Microsoft Windows Media Player with K-Lite Codec Pack – Denial of Service (PoC)

• Exploit Database
• 109 阅读

• 作者： Nicolas Krassas
  日期： 2011-06-14
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/17398/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261

  Greetings, There is a DOS condition on windows media player when the klite codec pack is installed.   # Exploit Title: Windows Media Player with klite codec pack DOS Poc # Date: 14/06/2011 # Author: Nicolas Krassas , www.twitter.com/dinosn # Version:Windows Media Player 12 # Tested on: Windows 7   The 3gp handling from MP4Splitter.ax filter of klite codec pack will cause an Access violation when a specially crafted movie file is loaded on the media player. The same crash will occur also when the file is loaded on a playlist and the media player will try to generate thumbnail image of the contents.   File at: http://www.deventum.com/research/Crash_WMplayer.3gp Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17398.3gp (Crash_WMplayer.3gp)   Debug info,     Microsoft (R) Windows Debugger Version 6.12.0002.633 X86 Copyright (c) Microsoft Corporation. All rights reserved.   *** wait with pending attach Symbol search path is: SRV*c:\Symbols* http://msdl.microsoft.com/download/symbols Executable search path is: ModLoad: 00340000 0036c000 C:\Program Files\Windows Media Player\wmplayer.exe ModLoad: 773e0000 7751c000 C:\Windows\SYSTEM32\ntdll.dll ModLoad: 76390000 76464000 C:\Windows\system32\kernel32.dll ModLoad: 75810000 7585a000 C:\Windows\system32\KERNELBASE.dll ModLoad: 764c0000 76560000 C:\Windows\system32\ADVAPI32.dll ModLoad: 76230000 762dc000 C:\Windows\system32\msvcrt.dll ModLoad: 77530000 77549000 C:\Windows\SYSTEM32\sechost.dll ModLoad: 762e0000 76381000 C:\Windows\system32\RPCRT4.dll ModLoad: 76560000 76629000 C:\Windows\system32\USER32.dll ModLoad: 761e0000 7622e000 C:\Windows\system32\GDI32.dll ModLoad: 75af0000 75afa000 C:\Windows\system32\LPK.dll ModLoad: 75bf0000 75c8d000 C:\Windows\system32\USP10.dll ModLoad: 775d0000 77605000 C:\Windows\system32\WS2_32.dll ModLoad: 77520000 77526000 C:\Windows\system32\NSI.dll ModLoad: 75db0000 75dcf000 C:\Windows\system32\IMM32.DLL ModLoad: 75880000 7594c000 C:\Windows\system32\MSCTF.dll ModLoad: 742a0000 742e0000 C:\Windows\system32\uxtheme.dll ModLoad: 76790000 773da000 C:\Windows\system32\SHELL32.dll ModLoad: 75b00000 75b57000 C:\Windows\system32\SHLWAPI.dll ModLoad: 61cc0000 627b4000 C:\Windows\system32\wmp.dll ModLoad: 74000000 74190000 C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll ModLoad: 76630000 7678c000 C:\Windows\system32\ole32.dll ModLoad: 75b60000 75bef000 C:\Windows\system32\OLEAUT32.dll ModLoad: 73f10000 73f23000 C:\Windows\system32\dwmapi.dll ModLoad: 60f70000 61b7c000 C:\Windows\system32\wmploc.dll ModLoad: 754b0000 754bc000 C:\Windows\system32\CRYPTBASE.dll ModLoad: 74420000 745be000 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll ModLoad: 76140000 761c3000 C:\Windows\system32\CLBCatQ.DLL ModLoad: 68320000 683d2000 C:\Windows\System32\jscript.dll ModLoad: 74a30000 74a39000 