[ home ]  [ private ]  [ 0Day ]  [ discount ]  [ Get Gold ]  [ platforms ]  [ pentest ]  [ search ]  [ faq ]  [ contact ]  [ style ]  [ Prices in Gold ]   db: 39 583    
0day Today Exploit DB Official Facebook
0day Today Exploit DB Official Twitter
0day Today Exploit DB Official RSS Channel
Tor
We DO NOT use Telegram or any messengers / social networks!
We DO NOT use Telegram or any messengers / social networks!

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

 
0day.today - Biggest Exploit Database in the World.
Select your language:  
English
English
Русский
Русский
Deutsch
Deutsch
Türkçe
Türkçe
Français
Français
Italiano
Italiano
Español
Español
Romania
Romania
Polskie
Polskie
العربية
العربية
Japan
Japan
China
China
Things you should know about 0day.today:
  • We use one main domain: http://0day.today
  • Most of the materials is completely FREE
  • If you want to purchase the exploit / get V.I.P. access or pay for any other service,
    you need to buy or earn GOLD
We accept currencies: [contact admin to find more]
           
We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks! We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
I am registered user of 0day.today. I don't want to see this screen in future.
What to do first?
  1. Read the [ agreement ]
  2. Read the [ Submit ] rules
  3. Visit the [ faq ] page
  4. [ Register ] profile
  5. Get [ GOLD ]
  6. If you want to [ sell ]
  7. If you want to [ buy ]
  8. If you lost [ Account ]
  9. Any questions [ admin@0day.today ]


Main links


You can contact us by

Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
Mail:
mr.inj3ct0r@gmail.com
Facebook:
Inj3ct0rs
Twitter:
Inj3ct0r
Telegram:
We DO NOT use Telegram or any messengers / social networks!
0day Today Exploits Market and 0day Exploits Database

Windows Media Player with K-Lite Codec Pack DoS PoC

Author
Nicolas Krassas
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-16331
Category
dos / poc
Date add
14-06-2011
Platform
windows
Greetings,
  There is a DOS condition on windows media player when the klite codec pack
is installed.
 
# Exploit Title: Windows Media Player with klite codec pack DOS Poc
# Date: 14/06/2011
# Author: Nicolas Krassas , www.twitter.com/dinosn
# Version:Windows Media Player 12
# Tested on: Windows 7
 
The 3gp handling from MP4Splitter.ax filter of klite codec pack will cause
an Access violation when a specially crafted movie file is loaded on the
media player. The same crash will occur also when the file is loaded on a
playlist and the media player will try to generate thumbnail image of the
contents.
 
File at: http://www.deventum.com/research/Crash_WMplayer.3gp
Mirror: http://www.exploit-db.com/sploits/Crash_WMplayer.3gp
 
