Jump to content
d3v1l

DoS in Microsoft Media Player 11 on Win XP SP2

By d3v1l, in Exploituri

Recommended Posts

d3v1l Newbie

d3v1l

Posted
Posted 

 .---------------.
/ Advisory \
-----------------------------------------------------------------.
:
Affected : Microsoft Media Player 11 on Win XP SP2 :
Type : DIVISION by ZERO :
Result : DoS :
Remote : YES :
Date : 2007-08-07 :
Author: : Adonis, Abed :
url : [url]http://www.safehack.com/exp/mp/mplayer11.txt[/url] :
-----------------------------------------------------------------.

------------.
Disclaimer \
--------------`--------------------------------------------------.
This material is presented for informational and educational :
purposes only. We do not accept any liability for anything anyone:
does with this information. So, don't shoot the messenger. :
:
Use a computer in a ways that ensure respect for your fellow. :
-----------------------------------------------------------------.

--------------.
Brief History \
----------------`------------------------------------------------.
A division by Zero lead to a denial of service on :
Microsoft Windows Media Player version 11 :
:
If you open a specially crafted .au file in windows Media player :
you will crash the player with the following error. :
:
Exception number: c0000094 (divide by zero) :
:
To see if you Windows Media Player is vulnerable you can use our :
.au generator coded in python, or you can download the POC file. :
:
:
Proof-of-Concept :
---------------- :
:
[url]http://www.safehack.com/exp/mp/iapetus.py[/url] (python .au generator) :
[url]http://www.safehack.com/exp/mp/iapetus.au[/url] (poc file) :
:
If you do not have python installed you can just use the poc file:
-----------------------------------------------------------------.

--------------.
DEBUG DUMP \
----------------`------------------------------------------------.

Application exception occurred:
App: C:\Program Files\Windows Media Player\wmplayer.exe (pid=4972)
When: 8/7/2007 - 19:50:13.051
Exception number: c0000094 (divide by zero)

*----> System Information <----*
Computer Name: --
User Name: --
Terminal Session Id: 0
Number of Processors: 1
Processor Type: x86 Family 15 Model 2 Stepping 4
Windows Version: 5.1
Current Build: 2600
Service Pack: 2
Current Type: Uniprocessor Free
Registered Organization: Organization
Registered Owner: Name



*----> State Dump for Thread Id 0x838 <----*

eax=ffffffff ebx=010a82b0 ecx=00000000 edx=00000000 esi=ffffffff edi=000fe3a2
eip=748fe598 esp=01c8f0c0 ebp=01c8f154 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246

function: quartz
748fe581 b708 mov bh,0x8
748fe583 c1ea02 shr edx,0x2
748fe586 3bd1 cmp edx,ecx
748fe588 7702 ja quartz+0xee58c (748fe58c)
748fe58a 8bd1 mov edx,ecx
748fe58c 0fb708 movzx ecx,word ptr [eax]
748fe58f 56 push esi
748fe590 8d740aff lea esi,[edx+ecx-0x1]
748fe594 8bc6 mov eax,esi
748fe596 33d2 xor edx,edx
FAULT ->748fe598 f7f1 div ecx <- FAULT
748fe59a 8bc6 mov eax,esi
748fe59c 5e pop esi
748fe59d 2bc2 sub eax,edx
748fe59f c3 ret
748fe5a0 90 nop
748fe5a1 90 nop
748fe5a2 90 nop
748fe5a3 90 nop
748fe5a4 90 nop
748fe5a5 8bff mov edi,edi


-------------.
The Solution \
---------------`-------------------------------------------------.
:
Wait for a patch from Microsoft :
-----------------------------------------------------------------.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...