C:\Windows\System32\VERSION.dll ModLoad: 74fe0000 74ff6000 C:\Windows\system32\CRYPTSP.dll ModLoad: 74ce0000 74d1b000 C:\Windows\system32\rsaenh.dll ModLoad: 75510000 7551e000 C:\Windows\system32\RpcRtRemote.dll ModLoad: 75520000 7557f000 C:\Windows\system32\SXS.DLL ModLoad: 73d30000 73e2b000 C:\Windows\system32\WindowsCodecs.dll ModLoad: 73890000 73895000 C:\Windows\system32\MSIMG32.dll ModLoad: 75580000 7558b000 C:\Windows\system32\profapi.dll ModLoad: 75950000 75aed000 C:\Windows\system32\SETUPAPI.dll ModLoad: 75600000 75627000 C:\Windows\system32\CFGMGR32.dll ModLoad: 75860000 75872000 C:\Windows\system32\DEVOBJ.dll ModLoad: 742e0000 743d5000 C:\Windows\system32\propsys.dll ModLoad: 74a00000 74a21000 C:\Windows\system32\ntmarta.dll ModLoad: 76470000 764b5000 C:\Windows\system32\WLDAP32.dll ModLoad: 73e60000 73e99000 C:\Windows\System32\MMDevApi.dll ModLoad: 63320000 63379000 C:\Windows\system32\MFPlat.DLL ModLoad: 73c70000 73c77000 C:\Windows\system32\AVRT.dll ModLoad: 64e60000 64e96000 C:\Windows\system32\AUDIOSES.DLL ModLoad: 6fd30000 6fd8a000 C:\Windows\System32\netprofm.dll ModLoad: 73880000 73890000 C:\Windows\System32\nlaapi.dll ModLoad: 6f460000 6f468000 C:\Windows\System32\npmproxy.dll ModLoad: 70b90000 70bd4000 C:\Windows\system32\upnphost.dll ModLoad: 70930000 7093d000 C:\Windows\system32\SSDPAPI.dll ModLoad: 72670000 726a2000 C:\Windows\system32\WINMM.dll ModLoad: 74b40000 74b4d000 C:\Windows\system32\WTSAPI32.dll ModLoad: 751a0000 751c9000 C:\Windows\system32\WINSTA.dll ModLoad: 75c90000 75daa000 C:\Windows\system32\WININET.dll ModLoad: 76100000 76103000 C:\Windows\system32\Normaliz.dll ModLoad: 75e30000 75fe6000 C:\Windows\system32\iertutil.dll ModLoad: 75ff0000 76100000 C:\Windows\system32\urlmon.dll ModLoad: 75470000 75478000 C:\Windows\system32\Secur32.dll ModLoad: 75490000 754ab000 C:\Windows\system32\SSPICLI.DLL ModLoad: 73610000 7361a000 C:\Windows\system32\slc.dll ModLoad: 64030000 64094000 C:\Windows\system32\imapi2.dll ModLoad: 74b50000 74b5b000 C:\Windows\system32\pcwum.DLL ModLoad: 75630000 7565d000 C:\Windows\system32\WINTRUST.dll ModLoad: 756f0000 7580d000 C:\Windows\system32\CRYPT32.dll ModLoad: 755f0000 755fc000 C:\Windows\system32\MSASN1.dll ModLoad: 6a4c0000 6a50c000 C:\Windows\System32\mswmdm.dll ModLoad: 74e40000 74e84000 C:\Windows\system32\dnsapi.DLL ModLoad: 72e40000 72e5c000 C:\Windows\system32\iphlpapi.DLL ModLoad: 72e30000 72e37000 C:\Windows\system32\WINNSI.DLL ModLoad: 70700000 70727000 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDNSP.DLL ModLoad: 761d0000 761d5000 C:\Windows\system32\PSAPI.DLL ModLoad: 74fa0000 74fdc000 C:\Windows\System32\mswsock.dll ModLoad: 706d0000 706f5000 C:\Program Files\Bonjour\mdnsNSP.dll ModLoad: 65fc0000 65ff6000 C:\Windows\system32\upnp.dll ModLoad: 71450000 714a8000 C:\Windows\system32\WINHTTP.dll ModLoad: 71400000 7144f000 C:\Windows\system32\webio.dll ModLoad: 72960000 72966000 C:\Windows\System32\wshqos.dll ModLoad: 74ac0000 74ac5000 C:\Windows\system32\wshtcpip.DLL ModLoad: 75000000 75006000 C:\Windows\system32\wship6.dll ModLoad: 72c30000 