VirtualDJ Pro/Home 7.3: Buffer Overflow

I have found a buffer overflow vulnerability in VirtualDJ Pro 7.3 and VirtualDJ Home 7.3, and possibly in previous versions of this software.

When the user enters a folder, VirtualDJ tries to retrieve all information from the ID3 tags of the MP3 files inside it, such as Title, Album and Artist, and stores it in a buffer. After that, a second buffer of length 4096 is allocated on the stack and only the characters from the first buffer will be copied to it. According to the ID3 v2.x standard, these tags can have a length greater than 4096, so it is possible to produce a buffer overflow in this second buffer.

At the time the buffer overflow happens and the program reaches the retn instruction, the edi register points to the first buffer. We cannot assign eip the address of the first buffer directly, since it contains characters which are not in the range A-Z. However, if we take the previous information into account, we can do this indirectly: we write "FSFD" in bytes 4100:4104 of the title. After the buffer overflow occurs we get eip = 0x44465346 = "FSFD". At this address (inside urlmon.dll) we find a call edi instruction, so the bytes in the first buffer will be executed. VirtualDJ has inserted a 0xC3 byte (retn) before each non-printable ASCII character in the first buffer, so we cannot execute the shellcode directly. We can solve this by pushing the bytes of the shellcode onto the stack using only printable ASCII characters.
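The root cause described above is a copy whose length comes from the attacker-controlled ID3 frame size while the destination is a fixed 4096-byte stack buffer. The following C program is an added illustration of that bug class and its fix; it is not VirtualDJ's code and not code from the post. It assumes the ID3v2 frame layout (a 10-byte header with a 4-character id, a 4-byte size that is big-endian in v2.3 and syncsafe in v2.4, 2 flag bytes, then a text payload that starts with one encoding byte) and models the destination as a 4096-byte buffer; the function and variable names are my own. It keeps the unsafe copy only for contrast and never invokes it; the hardened parser rejects any frame whose declared size exceeds the bytes present or the destination capacity before a single byte is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bound (illustrative code, not VirtualDJ's): the post describes a
 * 4096-byte stack buffer receiving the tag text, so that is the capacity modelled. */
#define TAG_BUF_SIZE 4096

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_INPUT,     /* header or payload runs past the end of the data */
    PARSE_BAD_HEADER,      /* frame id is not four characters from [A-Z0-9] */
    PARSE_FRAME_TOO_LARGE  /* declared size exceeds the destination capacity */
};

/* ID3v2.4 frame sizes are "syncsafe": four bytes carrying 7 bits each. */
uint32_t decode_syncsafe(const uint8_t b[4]) {
    return ((uint32_t)(b[0] & 0x7f) << 21) | ((uint32_t)(b[1] & 0x7f) << 14) |
           ((uint32_t)(b[2] & 0x7f) << 7)  |  (uint32_t)(b[3] & 0x7f);
}

/* ID3v2.3 frame sizes are plain 32-bit big-endian integers. */
uint32_t decode_be32(const uint8_t b[4]) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* The unsafe pattern the post describes: the frame size read from the file drives
 * a copy into a fixed-size destination with no capacity check. Kept for contrast
 * only; nothing in this file calls it. */
void copy_text_unchecked(char dst[TAG_BUF_SIZE], const uint8_t *src, uint32_t n) {
    memcpy(dst, src, n);  /* writes past dst whenever n >= TAG_BUF_SIZE */
    dst[n] = '\0';
}

/* Hardened form: parse the frame header at `tag` (len bytes available) and copy
 * the text payload into `out` (capacity out_cap). The declared size is checked
 * against the bytes actually present and against out_cap before any copy. */
enum parse_status extract_text_frame(const uint8_t *tag, size_t len, int v24,
                                     char *out, size_t out_cap) {
    if (len < 10) return PARSE_SHORT_INPUT;
    for (int i = 0; i < 4; i++) {
        char c = (char)tag[i];
        if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9'))) return PARSE_BAD_HEADER;
    }
    uint32_t size = v24 ? decode_syncsafe(tag + 4) : decode_be32(tag + 4);
    if (size > len - 10) return PARSE_SHORT_INPUT;  /* claims more bytes than the file holds */
    if (size < 1) return PARSE_SHORT_INPUT;         /* text frames carry at least an encoding byte */
    size_t text_len = size - 1;                     /* payload byte 0 is the text encoding */
    if (out_cap == 0 || text_len > out_cap - 1) return PARSE_FRAME_TOO_LARGE;
    memcpy(out, tag + 11, text_len);
    out[text_len] = '\0';
    return PARSE_OK;
}

/* Serialise one text frame (id, size, zero flags, encoding byte 0x00 = ISO-8859-1,
 * then text) into dst. Returns the frame length, or 0 if it does not fit dst_cap.
 * This produces constructed test data, not a real MP3 file. */
size_t build_text_frame(uint8_t *dst, size_t dst_cap, const char id[4], int v24,
                        const char *text, uint32_t text_len) {
    if (text_len >= 0x0FFFFFFF) return 0;         /* keeps size within 28 syncsafe bits */
    uint32_t size = text_len + 1;
    size_t total = 10 + (size_t)size;
    if (total > dst_cap) return 0;
    memcpy(dst, id, 4);
    if (v24) {
        dst[4] = (uint8_t)((size >> 21) & 0x7f); dst[5] = (uint8_t)((size >> 14) & 0x7f);
        dst[6] = (uint8_t)((size >> 7) & 0x7f);  dst[7] = (uint8_t)(size & 0x7f);
    } else {
        dst[4] = (uint8_t)(size >> 24); dst[5] = (uint8_t)(size >> 16);
        dst[6] = (uint8_t)(size >> 8);  dst[7] = (uint8_t)size;
    }
    dst[8] = dst[9] = 0;   /* frame flags */
    dst[10] = 0x00;        /* text encoding: ISO-8859-1 */
    memcpy(dst + 11, text, text_len);
    return total;
}

/* Scratch storage kept static so an oversized frame never lives on the stack. */
static uint8_t g_frame[TAG_BUF_SIZE * 2 + 16];
static char g_title[TAG_BUF_SIZE];

/* Build a frame whose text is `text_len` bytes of 'A' and run it through the
 * hardened parser. Returns the parse status; g_title holds the text on success. */
enum parse_status check_title_of_length(uint32_t text_len, int v24) {
    static char filler[TAG_BUF_SIZE * 2];
    if (text_len > sizeof filler) return PARSE_FRAME_TOO_LARGE;
    memset(filler, 'A', text_len);
    size_t n = build_text_frame(g_frame, sizeof g_frame, "TIT2", v24, filler, text_len);
    if (n == 0) return PARSE_FRAME_TOO_LARGE;
    return extract_text_frame(g_frame, n, v24, g_title, sizeof g_title);
}

int main(void) {
    printf("5-byte title:    status %d\n", check_title_of_length(5, 0));
    printf("4095-byte title: status %d\n", check_title_of_length(4095, 0));
    printf("4999-byte title: status %d (3 = rejected, would not fit)\n",
           check_title_of_length(4999, 1));
    return 0;
}
```

The important ordering is that both checks on the declared size happen before `memcpy`; rejecting the frame (or truncating it to the destination size, which is the other common fix) closes the overflow regardless of how long the ID3 standard allows the tag to be.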