Debug info,
 
 
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
 
*** wait with pending attach
Symbol search path is: SRV*c:\Symbols*
http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00340000 0036c000   C:\Program Files\Windows Media
Player\wmplayer.exe
ModLoad: 773e0000 7751c000   C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 76390000 76464000   C:\Windows\system32\kernel32.dll
ModLoad: 75810000 7585a000   C:\Windows\system32\KERNELBASE.dll
ModLoad: 764c0000 76560000   C:\Windows\system32\ADVAPI32.dll
ModLoad: 76230000 762dc000   C:\Windows\system32\msvcrt.dll
ModLoad: 77530000 77549000   C:\Windows\SYSTEM32\sechost.dll
ModLoad: 762e0000 76381000   C:\Windows\system32\RPCRT4.dll
ModLoad: 76560000 76629000   C:\Windows\system32\USER32.dll
ModLoad: 761e0000 7622e000   C:\Windows\system32\GDI32.dll
ModLoad: 75af0000 75afa000   C:\Windows\system32\LPK.dll
ModLoad: 75bf0000 75c8d000   C:\Windows\system32\USP10.dll
ModLoad: 775d0000 77605000   C:\Windows\system32\WS2_32.dll
ModLoad: 77520000 77526000   C:\Windows\system32\NSI.dll
ModLoad: 75db0000 75dcf000   C:\Windows\system32\IMM32.DLL
ModLoad: 75880000 7594c000   C:\Windows\system32\MSCTF.dll
ModLoad: 742a0000 742e0000   C:\Windows\system32\uxtheme.dll
ModLoad: 76790000 773da000   C:\Windows\system32\SHELL32.dll
ModLoad: 75b00000 75b57000   C:\Windows\system32\SHLWAPI.dll
ModLoad: 61cc0000 627b4000   C:\Windows\system32\wmp.dll
ModLoad: 74000000 74190000
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
ModLoad: 76630000 7678c000   C:\Windows\system32\ole32.dll
ModLoad: 75b60000 75bef000   C:\Windows\system32\OLEAUT32.dll
ModLoad: 73f10000 73f23000   C:\Windows\system32\dwmapi.dll
ModLoad: 60f70000 61b7c000   C:\Windows\system32\wmploc.dll
ModLoad: 754b0000 754bc000   C:\Windows\system32\CRYPTBASE.dll
ModLoad: 74420000 745be000
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
ModLoad: 76140000 761c3000   C:\Windows\system32\CLBCatQ.DLL
ModLoad: 68320000 683d2000   C:\Windows\System32\jscript.dll
ModLoad: 74a30000 74a39000   C:\Windows\System32\VERSION.dll
ModLoad: 74fe0000 74ff6000   C:\Windows\system32\CRYPTSP.dll
ModLoad: 74ce0000 74d1b000   C:\Windows\system32\rsaenh.dll
ModLoad: 75510000 7551e000   C:\Windows\system32\RpcRtRemote.dll
ModLoad: 75520000 7557f000   C:\Windows\system32\SXS.DLL
ModLoad: 73d30000 73e2b000   C:\Windows\system32\WindowsCodecs.dll
ModLoad: 73890000 73895000   C:\Windows\system32\MSIMG32.dll
ModLoad: 75580000 7558b000   C:\Windows\system32\profapi.dll
ModLoad: 75950000 75aed000   C:\Windows\system32\SETUPAPI.dll
ModLoad: 75600000 75627000   C:\Windows\system32\CFGMGR32.dll
ModLoad: 75860000 75872000   C:\Windows\system32\DEVOBJ.dll
ModLoad: 742e0000 743d5000   C:\Windows\system32\propsys.dll
ModLoad: 74a00000 74a21000   C:\Windows\system32\ntmarta.dll
ModLoad: 76470000 764b5000   C:\Windows\system32\WLDAP32.dll
ModLoad: 73e60000 73e99000   C:\Windows\System32\MMDevApi.dll
ModLoad: 63320000 63379000   C:\Windows\system32\MFPlat.DLL
ModLoad: 73c70000 73c77000   C:\Windows\system32\AVRT.dll
ModLoad: 64e60000 64e96000   C:\Windows\system32\AUDIOSES.DLL
ModLoad: 6fd30000 6fd8a000   C:\Windows\System32\netprofm.dll
ModLoad: 73880000 73890000   C:\Windows\System32\nlaapi.dll
ModLoad: 6f460000 6f468000   C:\Windows\System32\npmproxy.dll
ModLoad: 70b90000 70bd4000   C:\Windows\system32\upnphost.dll
ModLoad: 70930000 7093d000   C:\Windows\system32\SSDPAPI.dll
ModLoad: 72670000 726a2000   C:\Windows\system32\WINMM.dll
ModLoad: 74b40000 74b4d000   C:\Windows\system32\WTSAPI32.dll
ModLoad: 751a0000 751c9000   C:\Windows\system32\WINSTA.dll
ModLoad: 75c90000 75daa000   C:\Windows\system32\WININET.dll
ModLoad: 76100000 76103000   C:\Windows\system32\Normaliz.dll
ModLoad: 75e30000 75fe6000   C:\Windows\system32\iertutil.dll
ModLoad: 75ff0000 76100000   C:\Windows\system32\urlmon.dll
ModLoad: 75470000 75478000   C:\Windows\system32\Secur32.dll
ModLoad: 75490000 754ab000   C:\Windows\system32\SSPICLI.DLL
ModLoad: 73610000 7361a000   C:\Windows\system32\slc.dll
ModLoad: 64030000 64094000   C:\Windows\system32\imapi2.dll
ModLoad: 74b50000 74b5b000   C:\Windows\system32\pcwum.DLL
ModLoad: 75630000 7565d000   C:\Windows\system32\WINTRUST.dll
ModLoad: 756f0000 7580d000   C:\Windows\system32\CRYPT32.dll
ModLoad: 755f0000 755fc000   C:\Windows\system32\MSASN1.dll
ModLoad: 6a4c0000 6a50c000   C:\Windows\System32\mswmdm.dll
ModLoad: 74e40000 74e84000   C:\Windows\system32\dnsapi.DLL
ModLoad: 72e40000 72e5c000   C:\Windows\system32\iphlpapi.DLL
ModLoad: 72e30000 72e37000   C:\Windows\system32\WINNSI.DLL
ModLoad: 70700000 70727000   C:\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDNSP.DLL
ModLoad: 761d0000 761d5000   C:\Windows\system32\PSAPI.DLL
ModLoad: 74fa0000 74fdc000   C:\Windows\System32\mswsock.dll
ModLoad: 706d0000 706f5000   C:\Program Files\Bonjour\mdnsNSP.dll
ModLoad: 65fc0000 65ff6000   C:\Windows\system32\upnp.dll
ModLoad: 71450000 714a8000   C:\Windows\system32\WINHTTP.dll
ModLoad: 71400000 7144f000   C:\Windows\system32\webio.dll
ModLoad: 72960000 72966000   C:\Windows\System32\wshqos.dll
ModLoad: 74ac0000 74ac5000   C:\Windows\system32\wshtcpip.DLL
ModLoad: 75000000 75006000   C:\Windows\system32\wship6.dll
