lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <10c6adab050124082260bb657a@mail.gmail.com>
From: carlos.ulver at gmail.com (Carlos Ulver)
Subject: RealPlayer 10.5 Denial of Service and possible
	Overflow

Well i was trying to find something in .ra format. I found something
interesting(I think)
I had an old .Ra and tryed to change some information of the file(via
an hexadecimal editor):
All my .ra files begin always with the following code:
.ra......ra4.........r.........>................+........
If i change ONE byte at the beginning RealAudio crashes like the
following example:
.ra......Aa4.........r.........>................+........

In this case I just overwrited the second 'r' for 'A' and RealPlayer crashed.
I could not see if i overwrite with more A?s be possible to write into
stack cause I?m with no good debugger here and I don?t understant
windows debug report.
It was tested only with RealPlayer 10.5. *** If possible some one try
to write into stack will be great. ***

I?m making files avaliable at           www.debarry2.com.br/carlos/rapoc.zip
as an proof of concept for this.

You could also get the rapoc.zip at www.debarry2.com.br/carlos by a
link I put at first page(top);

If its possible to write into stack all of u comrades know that we can
execute arbitrary code into affected systems.

Sorry for my bad Brazilian-english.

Carlos A. Ulver.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