-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - Orange Bat advisory -

Name      : VLC 0.8.6i
Class     : Heap overflow
Published : 2008-08-16
Credit    : g_ (g_ # orange-bat # com)

- - Details -

\modules\demux\tta.c

    #define TTA_FRAMETIME 1.04489795918367346939
    .
    .
    .
    int i_seektable_size = 0, i;
    .
    .
    .
    /* Read the metadata */
    es_format_Init( &fmt, AUDIO_ES, VLC_FOURCC( 'T', 'T', 'A', '1' ) );
    fmt.audio.i_channels = GetWLE( &p_header[6] );
    fmt.audio.i_bitspersample = GetWLE( &p_header[8] );
[1] fmt.audio.i_rate = GetDWLE( &p_header[10] );

    p_sys->i_datalength = GetDWLE( &p_header[14] );
    p_sys->i_framelength = TTA_FRAMETIME * fmt.audio.i_rate;

[2] p_sys->i_totalframes = p_sys->i_datalength / p_sys->i_framelength +
        ((p_sys->i_datalength % p_sys->i_framelength) ? 1 : 0);
    p_sys->i_currentframe = 0;

[3] i_seektable_size = sizeof(uint32_t)*p_sys->i_totalframes;
    p_seektable = (uint8_t *)malloc( i_seektable_size );
    stream_Read( p_demux->s, p_seektable, i_seektable_size );
    p_sys->pi_seektable = (uint32_t *)malloc(i_seektable_size);

    for( i = 0; i < p_sys->i_totalframes; i++ )
[4]     p_sys->pi_seektable[i] = GetDWLE( &p_seektable[i*4] );

[1] - we can set i_rate to 1
[2] - i_framelength = 1 (look at the constant definition, it's ~1),
      so i_totalframes = i_datalength
[3] - because we can set i_datalength to 2^30 and because
      i_totalframes = i_datalength, the multiplication will overflow
[4] - i_totalframes is positive (highest bit not set), so this loop will
      spin 2^30 times, overwriting everything with data from the heap.
      The unfortunate thing is we have little control over what is written.

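To make the arithmetic at [1]-[4] concrete and show the check a fixed demuxer needs, here is an added example that is neither VLC's code nor part of the advisory: it mirrors the header-derived size computation with 32-bit quantities so the wrap at [3] is visible, then places a hardened form beside it. Helper names are hypothetical, and i_stream_bytes is assumed to be the number of bytes remaining in the input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Same constant as in tta.c; the helper names below are hypothetical and
 * not VLC's own functions. */
#define TTA_FRAMETIME 1.04489795918367346939

/* Mirrors the advisory's arithmetic with 32-bit quantities: returns the
 * byte count that [3] would hand to malloc(), wrapped exactly as the
 * original int i_seektable_size is. Callers must pass i_rate != 0. */
int tta_seektable_size_unchecked(uint32_t i_rate, uint32_t i_datalength)
{
    uint32_t i_framelength = (uint32_t)(TTA_FRAMETIME * i_rate);
    uint32_t i_totalframes = i_datalength / i_framelength +
                             ((i_datalength % i_framelength) ? 1 : 0);
    /* sizeof(uint32_t) * 2^30 == 2^32, which does not fit in 32 bits */
    return (int)(uint32_t)(sizeof(uint32_t) * i_totalframes);
}

/* Hardened form: reject a zero frame length (covers i_rate == 0), guard
 * the multiplication, and refuse a seektable larger than the bytes that
 * are actually left in the stream (i_stream_bytes is an assumed input).
 * Returns 0 and stores the byte count in *out, or -1 on rejection. */
int tta_seektable_size_checked(uint32_t i_rate, uint32_t i_datalength,
                               uint64_t i_stream_bytes, size_t *out)
{
    uint32_t i_framelength = (uint32_t)(TTA_FRAMETIME * i_rate);
    if (i_framelength == 0)
        return -1;
    uint64_t i_totalframes = (uint64_t)i_datalength / i_framelength +
                             ((i_datalength % i_framelength) ? 1 : 0);
    if (i_totalframes > SIZE_MAX / sizeof(uint32_t))   /* would wrap */
        return -1;
    size_t need = (size_t)i_totalframes * sizeof(uint32_t);
    if (need > i_stream_bytes)                         /* cannot exist */
        return -1;
    *out = need;
    return 0;
}

int main(void)
{
    size_t n;
    printf("unchecked: %d\n", tta_seektable_size_unchecked(1, 1u << 30));
    printf("checked: %d\n",
           tta_seektable_size_checked(1, 1u << 30, 1u << 30, &n));
    return 0;
}
```

On a 64-bit build the multiplication guard alone would still admit 2^30 frames, which is why the stream-size bound is the check that actually rejects the advisory's header; keeping the size in size_t rather than int is the other half of the fix.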
- - Proof of concept -

http://www.orange-bat.com/adv/2008/vlc.dos.tta
backup: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/6252.tta (2008-vlc.dos.tta)

- - PGP -

All advisories from Orange Bat are signed. You can find our public
key here: http://www.orange-bat.com/g_.asc

- - Disclaimer -

This document and all the information it contains is provided "as is",
without any warranty. Orange Bat is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.

(c) 2008 www.orange-bat.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAkimwoYACgkQIUHRVUfOLgW8hgCgmPcqqIlcLQpmH8u6wB2fVOHs
Zv4AoNNYWhzdknZOnPuChysoak1rMRsx
=4K3f
-----END PGP SIGNATURE-----

# milw0rm.com [2008-08-16]