72c42000 C:\Windows\system32\dhcpcsvc.DLL ModLoad: 6b000000 6b036000 C:\Windows\System32\cewmdm.dll ModLoad: 74f20000 74f28000 C:\Windows\system32\credssp.dll ModLoad: 6fa90000 6fbc3000 C:\Windows\System32\msxml3.dll ModLoad: 67cb0000 67d26000 C:\Program Files\Windows Media Player\wmpnssci.dll ModLoad: 72cb0000 72cbd000 C:\Windows\system32\dhcpcsvc6.DLL ModLoad: 70f10000 70f1c000 C:\Windows\System32\wmdmps.dll ModLoad: 74a40000 74ab6000 C:\Windows\system32\FirewallAPI.dll ModLoad: 6c340000 6c4af000 C:\Windows\system32\explorerframe.dll ModLoad: 73ee0000 73f0f000 C:\Windows\system32\DUser.dll ModLoad: 73f40000 73ff2000 C:\Windows\system32\DUI70.dll ModLoad: 641a0000 641c7000 C:\Windows\System32\wmpps.dll ModLoad: 73910000 73962000 C:\Windows\system32\RASAPI32.dll ModLoad: 738f0000 73905000 C:\Windows\system32\rasman.dll ModLoad: 738e0000 738ed000 C:\Windows\system32\rtutils.dll ModLoad: 703b0000 703b6000 C:\Windows\system32\sensapi.dll ModLoad: 73670000 73695000 C:\Windows\system32\peerdist.dll ModLoad: 74ba0000 74bb7000 C:\Windows\system32\USERENV.dll ModLoad: 75180000 7519b000 C:\Windows\system32\AUTHZ.dll ModLoad: 70370000 70376000 C:\Windows\system32\rasadhlp.dll ModLoad: 72cc0000 72cf8000 C:\Windows\System32\fwpuclnt.dll ModLoad: 731d0000 731dd000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL ModLoad: 711e0000 71283000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.5570_none_509463cabcb6ef2a\MSVCR90.dll ModLoad: 73e30000 73e5f000 C:\Windows\system32\XmlLite.dll ModLoad: 6f310000 6f319000 C:\Windows\system32\LINKINFO.dll (2730.1a14): Break instruction exception - code 80000003 (first chance) eax=7ff9e000 ebx=00000000 ecx=00000000 edx=7747f125 esi=00000000 edi=00000000 eip=774140f0 esp=01a9feb4 ebp=01a9fee0 iopl=0 nv up ei pl zr na pe nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00000246 ntdll!DbgBreakPoint: 774140f0 ccint 3 0:029> g ModLoad: 754c0000 7550c000 C:\Windows\system32\apphelp.dll ModLoad: 10000000 10017000 C:\Users\Dinos\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll ModLoad: 733d0000 734bb000 C:\Windows\system32\dbghelp.dll ModLoad: 7c3a0000 7c41b000 C:\Users\Dinos\AppData\Roaming\Dropbox\bin\MSVCP71.dll ModLoad: 7c340000 7c396000 C:\Users\Dinos\AppData\Roaming\Dropbox\bin\MSVCR71.dll ModLoad: 6e660000 6e691000 C:\Windows\system32\EhStorShell.dll ModLoad: 6bb20000 6bf2b000 GrooveEX.DLL ModLoad: 6bb20000 6bf2b000 C:\PROGRA~1\MIF5BA~1\Office14\GROOVEEX.DLL ModLoad: 71140000 711ce000 C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.5570_none_509463cabcb6ef2a\MSVCP90.dll ModLoad: 6e630000 6e65b000 C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.5570_none_51ce1f16bbe3e56e\ATL90.DLL ModLoad: 6bf30000 6c33f000 C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf ModLoad: 6b2b0000 6bb14000 C:\PROGRA~1\MIF5BA~1\Office14\1033\GrooveIntlResource.dll ModLoad: 64720000 6478a000 C:\Windows\System32\cscui.dll ModLoad: 737d0000 737d9000 C:\Windows\System32\CSCDLL.dll ModLoad: 70940000 7094b000 C:\Windows\system32\CSCAPI.dll ModLoad: 64680000 646f0000 C:\Windows\system32\ntshrui.dll