Vulnerability Development mailing list archives

Re: Winamp M3U playlist parser buffer overflow security vulnerability


From: Pauli Ojanpera <pauli_ojanpera () HOTMAIL COM>
Date: Wed, 26 Jul 2000 18:04:58 EEST

LEGAL NOTICE:
The same stuff applies to this as to the original post.

Once again I was not specific enough in my post to Bugtraq.
I guess I never learn.

The faulty function in question starts at memory address 0x411FE5.
The function has a local variable stored on the stack right after
the buffer to be overflowed and right before the stored frame
pointer (EBP). This way:

[Return address]                          = 4 bytes
[Stored frame pointer (EBP)]              = 4 bytes
[FILE *fp]                                = 4 bytes
[Buffer to overflow (#EXTINF: parameter)] = 269 bytes

In order to get the function to successfully return, the file
pointer in between the buffer and the stored frame pointer MUST
point to a valid FILE record. (I am indeed not sure whether it is
a FILE pointer, but it is a pointer to some record anyway.)
Because the FILE pointer contains a zero byte, it cannot simply
be overwritten to hold the same old value it had.
I did, however, find a valid address in the IN_MOD plugin's address
space that I could use to fool the function into believing the pointer
points to a valid record. That address contains no byte values
that could not be embedded in the string.

The file (ATTACK.M3U) I attached to my original post has this
value (0x1111A1A0) in the right position (bytes 270-273) in the
parameter string. After that, it has a dummy frame pointer value ('PPPP'),
and next is the return address to jump to ('AAAA').

With a runtime debugger (not to mention one :) you can set a breakpoint
at 0x411FE5 and inspect the stack frame to see how things are stored
there.

P.S. I'm f*en sorry for my probably erroneous English. 8-]

----Original Message Follows----
From:  xxx <xxx@xxx>
To: "Pauli Ojanpera" <pauli_ojanpera () HOTMAIL COM>
Subject: Re: Winamp M3U playlist parser buffer overflow security vulnerability
Date: Mon, 24 Jul 2000 14:30:50 -0400

hey man,

I got that sploit you found in Winamp,
using the 280 A's.

Well, you also stated that you can take control over their computer.
Well, I have been trying and I can't seem to find how you can control them.

Do you think you can guide me to any way that works?
Thanks a lot, man.

xxx.


________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
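A bounded #EXTINF parser in C, added here as an example and not taken from Winamp or from either message above: it caps the title at the 269-byte buffer size the post describes and refuses longer input (such as the 280 A's the quoted reply mentions) instead of copying past the buffer. The "#EXTINF:<seconds>,<title>" field layout is assumed from the post, and the sample lines in main() are constructed, not the attached ATTACK.M3U.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXTINF_MAX 269  /* buffer size from the post's stack layout */

struct extinf {
    long seconds;           /* track length in seconds (-1 for streams) */
    char title[EXTINF_MAX]; /* NUL-terminated title */
};

/* Parse one "#EXTINF:<seconds>,<title>" line into *out.
 * Returns 0 on success, -1 if the prefix is missing, the length field
 * is malformed, or the title would not fit (with its terminating NUL).
 * Over-long input is refused instead of being copied past the buffer. */
int parse_extinf(const char *line, struct extinf *out)
{
    static const char prefix[] = "#EXTINF:";
    size_t plen = sizeof prefix - 1;
    if (strncmp(line, prefix, plen) != 0)
        return -1;
    const char *p = line + plen;
    char *end;
    errno = 0;
    long secs = strtol(p, &end, 10);
    if (end == p || errno != 0 || *end != ',')
        return -1;
    const char *title = end + 1;
    size_t tlen = strcspn(title, "\r\n"); /* title ends at the line break */
    if (tlen >= sizeof out->title)        /* would overflow: reject */
        return -1;
    out->seconds = secs;
    memcpy(out->title, title, tlen);
    out->title[tlen] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample lines: a benign entry and one carrying a
     * 280-byte title like the "280 A's" in the quoted reply. */
    char big[320] = "#EXTINF:1,";
    memset(big + 10, 'A', 280);  /* rest of the array stays zero */
    struct extinf e;
    printf("benign: %d\n", parse_extinf("#EXTINF:123,Some Song\n", &e));
    printf("oversized: %d\n", parse_extinf(big, &e));
    return 0;
}
```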

