IF RF ID ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
 
si_addr:$2 = (void *) 0xaf625080 <gst_riff_create_audio_caps+1888>
#0  0xaf625080 in gst_riff_create_audio_caps () from /usr/lib/i386-linux-gnu/libgstriff-0.10.so.0
 
##################################################################################################
Proof of concept included.

http://www41.zippyshare.com/v/13083235/file.html 
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23427.rar
 
Источник
www.exploit-db.com

Похожие темы