ModLoad: 72c30000 72c42000   C:\Windows\system32\dhcpcsvc.DLL
ModLoad: 6b000000 6b036000   C:\Windows\System32\cewmdm.dll
ModLoad: 74f20000 74f28000   C:\Windows\system32\credssp.dll
ModLoad: 6fa90000 6fbc3000   C:\Windows\System32\msxml3.dll
ModLoad: 67cb0000 67d26000   C:\Program Files\Windows Media
Player\wmpnssci.dll
ModLoad: 72cb0000 72cbd000   C:\Windows\system32\dhcpcsvc6.DLL
ModLoad: 70f10000 70f1c000   C:\Windows\System32\wmdmps.dll
ModLoad: 74a40000 74ab6000   C:\Windows\system32\FirewallAPI.dll
ModLoad: 6c340000 6c4af000   C:\Windows\system32\explorerframe.dll
ModLoad: 73ee0000 73f0f000   C:\Windows\system32\DUser.dll
ModLoad: 73f40000 73ff2000   C:\Windows\system32\DUI70.dll
ModLoad: 641a0000 641c7000   C:\Windows\System32\wmpps.dll
ModLoad: 73910000 73962000   C:\Windows\system32\RASAPI32.dll
ModLoad: 738f0000 73905000   C:\Windows\system32\rasman.dll
ModLoad: 738e0000 738ed000   C:\Windows\system32\rtutils.dll
ModLoad: 703b0000 703b6000   C:\Windows\system32\sensapi.dll
ModLoad: 73670000 73695000   C:\Windows\system32\peerdist.dll
ModLoad: 74ba0000 74bb7000   C:\Windows\system32\USERENV.dll
ModLoad: 75180000 7519b000   C:\Windows\system32\AUTHZ.dll
ModLoad: 70370000 70376000   C:\Windows\system32\rasadhlp.dll
ModLoad: 72cc0000 72cf8000   C:\Windows\System32\fwpuclnt.dll
ModLoad: 731d0000 731dd000   C:\Program Files\Common Files\Microsoft
Shared\OFFICE14\MSOXMLMF.DLL
ModLoad: 711e0000 71283000
C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.5570_none_509463cabcb6ef2a\MSVCR90.dll
ModLoad: 73e30000 73e5f000   C:\Windows\system32\XmlLite.dll
ModLoad: 6f310000 6f319000   C:\Windows\system32\LINKINFO.dll
(2730.1a14): Break instruction exception - code 80000003 (first chance)
eax=7ff9e000 ebx=00000000 ecx=00000000 edx=7747f125 esi=00000000
edi=00000000
eip=774140f0 esp=01a9feb4 ebp=01a9fee0 iopl=0         nv up ei pl zr na pe
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00000246
ntdll!DbgBreakPoint:
774140f0 cc              int     3
0:029> g
ModLoad: 754c0000 7550c000   C:\Windows\system32\apphelp.dll
ModLoad: 10000000 10017000
C:\Users\Dinos\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
ModLoad: 733d0000 734bb000   C:\Windows\system32\dbghelp.dll
ModLoad: 7c3a0000 7c41b000
C:\Users\Dinos\AppData\Roaming\Dropbox\bin\MSVCP71.dll
ModLoad: 7c340000 7c396000
C:\Users\Dinos\AppData\Roaming\Dropbox\bin\MSVCR71.dll
ModLoad: 6e660000 6e691000   C:\Windows\system32\EhStorShell.dll
ModLoad: 6bb20000 6bf2b000   GrooveEX.DLL
ModLoad: 6bb20000 6bf2b000   C:\PROGRA~1\MIF5BA~1\Office14\GROOVEEX.DLL
ModLoad: 71140000 711ce000
C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.5570_none_509463cabcb6ef2a\MSVCP90.dll
ModLoad: 6e630000 6e65b000
C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.5570_none_51ce1f16bbe3e56e\ATL90.DLL
ModLoad: 6bf30000 6c33f000
C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
ModLoad: 6b2b0000 6bb14000
C:\PROGRA~1\MIF5BA~1\Office14\1033\GrooveIntlResource.dll
ModLoad: 64720000 6478a000   C:\Windows\System32\cscui.dll
ModLoad: 737d0000 737d9000   C:\Windows\System32\CSCDLL.dll
ModLoad: 70940000 7094b000   C:\Windows\system32\CSCAPI.dll
ModLoad: 64680000 646f0000   C:\Windows\system32\ntshrui.dll
ModLoad: 75400000 75419000   C:\Windows\system32\srvcli.dll
ModLoad: 6f720000 6f7c0000   C:\Windows\system32\SearchFolder.dll
ModLoad: 73010000 73026000   C:\Windows\system32\thumbcache.dll
ModLoad: 6de20000 6e132000   C:\Windows\system32\MF.dll
ModLoad: 73620000 73634000   C:\Windows\system32\ATL.DLL
ModLoad: 64e20000 64e24000   C:\Windows\system32\ksuser.dll
ModLoad: 67510000 67569000   C:\Windows\System32\wmpeffects.dll
ModLoad: 682f0000 682fb000   C:\Windows\System32\msdmo.dll
ModLoad: 66f70000 66fea000   C:\Windows\System32\evr.dll
ModLoad: 73c80000 73ca5000   C:\Windows\System32\POWRPROF.dll
ModLoad: 70f20000 70f38000   C:\Windows\system32\DXVA2.DLL
ModLoad: 628f0000 62ab3000   C:\Windows\system32\D3D9.DLL
ModLoad: 730f0000 730f6000   C:\Windows\system32\d3d8thk.dll
ModLoad: 58eb0000 5985a000   C:\Windows\system32\nvd3dum.dll
(2730.1d98): C++ EH exception - code e06d7363 (first chance)
ModLoad: 684a0000 684ec000   C:\Windows\System32\mfds.dll
ModLoad: 65e10000 65f87000   C:\Windows\system32\quartz.dll
ModLoad: 65320000 65334000   C:\Windows\system32\devenum.dll
ModLoad: 088e0000 089db000   C:\Program Files\K-Lite Codec
Pack\Filters\vsfilter.dll
ModLoad: 77550000 775cb000   C:\Windows\system32\COMDLG32.dll
ModLoad: 70570000 705c1000   C:\Windows\system32\WINSPOOL.DRV
ModLoad: 67360000 673cc000   C:\Program Files\K-Lite Codec
Pack\Filters\FLVSplitter.ax
ModLoad: 66d80000 66e2e000   C:\Program Files\K-Lite Codec
Pack\Filters\MP4Splitter.ax
(2730.1d98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=66d8bed0 ebx=00000000 ecx=00000000 edx=0691ef40 esi=08e9fe28
edi=08e9fe50
eip=66d8bef1 esp=0691ee78 ebp=00000000 iopl=0         nv up ei pl nz na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000
efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for
C:\Program Files\K-Lite Codec Pack\Filters\MP4Splitter.ax -
MP4Splitter!DllRegisterServer+0x5a41:
66d8bef1 8b01            mov     eax,dword ptr [ecx]
ds:0023:00000000=????????
0:031> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
 
