
Heap-based Buffer Overflow #2052

Closed
rbouqueau opened this issue Jan 17, 2022 · 1 comment

rbouqueau commented Jan 17, 2022

https://huntr.dev/bounties/1691cca3-ab54-4259-856b-751be2395b11/ (not public?)

poc3.mp4
Description

Heap-based Buffer Overflow reported in SFS_AddString () at bifs/script_dec.c:76. Note that the abort comes from glibc's malloc_printerr inside _int_malloc (see backtrace frames #3–#6), i.e. the allocator detects already-corrupted heap metadata during the gf_malloc call; the actual out-of-bounds write therefore happens before this allocation, not at line 76 itself.
Proof of Concept

POC1 is here.
Result

MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null  POC1
···

[5]    538135 abort      ./source/gpac/bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp

Backtrace

Program received signal SIGABRT, Aborted.
0x0000000000d18d6b in raise ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x10dd8c0 ◂— 0x10dd8c0
 RCX  0xd18d6b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
 RDX  0x0
 RDI  0x2
 RSI  0x7fffffff73b0 ◂— 0x0
 R8   0x0
 R9   0x7fffffff73b0 ◂— 0x0
 R10  0x8
 R11  0x246
 R12  0x7fffffff7620 —▸ 0x1108750 ◂— 0x33333333333333f3
 R13  0x10
 R14  0x7ffff7ff8000 ◂— 0x6c6c616d00001000
 R15  0x1
 RBP  0x7fffffff7700 ◂— 0x5dc
 RSP  0x7fffffff73b0 ◂— 0x0
 RIP  0xd18d6b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0xd18d6b <raise+203>         mov    rax, qword ptr [rsp + 0x108]
   0xd18d73 <raise+211>         xor    rax, qword ptr fs:[0x28]
   0xd18d7c <raise+220>         jne    raise+260                      <raise+260>
    ↓
   0xd18da4 <raise+260>         call   __stack_chk_fail_local                      <__stack_chk_fail_local>
 
