GOM Media Player 2.1.37 Buffer Overflow

2012-03-12T00:00:00
ID PACKETSTORM:110699
Type packetstorm
Reporter longrifle0x
Modified 2012-03-12T00:00:00

Description

Introduction:
=============
GOM Player (Gretech Online Movie Player) is a 32/64-bit media player for
Microsoft Windows, distributed by the Gretech Corporation of South Korea.
It is the primary client player for South Korean GOM-TV, and is more
popular in South Korea than any other media player. Key strengths inherited
from libavcodec include a wide-ranging ability to play media files, including
.flv, without needing to obtain an external codec, and the ability to play
some broken media files. Both of those features are present in other
projects using libavcodec, like VLC and MPlayer, but are absent from some
other media software, including Windows Media Player.
Abstract:  
=========  
The Vulnerability Laboratory Research Team discovered a Buffer Overflow
Vulnerability in GOM Media Player v. 2.1.37.
Exploitation-Technique:  
=======================  
Local  
Severity:  
=========  
High  
Vulnerable Module(s):  
[+] GomU+0x125cb7  
Proof of Concept:
=================
The vulnerability can be exploited by local & remote attackers.
1) Download & open the software client
2) Click Open ==> URL...
3) Enter the vulnerability code
4) Now you will see the result (debugger output below)
Executable search path is:  
ModLoad: 00400000 007a9000 GomU.exe  
ModLoad: 77790000 778cc000 ntdll.dll  
ModLoad: 76730000 76804000 C:\Windows\system32\kernel32.dll  
ModLoad: 75380000 753ca000 C:\Windows\system32\KERNELBASE.dll  
ModLoad: 70cf0000 70d22000 C:\Windows\system32\WINMM.dll  
ModLoad: 76aa0000 76b4c000 C:\Windows\system32\msvcrt.dll  
ModLoad: 765e0000 766a9000 C:\Windows\system32\USER32.dll  
ModLoad: 760f0000 7613e000 C:\Windows\system32\GDI32.dll  
ModLoad: 76590000 7659a000 C:\Windows\system32\LPK.dll  
ModLoad: 76810000 768ad000 C:\Windows\system32\USP10.dll  
ModLoad: 766b0000 7672b000 C:\Windows\system32\comdlg32.dll  
ModLoad: 761a0000 761f7000 C:\Windows\system32\SHLWAPI.dll  
ModLoad: 74070000 7420e000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
ModLoad: 754a0000 760ea000 C:\Windows\system32\SHELL32.dll  
ModLoad: 71380000 713d1000 C:\Windows\system32\WINSPOOL.DRV  
ModLoad: 76250000 762f0000 C:\Windows\system32\ADVAPI32.dll  
ModLoad: 768b0000 768c9000 C:\Windows\SYSTEM32\sechost.dll  
ModLoad: 76b70000 76c11000 C:\Windows\system32\RPCRT4.dll  
ModLoad: 6d8e0000 6d8fc000 C:\Windows\system32\oledlg.dll  
ModLoad: 762f0000 7644c000 C:\Windows\system32\ole32.dll  
ModLoad: 72dc0000 72dd9000 C:\Windows\system32\OLEPRO32.DLL  
ModLoad: 76c20000 76caf000 C:\Windows\system32\OLEAUT32.dll  
ModLoad: 768d0000 76a6d000 C:\Windows\system32\SETUPAPI.dll  
ModLoad: 752a0000 752c7000 C:\Windows\system32\CFGMGR32.dll  
ModLoad: 75360000 75372000 C:\Windows\system32\DEVOBJ.dll  
ModLoad: 74600000 74609000 C:\Windows\system32\VERSION.dll  
ModLoad: 76f80000 77075000 C:\Windows\system32\WININET.dll  
ModLoad: 76450000 76587000 C:\Windows\system32\urlmon.dll  
ModLoad: 75180000 7529d000 C:\Windows\system32\CRYPT32.dll  
ModLoad: 75170000 7517c000 C:\Windows\system32\MSASN1.dll  
ModLoad: 76d80000 76f7e000 C:\Windows\system32\iertutil.dll  
ModLoad: 765a0000 765d5000 C:\Windows\system32\WS2_32.dll  
ModLoad: 778d0000 778d6000 C:\Windows\system32\NSI.dll  
ModLoad: 76b50000 76b6f000 C:\Windows\system32\IMM32.dll  
ModLoad: 76cb0000 76d7c000 C:\Windows\system32\MSCTF.dll  
ModLoad: 71fa0000 71fbc000 C:\Windows\system32\iphlpapi.dll  
ModLoad: 71f90000 71f97000 C:\Windows\system32\WINNSI.DLL  
(668.151c): Break instruction exception - code 80000003 (first chance)  
eax=00000000 ebx=00000000 ecx=0012fb08 edx=777d7094 esi=fffffffe edi=00000000
eip=7783054e esp=0012fb24 ebp=0012fb50 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!LdrVerifyImageMatchesChecksum+0x633:  
7783054e cc int 3  
0:000> g  
ModLoad: 73ef0000 73f30000 C:\Windows\system32\uxtheme.dll  
ModLoad: 75080000 7508c000 C:\Windows\system32\CRYPTBASE.dll  
ModLoad: 10000000 100d3000 C:\Program Files\GRETECH\GomPlayer\lang\GomENG.dll
ModLoad: 75010000 7502b000 C:\Windows\system32\SspiCli.dll  
ModLoad: 75100000 7510b000 C:\Windows\system32\profapi.dll  
ModLoad: 74a30000 74a74000 C:\Windows\system32\dnsapi.DLL  
ModLoad: 73780000 737d2000 C:\Windows\system32\RASAPI32.dll  
ModLoad: 73760000 73775000 C:\Windows\system32\rasman.dll  
ModLoad: 73750000 7375d000 C:\Windows\system32\rtutils.dll  
ModLoad: 6f050000 6f056000 C:\Windows\system32\sensapi.dll  
ModLoad: 75400000 75483000 C:\Windows\system32\CLBCatQ.DLL  
ModLoad: 74bb0000 74bc6000 C:\Windows\system32\CRYPTSP.dll  
ModLoad: 74950000 7498b000 C:\Windows\system32\rsaenh.dll  
ModLoad: 750f0000 750fe000 C:\Windows\system32\RpcRtRemote.dll  
ModLoad: 01fb0000 0201a000 C:\Program Files\GRETECH\GomPlayer\GomTVStrm.dll
ModLoad: 73b30000 73b69000 C:\Windows\system32\MMDevAPI.DLL  
ModLoad: 73f30000 74025000 C:\Windows\system32\PROPSYS.dll  
ModLoad: 6f020000 6f050000 C:\Windows\system32\wdmaud.drv  
ModLoad: 6f010000 6f014000 C:\Windows\system32\ksuser.dll  
ModLoad: 739d0000 739d7000 C:\Windows\system32\AVRT.dll  
ModLoad: 6f320000 6f356000 C:\Windows\system32\AUDIOSES.DLL  
ModLoad: 6d9b0000 6d9b8000 C:\Windows\system32\msacm32.drv  
ModLoad: 6d990000 6d9a4000 C:\Windows\system32\MSACM32.dll  
ModLoad: 6d980000 6d987000 C:\Windows\system32\midimap.dll  
ModLoad: 64630000 64c5f000 C:\Windows\system32\Macromed\Flash\Flash10v.ocx  
ModLoad: 72c20000 72c92000 C:\Windows\system32\DSOUND.dll  
ModLoad: 73b70000 73b95000 C:\Windows\system32\POWRPROF.dll  
ModLoad: 72040000 720b9000 C:\Windows\system32\mscms.dll  
ModLoad: 74760000 74777000 C:\Windows\system32\USERENV.dll  
ModLoad: 6e1a0000 6ec20000 C:\Windows\system32\ieframe.dll  
ModLoad: 778e0000 778e5000 C:\Windows\system32\PSAPI.DLL  
ModLoad: 73710000 7374c000 C:\Windows\system32\OLEACC.dll  
ModLoad: 6e1a0000 6ec20000 C:\Windows\system32\ieframe.dll  
ModLoad: 778e0000 778e5000 C:\Windows\system32\PSAPI.DLL  
ModLoad: 73710000 7374c000 C:\Windows\system32\OLEACC.dll  
ModLoad: 73b10000 73b23000 C:\Windows\system32\dwmapi.dll  
ModLoad: 73640000 73661000 C:\Windows\system32\ntmarta.dll  
ModLoad: 76200000 76245000 C:\Windows\system32\WLDAP32.dll  
ModLoad: 74ff0000 74ff8000 C:\Windows\system32\Secur32.dll  
ModLoad: 74880000 74888000 C:\Windows\system32\credssp.dll  
ModLoad: 749c0000 749fa000 C:\Windows\system32\schannel.DLL  
ModLoad: 734d0000 734e0000 C:\Windows\system32\NLAapi.dll  
ModLoad: 739c0000 739d0000 C:\Windows\system32\napinsp.dll  
ModLoad: 73990000 739a2000 C:\Windows\system32\pnrpnsp.dll  
ModLoad: 738f0000 738fd000 C:\Windows\system32\wshbth.dll  
ModLoad: 74b70000 74bac000 C:\Windows\System32\mswsock.dll  
ModLoad: 738e0000 738e8000 C:\Windows\System32\winrnr.dll  
ModLoad: 718d0000 71908000 C:\Windows\System32\fwpuclnt.dll  
ModLoad: 714b0000 714b6000 C:\Windows\system32\rasadhlp.dll  
ModLoad: 75490000 75493000 C:\Windows\system32\Normaliz.dll  
ModLoad: 75030000 7507c000 C:\Windows\system32\apphelp.dll  
ModLoad: 74690000 74695000 C:\Windows\System32\wshtcpip.dll  
ModLoad: 74b60000 74b66000 C:\Windows\System32\wship6.dll  
ModLoad: 6b140000 6b16e000 C:\Windows\system32\MLANG.dll  
ModLoad: 72390000 7294c000 C:\Windows\System32\mshtml.dll  
ModLoad: 70fe0000 7100a000 C:\Windows\System32\msls31.dll  
ModLoad: 72ec0000 72ecb000 C:\Windows\system32\ImgUtil.dll  
ModLoad: 6b9d0000 6ba82000 C:\Windows\system32\jscript.dll  
ModLoad: 72d70000 72d7e000 C:\Windows\System32\pngfilt.dll  
ModLoad: 72f80000 72f8b000 C:\Windows\system32\msimtf.dll  
ModLoad: 73670000 73675000 C:\Windows\system32\msimg32.dll  
ModLoad: 69340000 694b7000 C:\Windows\system32\quartz.dll  
ModLoad: 04700000 0472f000 C:\Program Files\GRETECH\GomPlayer\GRFU.ax  
ModLoad: 6a450000 6a613000 C:\Windows\system32\d3d9.dll  
ModLoad: 71360000 71366000 C:\Windows\system32\d3d8thk.dll  
ModLoad: 68dc0000 68ea7000 C:\Windows\system32\DDRAW.dll  
ModLoad: 712f0000 712f6000 C:\Windows\system32\DCIMAN32.dll  
ModLoad: 04c80000 04d11000 C:\Windows\system32\igdumdx32.dll  
ModLoad: 07e40000 08311000 C:\Windows\system32\igdumd32.dll  
ModLoad: 04c80000 04d11000 C:\Windows\system32\igdumdx32.dll  
ModLoad: 07e40000 08311000 C:\Windows\system32\igdumd32.dll  
ModLoad: 6c770000 6c788000 C:\Windows\system32\DXVA2.DLL  
ModLoad: 685c0000 68678000 C:\Program Files\GRETECH\GomPlayer\GVF.ax  
ModLoad: 0a340000 0a4ac000 C:\Program Files\GRETECH\GomPlayer\GAF.ax  
ModLoad: 04c80000 04d11000 C:\Windows\system32\igdumdx32.dll  
ModLoad: 07e40000 08311000 C:\Windows\system32\igdumd32.dll  
ModLoad: 04c80000 04d11000 C:\Windows\system32\igdumdx32.dll  
ModLoad: 07e40000 08311000 C:\Windows\system32\igdumd32.dll  
ModLoad: 6c770000 6c788000 C:\Windows\system32\DXVA2.DLL  
(668.151c): Stack overflow - code c00000fd (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=0075747c ebx=0085447a ecx=00032608 edx=0656002e esi=0012f650 edi=0656002c
eip=00525cb7 esp=0012f600 ebp=0012f618 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
*** ERROR: Module load completed but symbols could not be loaded for GomU.exe
GomU+0x125cb7:  
00525cb7 8501 test dword ptr [ecx],eax ds:0023:00032608=00000000
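For triaging a crash log of this kind, the following is an added Python example (not the reporter's or Vulnerability Lab's code) that parses WinDbg output like the session above: it stitches wrapped ModLoad lines back together, skips the debugger's own initial int 3 break, names the NTSTATUS code (c00000fd is STATUS_STACK_OVERFLOW) and resolves the faulting EIP to module+offset, which for this dump gives the same GomU+0x125cb7 the advisory lists under Vulnerable Module(s). The embedded SAMPLE_LOG is a constructed excerpt that reuses the advisory's addresses and leaves out most of the ModLoad lines.

```python
"""Triage a WinDbg first-chance exception log such as the session above.

Added example for this advisory, not the reporter's or Vulnerability Lab's
code. Parses ModLoad lines, exception lines, register dumps and the faulting
instruction, resolves EIP to module+offset and names the NTSTATUS code.
SAMPLE_LOG is a constructed excerpt reusing the advisory's addresses.
"""
import re

EXCEPTION_NAMES = {  # public NTSTATUS values as WinDbg prints them (subset)
    0x80000003: "STATUS_BREAKPOINT",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
}
MODLOAD_RE = re.compile(r"^ModLoad:\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s*(.*?)\s*$", re.I)
EXC_RE = re.compile(r"^\(\w+\.\w+\):\s+(.+?)\s+-\s+code\s+([0-9a-f]{8})", re.I)
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|eip|esp|ebp)=([0-9a-f]{8})", re.I)
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\S+)\s*(.*?)\s*$", re.I)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_log(text):
    """Return (modules, events): modules as (start, end, basename) in load
    order, events as one dict per exception line with its code, the registers
    printed after it and the first disassembled instruction that follows.
    A ModLoad line whose path wrapped onto the next line is stitched back."""
    modules, events, pending = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if pending:  # this line is the path of the previous ModLoad line
            modules.append(pending + (_basename(line),))
            pending = None
            continue
        m = MODLOAD_RE.match(line)
        if m:
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            if m.group(3):
                modules.append((start, end, _basename(m.group(3))))
            else:
                pending = (start, end)
            continue
        m = EXC_RE.match(line)
        if m:
            events.append({"text": m.group(1), "code": int(m.group(2), 16),
                           "regs": {}, "insn": None})
            continue
        if not events:
            continue
        ev = events[-1]
        for reg, val in REG_RE.findall(line):
            ev["regs"][reg.lower()] = int(val, 16)
        m = INSN_RE.match(line)
        if m and ev["insn"] is None:
            # drop WinDbg's trailing memory annotation ("ds:0023:...=...")
            operands = re.split(r"\s{2,}", m.group(3))[0]
            ev["insn"] = (int(m.group(1), 16), m.group(2), operands)
    return modules, events


def resolve(modules, addr):
    """Map addr to 'module+0xoffset' (extension dropped, as WinDbg prints it)
    using the latest load that covers the address."""
    for start, end, name in reversed(modules):
        if start <= addr < end:
            return "%s+0x%x" % (name.rsplit(".", 1)[0], addr - start)
    return None


def triage(text):
    """Summarise the first exception that is not the debugger's own initial
    STATUS_BREAKPOINT (the int 3 WinDbg stops at when it attaches)."""
    modules, events = parse_log(text)
    crashes = [e for e in events if e["code"] != 0x80000003]
    if not crashes:
        return None
    ev, eip = crashes[0], crashes[0]["regs"].get("eip")
    return {"code": "0x%08x" % ev["code"],
            "name": EXCEPTION_NAMES.get(ev["code"], "unknown NTSTATUS"),
            "eip": eip,
            "location": resolve(modules, eip) if eip is not None else None,
            "instruction": ev["insn"][1:] if ev["insn"] else None,
            "regs": ev["regs"]}


# Constructed excerpt modelled on the advisory's WinDbg session (not verbatim).
SAMPLE_LOG = r"""ModLoad: 00400000 007a9000 GomU.exe
ModLoad: 77790000 778cc000 ntdll.dll
ModLoad: 74070000 7420e000
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
(668.151c): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=0012fb08 edx=777d7094 esi=fffffffe edi=00000000
eip=7783054e esp=0012fb24 ebp=0012fb50 iopl=0         nv up ei pl zr na pe nc
ntdll!LdrVerifyImageMatchesChecksum+0x633:
7783054e cc              int     3
0:000> g
ModLoad: 10000000 100d3000 C:\Program Files\GRETECH\GomPlayer\lang\GomENG.dll
(668.151c): Stack overflow - code c00000fd (first chance)
eax=0075747c ebx=0085447a ecx=00032608 edx=0656002e esi=0012f650 edi=0656002c
eip=00525cb7 esp=0012f600 ebp=0012f618 iopl=0         nv up ei pl nz na po nc
GomU+0x125cb7:
00525cb7 8501            test    dword ptr [ecx],eax  ds:0023:00032608=00000000
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-12s %s" % (key, value))
```

The three line shapes the script keys on are the exception line (`(pid.tid): text - code xxxxxxxx`), the register dump that WinDbg prints right after it, and the first disassembled instruction line; everything else, including the symbol-loading errors, is ignored. Resolving EIP against the ModLoad table is what lets a triage pipeline tell a fault inside the application image apart from one inside a system DLL, and the exception name distinguishes a guard-page stack overflow like this one from an access violation before anyone opens a debugger.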
Risk:  
=====  
The security risk of the buffer overflow vulnerability is estimated as  
high(-).  
Credits:  
========  
Ucha Gobejishvili (longrifle0x)
Video Demonstration: http://www.youtube.com/watch?v=uN87KAm53Zg  