RealPlayer 10.5 Denial of Service and possible Overflow
From: Carlos Ulver (carlos.ulver gmail.com)
Date: Mon Jan 24 2005 - 13:50:47 CST
Well, I was trying to find something in .ra format. I found something
interesting (I think).
I had an old .ra and tried to change some information in the file (via
a hexadecimal editor):
All my .ra files always begin with the following code:
.ra......ra4.........r.........>................+........
If I change ONE byte at the beginning, RealAudio crashes, as in the
following example:
.ra......Aa4.........r.........>................+........
In this case I just overwrote the second 'r' with 'A' and RealPlayer crashed.
I could not see whether overwriting with more A's makes it possible to write
into the stack, because I have no good debugger here and I don't understand
the Windows debug report.
It was tested only with RealPlayer 10.5. *** If someone could try
to write into the stack, that would be great. ***
I'm making files available at www.debarry2.com.br/carlos/rapoc.zip
as a proof of concept for this.
You can also get rapoc.zip at www.debarry2.com.br/carlos via a
link I put on the first page (top).
If it's possible to write into the stack, all of you comrades know that we can
execute arbitrary code on affected systems.
Sorry for my bad Brazilian-English.
Carlos A. Ulver.
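
Added example, not part of the original post: a pre-parse check that a mail or download gateway could run on .ra files to flag the kind of one-byte header change described above. The field layout (magic `.ra\xfd` at offset 0, big-endian version at offset 4, `.ra4` signature at offset 8) is an assumption taken from public descriptions of the RealAudio version 4 header, not from the post; the function name and both sample headers are constructed for illustration.

```python
import struct

RA_MAGIC = b".ra\xfd"      # assumed file magic, offsets 0-3
RA4_SIGNATURE = b".ra4"    # assumed second signature, offsets 8-11 (version 4)
MIN_HEADER = 12            # bytes needed to check both signatures


def check_ra4_header(data):
    """Return a list of problems in the first 12 bytes; empty list means OK."""
    if len(data) < MIN_HEADER:
        return ["truncated: %d bytes, need %d" % (len(data), MIN_HEADER)]

    problems = []
    if data[0:4] != RA_MAGIC:
        problems.append("bad magic at offset 0: %r" % data[0:4])

    (version,) = struct.unpack(">H", data[4:6])
    if version != 4:
        # Other versions use a different layout; this check does not cover them.
        problems.append("version %d not covered by this check" % version)
        return problems

    # Report every byte of the second signature that deviates, with its offset,
    # so an analyst can see exactly where the file was altered.
    for offset, (got, want) in enumerate(zip(data[8:12], RA4_SIGNATURE), start=8):
        if got != want:
            problems.append(
                "offset %d: got 0x%02x, expected 0x%02x" % (offset, got, want)
            )
    return problems


# Constructed samples: a well-formed header and the same header with the
# second 'r' replaced by 'A', as in the post.
GOOD = b".ra\xfd\x00\x04\x00\x00.ra4" + b"\x00" * 4
MUTATED = GOOD[:9] + b"A" + GOOD[10:]

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("mutated", MUTATED)):
        print(name, check_ra4_header(sample) or "ok")
```
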