PotPlayer 1.6.5x - '.mp3' Crash (PoC)

EDB-ID:

39428

CVE:

N/A




Platform:

Windows

Date:

2016-02-09



# Exploit Title: POTPLAYER 1.6.5x MP3 CRASH POC
# Date: 08-02-2016
# Exploit Author: Shantanu Khandelwal
# Vendor Homepage: https://potplayer.daum.net/
# Software Link: (32-Bit) http://get.daum.net/PotPlayer/v3/PotPlayerSetup.exe
# Software Link: (64-Bit) http://get.daum.net/PotPlayer64/v3/PotPlayerSetup64.exe
# Version: 1.6.5x
# Tested on: Windows XP SP3, Windows 8, Windows 10
# CVE : unknown at the moment
#============================================================================================
#Description: Read Access Violation on Block Data Move
#Short Description: ReadAVonBlockMove
#Exploitability Classification: PROBABLY_EXPLOITABLE
#============================================================================================
#==================================================
#(8a4.d54): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=05d46659 ebx=05bb2998 ecx=00000011 edx=00000000 esi=05c68ffd edi=0012edd4
#eip=01b62e1e esp=0012e9dc ebp=0363ad80 iopl=0         nv up ei pl nz ac po nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
#*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\DAUM\PotPlayer\PotPlayer.dll -
#===========================================================

PotPlayer has a buffer overflow in the PNG parser used for the image embedded in the MP3, at offset 5B.
The crash is caused by the byte '\x22' at offset 5B.

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/39428.zip