Faulting Instruction:66d8bef1 mov eax,dword ptr [ecx]
 
Basic Block:
    66d8bef1 mov eax,dword ptr [ecx]
       Tainted Input Operands: ecx
    66d8bef3 mov eax,dword ptr [eax+30h]
       Tainted Input Operands: eax
    66d8bef6 push ebx
    66d8bef7 mov ebx,dword ptr [esp+38h]
    66d8befb lea edx,[esp+1ch]
    66d8beff push edx
    66d8bf00 lea edx,[esp+10h]
    66d8bf04 push edx
    66d8bf05 lea edx,[esp+40h]
    66d8bf09 push edx
    66d8bf0a inc ebx
    66d8bf0b push ebx
    66d8bf0c call eax
       Tainted Input Operands: eax, ecx
 
Exception Hash (Major/Minor): 0x312e650b.0x312e1f0b
 
Stack Trace:
MP4Splitter!DllRegisterServer+0x5a41
Instruction Address: 0x0000000066d8bef1
 
Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address
controls Code Flow starting at
MP4Splitter!DllRegisterServer+0x0000000000005a41
(Hash=0x312e650b.0x312e1f0b)
 
The data from the faulting address is later used as the target for a branch.



#  0day.today [2024-11-15]  #
0day Today Exploit Database buy and sell exploits type (local, remote, DoS, PoC, etc.)
Send all submissions to mr.inj3ct0r[at]gmail.com
Copyright © 2008-2024 0day Today Team