Greetings,

There is a DoS condition in Windows Media Player when the K-Lite codec pack is installed.

# Exploit Title: Windows Media Player with K-Lite codec pack DoS PoC
# Date: 14/06/2011
# Author: Nicolas Krassas , www.twitter.com/dinosn
# Version: Windows Media Player 12
# Tested on: Windows 7

The 3GP handling in the MP4Splitter.ax filter of the K-Lite codec pack causes an access violation when a specially crafted movie file is opened in the media player. The same crash also occurs when the file is added to a playlist and the media player tries to generate a thumbnail image of its contents.

File at: http://www.deventum.com/research/Crash_WMplayer.3gp
Mirror: http://www.exploit-db.com/sploits/Crash_WMplayer.3gp
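As an added illustration, not code from MP4Splitter, the K-Lite project or the original post: the advisory does not say which field of the crafted .3gp file is malformed, so the example below is a generic bounds-checked walker for the ISO base media box structure that 3GP and MP4 share, written in C with constructed sample inputs. It shows the three checks a splitter needs before trusting a size field read from the file: the box header must fit in the remaining bytes, the size must not be smaller than the header itself, and the size must not run past the end of the input. The function and status names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal ISO base media file format (MP4/3GP) top-level box walker with
 * explicit bounds checks. Illustrative code only: it is not taken from
 * MP4Splitter.ax or the K-Lite codec pack. */

enum walk_status {
    WALK_OK = 0,
    WALK_TRUNCATED = -1,   /* header does not fit in the remaining bytes */
    WALK_BAD_SIZE = -2,    /* size field smaller than the box header     */
    WALK_OVERRUN = -3      /* size field claims bytes beyond the input   */
};

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the boxes in buf[0..len). Returns WALK_OK and the number of boxes in
 * *count, or an error code with *count holding the boxes accepted so far. */
int walk_boxes(const uint8_t *buf, size_t len, size_t *count) {
    size_t off = 0;
    *count = 0;
    while (off < len) {
        if (len - off < 8)                      /* 4-byte size + 4-byte type */
            return WALK_TRUNCATED;
        uint64_t size = rd_be32(buf + off);
        char type[5];
        memcpy(type, buf + off + 4, 4);
        type[4] = '\0';
        size_t hdr = 8;
        if (size == 1) {                        /* 64-bit "largesize" follows */
            if (len - off < 16)
                return WALK_TRUNCATED;
            size = ((uint64_t)rd_be32(buf + off + 8) << 32) | rd_be32(buf + off + 12);
            hdr = 16;
        } else if (size == 0) {                 /* box extends to end of file */
            size = len - off;
        }
        if (size < hdr)                         /* would loop or step backwards */
            return WALK_BAD_SIZE;
        if (size > len - off)                   /* would read past the buffer */
            return WALK_OVERRUN;
        printf("box '%s' size %llu at offset %zu\n",
               type, (unsigned long long)size, off);
        off += (size_t)size;
        (*count)++;
    }
    return WALK_OK;
}

/* Constructed sample inputs; none of these is the PoC file from the post. */
static const uint8_t good_file[] = {
    0x00,0x00,0x00,0x10, 'f','t','y','p', '3','g','p','4', 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x08, 'f','r','e','e'
};
static const uint8_t oversized_file[] = {          /* second box claims 2 GiB */
    0x00,0x00,0x00,0x10, 'f','t','y','p', '3','g','p','4', 0x00,0x00,0x00,0x00,
    0x7f,0xff,0xff,0xff, 'm','o','o','v', 0x00,0x00,0x00,0x00
};
static const uint8_t undersized_file[] = {         /* size 4 < 8-byte header */
    0x00,0x00,0x00,0x04, 'm','d','a','t'
};

int check_good(void) {
    size_t n;
    return walk_boxes(good_file, sizeof good_file, &n) == WALK_OK && n == 2;
}
int check_oversized(void) {
    size_t n;
    return walk_boxes(oversized_file, sizeof oversized_file, &n) == WALK_OVERRUN && n == 1;
}
int check_undersized(void) {
    size_t n;
    return walk_boxes(undersized_file, sizeof undersized_file, &n) == WALK_BAD_SIZE && n == 0;
}

int main(void) {
    printf("good=%d oversized=%d undersized=%d\n",
           check_good(), check_oversized(), check_undersized());
    return 0;
}
```

The walker stops at the first inconsistent box and reports which check failed, which is the behaviour a fuzzing harness or a hardened demuxer wants: a rejected file rather than a pointer computed from an untrusted size.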
Debug info,
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*c:\Symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00340000 0036c000   C:\Program Files\Windows Media Player\wmplayer.exe
ModLoad: 773e0000 7751c000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 76390000 76464000   C:\Windows\system32\kernel32.dll
ModLoad: 75810000 7585a000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 764c0000 76560000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 76230000 762dc000   C:\Windows\system32\msvcrt.dll
ModLoad: 77530000 77549000   C:\Windows\SYSTEM32\sechost.dll
ModLoad: 762e0000 76381000   C:\Windows\system32\RPCRT4.dll
ModLoad: 76560000 76629000   C:\Windows\system32\USER32.dll
ModLoad: 761e0000 7622e000   C:\Windows\system32\GDI32.dll
ModLoad: 75af0000 75afa000   C:\Windows\system32\LPK.dll
ModLoad: 75bf0000 75c8d000   C:\Windows\system32\USP10.dll
ModLoad: 775d0000 77605000   C:\Windows\system32\WS2_32.dll
ModLoad: 77520000 77526000   C:\Windows\system32\NSI.dll
ModLoad: 75db0000 75dcf000   C:\Windows\system32\IMM32.DLL
ModLoad: 75880000 7594c000   C:\Windows\system32\MSCTF.dll
ModLoad: 742a0000 742e0000   C:\Windows\system32\uxtheme.dll
ModLoad: 76790000 773da000   C:\Windows\system32\SHELL32.dll
ModLoad: 75b00000 75b57000   C:\Windows\system32\SHLWAPI.dll
ModLoad: 61cc0000 627b4000   C:\Windows\system32\wmp.dll
ModLoad: 74000000 74190000   C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
ModLoad: 76630000 7678c000   C:\Windows\system32\ole32.dll
ModLoad: 75b60000 75bef000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 73f10000 73f23000   C:\Windows\system32\dwmapi.dll
ModLoad: 60f70000 61b7c000   C:\Windows\system32\wmploc.dll
ModLoad: 754b0000 754bc000   C:\Windows\system32\CRYPTBASE.dll
ModLoad: 74420000 745be000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
ModLoad: 76140000 761c3000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 68320000 683d2000   C:\Windows\System32\jscript.dll
ModLoad: 74a30000 74a39000   C:\Windows\System32\VERSION.dll
ModLoad: 74fe0000 74ff6000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 74ce0000 74d1b000   C:\Windows\system32\rsaenh.dll
ModLoad: 75510000 7551e000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 75520000 7557f000   C:\Windows\system32\SXS.DLL
ModLoad: 73d30000 73e2b000   C:\Windows\system32\WindowsCodecs.dll
ModLoad: 73890000 73895000   C:\Windows\system32\MSIMG32.dll
ModLoad: 75580000 7558b000   C:\Windows\system32\profapi.dll
ModLoad: 75950000 75aed000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 75600000 75627000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 75860000 75872000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 742e0000 743d5000   C:\Windows\system32\propsys.dll
ModLoad: 74a00000 74a21000   C:\Windows\system32\ntmarta.dll
ModLoad: 76470000 764b5000   C:\Windows\system32\WLDAP32.dll
ModLoad: 73e60000 73e99000   C:\Windows\System32\MMDevApi.dll
ModLoad: 63320000 63379000   C:\Windows\system32\MFPlat.DLL
ModLoad: 73c70000 73c77000   C:\Windows\system32\AVRT.dll
ModLoad: 64e60000 64e96000   C:\Windows\system32\AUDIOSES.DLL
ModLoad: 6fd30000 6fd8a000   C:\Windows\System32\netprofm.dll
ModLoad: 73880000 73890000   C:\Windows\System32\nlaapi.dll
ModLoad: 6f460000 6f468000   C:\Windows\System32\npmproxy.dll
ModLoad: 70b90000 70bd4000   C:\Windows\system32\upnphost.dll
ModLoad: 70930000 7093d000   C:\Windows\system32\SSDPAPI.dll
ModLoad: 72670000 726a2000   C:\Windows\system32\WINMM.dll
ModLoad: 74b40000 74b4d000   C:\Windows\system32\WTSAPI32.dll
ModLoad: 751a0000 751c9000   C:\Windows\system32\WINSTA.dll
ModLoad: 75c90000 75daa000   C:\Windows\system32\WININET.dll
ModLoad: 76100000 76103000   C:\Windows\system32\Normaliz.dll
ModLoad: 75e30000 75fe6000   C:\Windows\system32\iertutil.dll
ModLoad: 75ff0000 76100000   C:\Windows\system32\urlmon.dll
ModLoad: 75470000 75478000   C:\Windows\system32\Secur32.dll
ModLoad: 75490000 754ab000   C:\Windows\system32\SSPICLI.DLL
ModLoad: 73610000 7361a000   C:\Windows\system32\slc.dll
ModLoad: 64030000 64094000   C:\Windows\system32\imapi2.dll
ModLoad: 74b50000 74b5b000   C:\Windows\system32\pcwum.DLL
ModLoad: 75630000 7565d000   C:\Windows\system32\WINTRUST.dll
ModLoad: 756f0000 7580d000   C:\Windows\system32\CRYPT32.dll
ModLoad: 755f0000 755fc000   C:\Windows\system32\MSASN1.dll
ModLoad: 6a4c0000 6a50c000   C:\Windows\System32\mswmdm.dll
ModLoad: 74e40000 74e84000   C:\Windows\system32\dnsapi.DLL
ModLoad: 72e40000 72e5c000   C:\Windows\system32\iphlpapi.DLL
ModLoad: 72e30000 72e37000   C:\Windows\system32\WINNSI.DLL
ModLoad: 70700000 70727000   C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL
ModLoad: 761d0000 761d5000   C:\Windows\system32\PSAPI.DLL
ModLoad: 74fa0000 74fdc000   C:\Windows\System32\mswsock.dll
ModLoad: 706d0000 706f5000   C:\Program Files\Bonjour\mdnsNSP.dll
ModLoad: 65fc0000 65ff6000   C:\Windows\system32\upnp.dll
ModLoad: 71450000 714a8000   C:\Windows\system32\WINHTTP.dll
ModLoad: 71400000 7144f000   C:\Windows\system32\webio.dll
ModLoad: 72960000 72966000   C:\Windows\System32\wshqos.dll
ModLoad: 74ac0000 74ac5000   C:\Windows\system32\wshtcpip.DLL
ModLoad: 75000000 75006000   C:\Windows\system32\wship6.dll
ModLoad: 72c30000 72c42000   C:\Windows\system32\dhcpcsvc.DLL
ModLoad: 6b000000 6b036000   C:\Windows\System32\cewmdm.dll
ModLoad: 74f20000 74f28000   C:\Windows\system32\credssp.dll
ModLoad: 6fa90000 6fbc3000   C:\Windows\System32\msxml3.dll
ModLoad: 67cb0000 67d26000   C:\Program Files\Windows Media Player\wmpnssci.dll
ModLoad: 72cb0000 72cbd000   C:\Windows\system32\dhcpcsvc6.DLL
ModLoad: 70f10000 70f1c000   C:\Windows\System32\wmdmps.dll
ModLoad: 74a40000 74ab6000   C:\Windows\system32\FirewallAPI.dll
ModLoad: 6c340000 6c4af000   C:\Windows\system32\explorerframe.dll
ModLoad: 73ee0000 73f0f000   C:\Windows\system32\DUser.dll
ModLoad: 73f40000 73ff2000   C:\Windows\system32\DUI70.dll
ModLoad: 641a0000 641c7000   C:\Windows\System32\wmpps.dll
ModLoad: 73910000 73962000   C:\Windows\system32\RASAPI32.dll
ModLoad: 738f0000 73905000   C:\Windows\system32\rasman.dll
ModLoad: 738e0000 738ed000   C:\Windows\system32\rtutils.dll
ModLoad: 703b0000 703b6000   C:\Windows\system32\sensapi.dll
ModLoad: 73670000 73695000   C:\Windows\system32\peerdist.dll
ModLoad: 74ba0000 74bb7000   C:\Windows\system32\USERENV.dll
ModLoad: 75180000 7519b000   C:\Windows\system32\AUTHZ.dll
ModLoad: 70370000 70376000   C:\Windows\system32\rasadhlp.dll
ModLoad: 72cc0000 72cf8000   C:\Windows\System32\fwpuclnt.dll
ModLoad: 731d0000 731dd000   C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
ModLoad: 711e0000 71283000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.5570_none_509463cabcb6ef2a\MSVCR90.dll
ModLoad: 73e30000 73e5f000   C:\Windows\system32\XmlLite.dll
ModLoad: 6f310000 6f319000   C:\Windows\system32\LINKINFO.dll
(2730.1a14): Break instruction exception - code 80000003 (first chance)
eax=7ff9e000 ebx=00000000 ecx=00000000 edx=7747f125 esi=00000000 edi=00000000
eip=774140f0 esp=01a9feb4 ebp=01a9fee0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
774140f0 cc              int     3
0:029> g
ModLoad: 754c0000 7550c000   C:\Windows\system32\apphelp.dll
ModLoad: 10000000 10017000   C:\Users\Dinos\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
ModLoad: 733d0000 734bb000   C:\Windows\system32\dbghelp.dll
ModLoad: 7c3a0000 7c41b000   C:\Users\Dinos\AppData\Roaming\Dropbox\bin\MSVCP71.dll
ModLoad: 7c340000 7c396000   C:\Users\Dinos\AppData\Roaming\Dropbox\bin\MSVCR71.dll
ModLoad: 6e660000 6e691000   C:\Windows\system32\EhStorShell.dll
ModLoad: 6bb20000 6bf2b000   GrooveEX.DLL
ModLoad: 6bb20000 6bf2b000   C:\PROGRA~1\MIF5BA~1\Office14\GROOVEEX.DLL
ModLoad: 71140000 711ce000   C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.5570_none_509463cabcb6ef2a\MSVCP90.dll
ModLoad: 6e630000 6e65b000   C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.5570_none_51ce1f16bbe3e56e\ATL90.DLL
ModLoad: 6bf30000 6c33f000   C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
ModLoad: 6b2b0000 6bb14000   C:\PROGRA~1\MIF5BA~1\Office14\1033\GrooveIntlResource.dll
ModLoad: 64720000 6478a000   C:\Windows\System32\cscui.dll
ModLoad: 737d0000 737d9000   C:\Windows\System32\CSCDLL.dll
ModLoad: 70940000 7094b000   C:\Windows\system32\CSCAPI.dll
ModLoad: 64680000 646f0000   C:\Windows\system32\ntshrui.dll
ModLoad: 75400000 75419000   C:\Windows\system32\srvcli.dll
ModLoad: 6f720000 6f7c0000   C:\Windows\system32\SearchFolder.dll
ModLoad: 73010000 73026000   C:\Windows\system32\thumbcache.dll
ModLoad: 6de20000 6e132000   C:\Windows\system32\MF.dll
ModLoad: 73620000 73634000   C:\Windows\system32\ATL.DLL
ModLoad: 64e20000 64e24000   C:\Windows\system32\ksuser.dll
ModLoad: 67510000 67569000   C:\Windows\System32\wmpeffects.dll
ModLoad: 682f0000 682fb000   C:\Windows\System32\msdmo.dll
ModLoad: 66f70000 66fea000   C:\Windows\System32\evr.dll
ModLoad: 73c80000 73ca5000   C:\Windows\System32\POWRPROF.dll
ModLoad: 70f20000 70f38000   C:\Windows\system32\DXVA2.DLL
ModLoad: 628f0000 62ab3000   C:\Windows\system32\D3D9.DLL
ModLoad: 730f0000 730f6000   C:\Windows\system32\d3d8thk.dll
ModLoad: 58eb0000 5985a000   C:\Windows\system32\nvd3dum.dll
(2730.1d98): C++ EH exception - code e06d7363 (first chance)
ModLoad: 684a0000 684ec000   C:\Windows\System32\mfds.dll
ModLoad: 65e10000 65f87000   C:\Windows\system32\quartz.dll
ModLoad: 65320000 65334000   C:\Windows\system32\devenum.dll
ModLoad: 088e0000 089db000   C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll
ModLoad: 77550000 775cb000   C:\Windows\system32\COMDLG32.dll
ModLoad: 70570000 705c1000   C:\Windows\system32\WINSPOOL.DRV
ModLoad: 67360000 673cc000   C:\Program Files\K-Lite Codec Pack\Filters\FLVSplitter.ax
ModLoad: 66d80000 66e2e000   C:\Program Files\K-Lite Codec Pack\Filters\MP4Splitter.ax
(2730.1d98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=66d8bed0 ebx=00000000 ecx=00000000 edx=0691ef40 esi=08e9fe28 edi=08e9fe50
eip=66d8bef1 esp=0691ee78 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\K-Lite Codec Pack\Filters\MP4Splitter.ax -
MP4Splitter!DllRegisterServer+0x5a41:
66d8bef1 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000000=????????
0:031> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:66d8bef1 mov eax,dword ptr [ecx]

Basic Block:
    66d8bef1 mov eax,dword ptr [ecx]
       Tainted Input Operands: ecx
    66d8bef3 mov eax,dword ptr [eax+30h]
       Tainted Input Operands: eax
    66d8bef6 push ebx
    66d8bef7 mov ebx,dword ptr [esp+38h]
    66d8befb lea edx,[esp+1ch]
    66d8beff push edx
    66d8bf00 lea edx,[esp+10h]
    66d8bf04 push edx
    66d8bf05 lea edx,[esp+40h]
    66d8bf09 push edx
    66d8bf0a inc ebx
    66d8bf0b push ebx
    66d8bf0c call eax
       Tainted Input Operands: eax, ecx

Exception Hash (Major/Minor): 0x312e650b.0x312e1f0b

Stack Trace:
MP4Splitter!DllRegisterServer+0x5a41
Instruction Address: 0x0000000066d8bef1

Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at MP4Splitter!DllRegisterServer+0x0000000000005a41 (Hash=0x312e650b.0x312e1f0b)
The data from the faulting address is later used as the target for a branch.
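Added example, not MP4Splitter source: a C rendering of the dispatch shape the basic block above shows, where a pointer (ecx, here NULL) is dereferenced to reach a table, an entry at +0x30 is fetched from that table, and the entry is called. The struct layout, slot index and every function name are assumptions; on 32-bit x86 with 4-byte pointers, +0x30 is slot 12, which the example mirrors. It places the unchecked form beside a checked form that reports a missing object or an empty slot to the caller instead of faulting, which is why !exploitable classes the crash as it does: the value that reaches the call comes from memory the faulting pointer selects.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative code only; layout and names are assumed, not taken from the
 * MP4Splitter.ax binary. */

#define SLOT_COUNT  16
#define TARGET_SLOT 12          /* 0x30 / sizeof(void *) on 32-bit x86 */

typedef int (*method_fn)(void *self, int arg);

struct vtable { method_fn slot[SLOT_COUNT]; };
struct object { const struct vtable *vt; int state; };

/* Unchecked shape, matching the disassembly: mov eax,[ecx] reads the table
 * pointer from the object, mov eax,[eax+30h] reads slot 12, call eax jumps
 * to it. With self == NULL the first load is the reported read AV at
 * address 0; the call target is whatever the selected memory holds, which
 * is what "data from faulting address controls code flow" means.
 * Not invoked by the checks below. */
int dispatch_unchecked(struct object *self, int arg) {
    return self->vt->slot[TARGET_SLOT](self, arg);
}

/* Checked shape: validate the object, its table and the slot before the
 * indirect call, and surface a failure code instead of faulting. */
int dispatch_checked(struct object *self, int arg, int *out) {
    if (self == NULL || self->vt == NULL)
        return -1;                          /* no object to dispatch on */
    method_fn fn = self->vt->slot[TARGET_SLOT];
    if (fn == NULL)
        return -2;                          /* slot was never filled in */
    *out = fn(self, arg);
    return 0;
}

/* A method to sit in slot 12 for the demonstration. */
static int add_state(void *self, int arg) {
    struct object *o = self;
    return o->state + arg;
}

static const struct vtable demo_vt = { .slot = { [TARGET_SLOT] = add_state } };

int demo_valid(void) {                      /* well-formed object: returns 42 */
    struct object o = { &demo_vt, 40 };
    int r = 0;
    return dispatch_checked(&o, 2, &r) == 0 ? r : -999;
}

int demo_null_object(void) {                /* the crash case, handled: -1 */
    int r = 0;
    return dispatch_checked(NULL, 2, &r);
}

int demo_empty_slot(void) {                 /* table present, slot empty: -2 */
    static const struct vtable empty_vt = { { NULL } };
    struct object o = { &empty_vt, 0 };
    int r = 0;
    return dispatch_checked(&o, 2, &r);
}

int main(void) {
    printf("valid=%d null=%d empty=%d\n",
           demo_valid(), demo_null_object(), demo_empty_slot());
    return 0;
}
```

The defender's takeaway is the same one the !exploitable verdict encodes: a NULL read on its own is a crash, but a read whose result feeds an indirect call needs the object and the slot validated before the call, not after, and the failure reported to the caller so the demuxer rejects the file.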