exploit-db-mirror/exploits/windows/dos/15248.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25

Source: http://aluigi.org/adv/winamp_1-adv.txt
#######################################################################
Luigi Auriemma
Application: Winamp
http://www.winamp.com
Versions: <= 5.5.8.2985 (aka v5.581)
Platforms: Windows
Bugs: A] integer overflow in in_mkv
B] integer overflow in in_nsv
C] integer overflow in in_midi
D] buffer-overflow in in_mod
Exploitation: remote, versus server
Date: 13 Oct 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Winamp is one of the most widespread and appreciated media players for
Windows.
#######################################################################
=======
2) Bugs
=======
-----------------------------
A] integer overflow in in_mkv
-----------------------------
The in_mkv plugin uses a particular function (address 077078c0) for
reading text strings from the Matroska containers.
The function reads the EBML numeric value (64-bit), allocates memory
corresponding to that value truncated to 32 bits plus 1, and then reads
the data from the file into that buffer, leading to possible code
execution:
buff = malloc(size + 1);
if(buff) fread(buff, 1, size, fd);
-----------------------------
B] integer overflow in in_nsv
-----------------------------
The in_nsv plugin is affected by a heap overflow caused by the
function (address 077ca422) that first validates the size of the
metadata string contained in the file after adding 1 to it, and then
copies 0x1fffffff bytes into a heap buffer, leading to possible code
execution (077C8577 CALL DWORD PTR DS:[EAX+8]):
memcpy(heap_buffer, attacker_data, size >> 3);
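The two length checks described in bugs A and B share one root cause: a size taken from the file has 1 added to it (after a 64-bit to 32-bit truncation in the in_mkv case) before it is compared or passed to the allocator, and a value of 0xffffffff wraps that sum to 0. The following is an added example, not Luigi Auriemma's code nor Winamp's; it models each vulnerable pattern next to a corrected form. The function names and the 1024-byte metadata limit are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed upper bound for the in_nsv-style metadata check. */
#define MAX_META_LEN 1024u

/* Bug A pattern (hypothetical model): a 64-bit EBML length is silently
 * truncated to 32 bits and 1 is added before malloc(). Returns the size
 * the vulnerable code would request; 0xffffffff wraps to 0. */
uint32_t vuln_alloc_len(uint64_t ebml_size) {
    uint32_t size = (uint32_t)ebml_size;   /* truncation: high bits lost */
    return size + 1;                        /* wraps to 0 when size == 0xffffffff */
}

/* Hardened form: refuse lengths that would truncate or wrap, and only
 * then compute size + 1. Returns 0 on rejection (never a valid result,
 * since a valid allocation is at least 1 byte). */
size_t safe_alloc_len(uint64_t ebml_size) {
    if (ebml_size > (uint64_t)UINT32_MAX - 1u) return 0;  /* would wrap on +1 */
    return (size_t)ebml_size + 1u;
}

/* Bug B pattern (hypothetical model): the bound is checked on size + 1,
 * so size == 0xffffffff wraps to 0 and passes the check. */
int vuln_meta_ok(uint32_t size) {
    return (size + 1u) <= MAX_META_LEN;
}

/* Hardened form: compare size itself; "size < MAX" is the same condition
 * as "size + 1 <= MAX" without any possibility of overflow. */
int safe_meta_ok(uint32_t size) {
    return size < MAX_META_LEN;
}

/* Copy length the vulnerable in_nsv-style code would hand to memcpy()
 * after the check passes; 0xffffffff >> 3 is the 0x1fffffff from the advisory. */
uint32_t vuln_copy_len(uint32_t size) {
    return size >> 3;
}

int main(void) {
    uint64_t bad = 0xffffffffULL;
    printf("bug A: vulnerable malloc size for 0x%llx = %u, hardened = %zu (0 = rejected)\n",
           (unsigned long long)bad, vuln_alloc_len(bad), safe_alloc_len(bad));
    printf("bug B: vulnerable check passes = %d, hardened passes = %d, copy length = 0x%x\n",
           vuln_meta_ok((uint32_t)bad), safe_meta_ok((uint32_t)bad),
           vuln_copy_len((uint32_t)bad));
    return 0;
}
```

The defensive rule the example encodes is to validate the raw length against the limit before doing arithmetic on it, and to reject any 64-bit value that does not fit the 32-bit type the allocator will receive, rather than letting the cast truncate it.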
------------------------------
C] integer overflow in in_midi
------------------------------
The in_midi plugin is affected by a heap overflow during the handling
of HMP files (a format used in some old DOS games), where a
variable-length 32-bit value is used for copying data with memcpy()
from the attacker's data to a heap buffer that has not been
reallocated to the needed size because of an integer overflow.
It does not seem possible to control code execution.
----------------------------
D] buffer-overflow in in_mod
----------------------------
The in_mod plugin is affected by a stack overflow that happens during
the handling of a malformed MTM file, but it requires that the user
manually click on the player to view the detailed information of the
track.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/winamp_1.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/15248.zip (winamp_1_13Oct10.zip)
#######################################################################
======
4) Fix
======
No fix.
#######################################################################