Well i was trying to find something in .ra format. I found something interesting(I think) I had an old .Ra and tryed to change some information of the file(via an hexadecimal editor): All my .ra files begin always with the following code: .ra......ra4.........r.........>................+........ If i change ONE byte at the beginning RealAudio crashes like the following example: .ra......Aa4.........r.........>................+........
In this case I just overwrited the second 'r' for 'A' and RealPlayer crashed. I could not see if i overwrite with more A´s be possible to write into stack cause I´m with no good debugger here and I don´t understant windows debug report. It was tested only with RealPlayer 10.5. *** If possible some one try to write into stack will be great. *** I´m making files avaliable at www.debarry2.com.br/carlos/rapoc.zip as an proof of concept for this. You could also get the rapoc.zip at www.debarry2.com.br/carlos by a link I put at first page(top); If its possible to write into stack all of u comrades know that we can execute arbitrary code into affected systems. Sorry for my bad Brazilian-english. Carlos A. Ulver. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html