ModLoad: 75400000 75419000 C:\Windows\system32\srvcli.dll ModLoad: 6f720000 6f7c0000 C:\Windows\system32\SearchFolder.dll ModLoad: 73010000 73026000 C:\Windows\system32\thumbcache.dll ModLoad: 6de20000 6e132000 C:\Windows\system32\MF.dll ModLoad: 73620000 73634000 C:\Windows\system32\ATL.DLL ModLoad: 64e20000 64e24000 C:\Windows\system32\ksuser.dll ModLoad: 67510000 67569000 C:\Windows\System32\wmpeffects.dll ModLoad: 682f0000 682fb000 C:\Windows\System32\msdmo.dll ModLoad: 66f70000 66fea000 C:\Windows\System32\evr.dll ModLoad: 73c80000 73ca5000 C:\Windows\System32\POWRPROF.dll ModLoad: 70f20000 70f38000 C:\Windows\system32\DXVA2.DLL ModLoad: 628f0000 62ab3000 C:\Windows\system32\D3D9.DLL ModLoad: 730f0000 730f6000 C:\Windows\system32\d3d8thk.dll ModLoad: 58eb0000 5985a000 C:\Windows\system32\nvd3dum.dll (2730.1d98): C++ EH exception - code e06d7363 (first chance) ModLoad: 684a0000 684ec000 C:\Windows\System32\mfds.dll ModLoad: 65e10000 65f87000 C:\Windows\system32\quartz.dll ModLoad: 65320000 65334000 C:\Windows\system32\devenum.dll ModLoad: 088e0000 089db000 C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll ModLoad: 77550000 775cb000 C:\Windows\system32\COMDLG32.dll ModLoad: 70570000 705c1000 C:\Windows\system32\WINSPOOL.DRV ModLoad: 67360000 673cc000 C:\Program Files\K-Lite Codec Pack\Filters\FLVSplitter.ax ModLoad: 66d80000 66e2e000 C:\Program Files\K-Lite Codec Pack\Filters\MP4Splitter.ax (2730.1d98): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=66d8bed0 ebx=00000000 ecx=00000000 edx=0691ef40 esi=08e9fe28 edi=08e9fe50 eip=66d8bef1 esp=0691ee78 ebp=00000000 iopl=0 nv up ei pl nz na po nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010202 *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files\K-Lite Codec Pack\Filters\MP4Splitter.ax - MP4Splitter!DllRegisterServer+0x5a41: 66d8bef1 8b01mov eax,dword ptr [ecx] ds:0023:00000000=???????? 0:031> !exploitable -v HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception Exception Faulting Address: 0x0 First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Read Access Violation   Faulting Instruction:66d8bef1 mov eax,dword ptr [ecx]   Basic Block: 66d8bef1 mov eax,dword ptr [ecx] Tainted Input Operands: ecx 66d8bef3 mov eax,dword ptr [eax+30h] Tainted Input Operands: eax 66d8bef6 push ebx 66d8bef7 mov ebx,dword ptr [esp+38h] 66d8befb lea edx,[esp+1ch] 66d8beff push edx 66d8bf00 lea edx,[esp+10h] 66d8bf04 push edx 66d8bf05 lea edx,[esp+40h] 66d8bf09 push edx 66d8bf0a inc ebx 66d8bf0b push ebx 66d8bf0c call eax Tainted Input Operands: eax, ecx   Exception Hash (Major/Minor): 0x312e650b.0x312e1f0b   Stack Trace: MP4Splitter!DllRegisterServer+0x5a41 Instruction Address: 0x0000000066d8bef1   Description: Data from Faulting Address controls Code Flow Short Description: TaintedDataControlsCodeFlow Exploitability Classification: PROBABLY_EXPLOITABLE Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at MP4Splitter!DllRegisterServer+0x0000000000005a41 (Hash=0x312e650b.0x312e1f0b)   The data from the faulting address is later used as the target for a branch.