Get the VLC code (vlc-0.9.4.tar.bz2)
To verify the author's finding, I check the key place of this buffer overflow attack.
```c
static void parse_master(demux_t *p_demux)
{
    demux_sys_t *p_sys = p_demux->p_sys;
    uint8_t mst_buf[32];              /* fixed 32-byte buffer on the stack */
    int i, i_map_size;
    int64_t i_save_pos = stream_Tell(p_demux->s);
    int64_t i_pts_secs;
    /* Note that the entries in the SEQ table in the stream may have
       different sizes depending on the bits per entry. We store them
       all in the same size structure, so we have to parse them out one
       by one. If we had a dynamic structure, we could simply read the
       entire table directly from the stream into memory in place. */
    /* clear the SEQ table */
    free(p_sys->seq_table);
    /* parse header info */
    stream_Read(p_demux->s, mst_buf, 32);
    i_map_size = U32_AT(&mst_buf[20]);  /* size of bitmask, in bytes; taken from the file, never bounded */
    p_sys->i_bits_per_seq_entry = i_map_size * 8;
    i = U32_AT(&mst_buf[28]);           /* size of SEQ table, in bytes */
    p_sys->i_seq_table_size = i / (8 + i_map_size);
    /* parse all the entries */
    p_sys->seq_table = malloc(p_sys->i_seq_table_size * sizeof(ty_seq_table_t));
    for (i=0; i<p_sys->i_seq_table_size; i++) {
        /* reads 8 + i_map_size bytes into the 32-byte mst_buf: overflows once i_map_size > 24 (0x18) */
        stream_Read(p_demux->s, mst_buf, 8 + i_map_size);
```
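As an added example (not VLC's code and not from the post's author), here is a stand-alone C version of the header parse above with the bound the original lacks: each per-entry read of 8 + i_map_size bytes must fit inside the 32-byte mst_buf, so i_map_size may be at most 24 (0x18). The header bytes are constructed, u32_at is assumed to be the big-endian read that VLC's U32_AT performs, and parse_master_checked / check_map_size are hypothetical names.

```c
#include <stdint.h>

#define MST_BUF_SIZE 32                 /* size of mst_buf[] in parse_master() */
#define MAX_MAP_SIZE (MST_BUF_SIZE - 8) /* largest i_map_size that still fits: 24 = 0x18 */

/* Big-endian 32-bit read, assumed to match VLC's U32_AT(). */
static uint32_t u32_at(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (uint8_t)v;
}

typedef struct {
    uint32_t map_size;       /* bitmask size in bytes, header offset 0x14 */
    uint32_t seq_table_size; /* number of SEQ entries */
} master_hdr_t;

/* Returns 0 on success, -1 if a later per-entry read of 8 + map_size bytes
 * would overrun the 32-byte buffer. This is the check parse_master() never does. */
int parse_master_checked(const uint8_t hdr[MST_BUF_SIZE], master_hdr_t *out)
{
    uint32_t map_size  = u32_at(&hdr[20]);
    uint32_t tbl_bytes = u32_at(&hdr[28]);

    if (map_size > MAX_MAP_SIZE)
        return -1;                      /* reject the header before any entry is read */
    out->map_size = map_size;
    out->seq_table_size = tbl_bytes / (8 + map_size);
    return 0;
}

/* Builds a constructed header with the given field values and parses it.
 * Returns the entry count on success, -1 when the header is rejected. */
int check_map_size(uint32_t map_size, uint32_t tbl_bytes)
{
    uint8_t hdr[MST_BUF_SIZE] = {0};    /* constructed sample header */
    master_hdr_t m;
    put_be32(&hdr[20], map_size);
    put_be32(&hdr[28], tbl_bytes);
    return parse_master_checked(hdr, &m) == 0 ? (int)m.seq_table_size : -1;
}
```

With a map size of 0x04 and a 48-byte table the checked parser accepts the header and reports 4 entries; with 0xff, the value used in the walkthrough below, it is rejected instead of reaching the overflowing read.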
Download a TiVo-format video
Following the code, I use Notepad++ to find the location of the value 0xf5467abd.
Certainly the next step is to edit the value at an offset of 0x14 from 0xf5467abd and make it larger than 0x18. (Here I set it to 0xff.)
Play it and you will find the exception at offset 0x20030000.
Then I find where 0x23003000 (little-endian) is and make it a value I want (this is what we want to do), 0x81818181 for example.
Finally, because of legal concerns, the author didn't tell how to use the bug. So I can't try it or provide it here. Up to now, I have no idea how to make it work, and the next step is to learn something about "jmp reg".