   0xd18da9                     nop    dword ptr [rax]
   0xd18db0 <sigprocmask>       endbr64 
   0xd18db4 <sigprocmask+4>     sub    rsp, 0x98
   0xd18dbb <sigprocmask+11>    xor    r8d, r8d
   0xd18dbe <sigprocmask+14>    mov    rax, qword ptr fs:[0x28]
   0xd18dc7 <sigprocmask+23>    mov    qword ptr [rsp + 0x88], rax
   0xd18dcf <sigprocmask+31>    xor    eax, eax
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsi r9 rsp 0x7fffffff73b0 ◂— 0x0
01:0008│            0x7fffffff73b8 —▸ 0xd437e2 (malloc+114) ◂— mov    r8, rax
02:0010│            0x7fffffff73c0 ◂— 0x5
03:0018│            0x7fffffff73c8 —▸ 0x10e6370 ◂— 0x0
04:0020│            0x7fffffff73d0 ◂— 0x1
05:0028│            0x7fffffff73d8 —▸ 0xd465cf (strdup+31) ◂— test   rax, rax
06:0030│            0x7fffffff73e0 —▸ 0x7fffffff7410 —▸ 0x7fffffff7880 —▸ 0x7fffffff7920 —▸ 0x7fffffff79e0 ◂— ...
07:0038│            0x7fffffff73e8 —▸ 0x445bec (gf_bs_read_int+68) ◂— movzx  eax, al
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0         0xd18d6b raise+203
   f 1         0x4013d8 abort+299
   f 2         0xd37836 __libc_message+662
   f 3         0xd3eabc
   f 4         0xd41e1c _int_malloc+3116
   f 5         0xd437e2 malloc+114
   f 6         0x450afc gf_malloc+28
   f 7         0x56de8f SFS_AddString+118
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x0000000000d18d6b in raise ()
#1  0x00000000004013d8 in abort ()
#2  0x0000000000d37836 in __libc_message ()
#3  0x0000000000d3eabc in malloc_printerr ()
#4  0x0000000000d41e1c in _int_malloc ()
#5  0x0000000000d437e2 in malloc ()
#6  0x0000000000450afc in gf_malloc (size=1500) at utils/alloc.c:150
#7  0x000000000056de8f in SFS_AddString (parser=0x7fffffff78d0, str=0xe13fb8 "(") at bifs/script_dec.c:76
#8  0x000000000056e7bf in SFS_Arguments (parser=0x7fffffff78d0, is_var=GF_FALSE) at bifs/script_dec.c:257
#9  0x000000000056e540 in SFScript_Parse (codec=0x10f6d90, script_field=0x10fbd88, bs=0x10e6370, n=0x10f9c50) at bifs/script_dec.c:208
#10 0x0000000000564ddb in gf_bifs_dec_sf_field (codec=0x10f6d90, bs=0x10e6370, node=0x10f9c50, field=0x7fffffff7a50, is_mem_com=GF_FALSE) at bifs/field_decode.c:260
#11 0x0000000000565384 in BD_DecMFFieldVec (codec=0x10f6d90, bs=0x10e6370, node=0x10f9c50, field=0x7fffffff7b20, is_mem_com=GF_FALSE) at bifs/field_decode.c:408
#12 0x000000000056588c in gf_bifs_dec_field (codec=0x10f6d90, bs=0x10e6370, node=0x10f9c50, field=0x7fffffff7b20, is_mem_com=GF_FALSE) at bifs/field_decode.c:540
#13 0x0000000000565b0e in gf_bifs_dec_node_list (codec=0x10f6d90, bs=0x10e6370, node=0x10f9c50, is_proto=GF_FALSE) at bifs/field_decode.c:600
#14 0x0000000000566701 in gf_bifs_dec_node (codec=0x10f6d90, bs=0x10e6370, NDT_Tag=3) at bifs/field_decode.c:902
#15 0x00000000005653d4 in BD_DecMFFieldVec (codec=0x10f6d90, bs=0x10e6370, node=0x10f9bc0, field=0x7fffffff8100, is_mem_com=GF_FALSE) at bifs/field_decode.c:414
#16 0x000000000056588c in gf_bifs_dec_field (codec=0x10f6d90, bs=0x10e6370, node=0x10f9bc0, field=0x7fffffff8100, is_mem_com=GF_FALSE) at bifs/field_decode.c:540
#17 0x0000000000565b0e in gf_bifs_dec_node_list (codec=0x10f6d90, bs=0x10e6370, node=0x10f9bc0, is_proto=GF_FALSE) at bifs/field_decode.c:600
#18 0x0000000000566701 in gf_bifs_dec_node (codec=0x10f6d90, bs=0x10e6370, NDT_Tag=23) at bifs/field_decode.c:902
#19 0x000000000055d31b in BD_DecSceneReplace (codec=0x10f6d90, bs=0x10e6370, proto_list=0x10f9320) at bifs/com_dec.c:1327
#20 0x000000000056c81d in BM_SceneReplace (codec=0x10f6d90, bs=0x10e6370, com_list=0x10f7150) at bifs/memory_decoder.c:860
#21 0x000000000056ca9e in BM_ParseCommand (codec=0x10f6d90, bs=0x10e6370, com_list=0x10f7150) at bifs/memory_decoder.c:908
#22 0x000000000056cf48 in gf_bifs_decode_command_list (codec=0x10f6d90, ESID=8, data=0x10f71d0 '\314' <repeats 29 times>, "̔", '\224' <repeats 30 times>, '\314' <repeats 138 times>, <incomplete sequence \314>..., data_length=8208, com_list=0x10f7150) at bifs/memory_decoder.c:1009
#23 0x00000000006be0e9 in gf_sm_load_run_isom (load=0x7fffffff8850) at scene_manager/loader_isom.c:303
#24 0x00000000006a2059 in gf_sm_load_run (load=0x7fffffff8850) at scene_manager/scene_manager.c:719
#25 0x000000000041786e in dump_isom_scene (file=0x7fffffffe649 "discxx/__GI_raise-__GI_abort/POC1", inName=0x7fffffffe63f "/dev/null", is_final_name=GF_TRUE, dump_mode=GF_SM_DUMP_BT, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:199
#26 0x000000000041521f in mp4boxMain (argc=11, argv=0x7fffffffe2d8) at main.c:6044
#27 0x000000000041719b in main (argc=11, argv=0x7fffffffe2d8) at main.c:6496
#28 0x0000000000d09840 in __libc_start_main ()
#29 0x000000000040211e in _start ()


@aureliendavid

fixed by b5741da
