FFDshow SEH Exception leading to NULL pointer on Read
Author: Matthew Bergin
Website: http://berginpentesting.com/
Email: matt@berginpentesting.com
Date: 09/02/10
Filename: C:\Program Files\K-Lite Codec Pack\FFDshow\ffdshow.ax
Version: v1.1.3530.0
License: GNU General Public License
Description
ffdshow.ax (as shipped in the K-Lite Codec Pack) raises a Microsoft C++ exception (SEH code E06D7363, the code MSVC uses for a C++ throw) while a std::bad_alloc is being captured: the stack at the time of the exception carries the strings "bad allocation" (MSVC's what() text for std::bad_alloc), "boost::current_exception()" and "src\boost/exception/detail/exception_ptr.hpp" (line 0x50). After the handler returns, the code at ffdshow.023CC1B3 loads an object pointer from a stack local ([EBP-18]) that is still 0 and dereferences it, producing an access violation reading address 00000000. The two following instructions would have fetched a function pointer through that object (MOV EDX,[EAX]) and called it (CALL EDX), i.e. a virtual call through a NULL object. As observed, the fault is a read from the NULL page through a local the input does not control, so the result is a crash of the host player (denial of service); nothing in the trace shows ECX to be attacker-controlled.
Crash Instructions
kernel32.7C812AFB  5E                POP ESI                          ; ESI=ffdshow.02659580   <- Exception E06D7363
kernel32.7C812AFC  C9                LEAVE
kernel32.7C812AFD  C2 1000           RETN 10
ffdshow.0261A804   C9                LEAVE
ffdshow.0261A805   C2 0800           RETN 8
ffdshow.023CC407   8B45 08           MOV EAX,DWORD PTR SS:[EBP+8]
ffdshow.023CC4DA   50                PUSH EAX                         ; ffdshow.026FBE9C
ffdshow.023CC4DB   E8 70FEFFFF       CALL ffdshow.023CC350
ffdshow.023CC350   55                PUSH EBP
ffdshow.023CC351   8BEC              MOV EBP,ESP
ffdshow.023CC353   6A FF             PUSH -1
ffdshow.023CC355   68 C1826402       PUSH ffdshow.026482C1
ffdshow.023CC35A   64:A1 00000000    MOV EAX,DWORD PTR FS:[0]         ; set up SEH frame
ffdshow.023CC360   50                PUSH EAX
ffdshow.023CC361   64:8925 00000000  MOV DWORD PTR FS:[0],ESP
ffdshow.023CC368   83EC 1C           SUB ESP,1C
ffdshow.023CC36B   53                PUSH EBX
ffdshow.023CC36C   33C0              XOR EAX,EAX
ffdshow.023CC36E   56                PUSH ESI
ffdshow.023CC36F   8945 EC           MOV DWORD PTR SS:[EBP-14],EAX
ffdshow.023CC372   57                PUSH EDI
ffdshow.023CC373   8B7D 08           MOV EDI,DWORD PTR SS:[EBP+8]
ffdshow.023CC376   8907              MOV DWORD PTR DS:[EDI],EAX
ffdshow.023CC378   8965 F0           MOV DWORD PTR SS:[EBP-10],ESP
ffdshow.023CC37B   8947 04           MOV DWORD PTR DS:[EDI+4],EAX
ffdshow.023CC37E   8D45 E4           LEA EAX,DWORD PTR SS:[EBP-1C]
ffdshow.023CC381   BB 01000000       MOV EBX,1
ffdshow.023CC386   50                PUSH EAX
ffdshow.023CC387   895D EC           MOV DWORD PTR SS:[EBP-14],EBX
ffdshow.023CC38A   895D FC           MOV DWORD PTR SS:[EBP-4],EBX
ffdshow.023CC38D   E8 EEFDFFFF       CALL ffdshow.023CC180
...
...
ffdshow.023CC19E   33C0              XOR EAX,EAX
ffdshow.023CC1A0   8965 F0           MOV DWORD PTR SS:[EBP-10],ESP
ffdshow.023CC1A3   50                PUSH EAX
ffdshow.023CC1A4   50                PUSH EAX
ffdshow.023CC1A5   8945 EC           MOV DWORD PTR SS:[EBP-14],EAX
ffdshow.023CC1A8   8945 FC           MOV DWORD PTR SS:[EBP-4],EAX
ffdshow.023CC1AB   E8 0CE62400       CALL ffdshow.0261A7BC
ffdshow.023CC1B0   8B4D E8           MOV ECX,DWORD PTR SS:[EBP-18]    ; local is still 0
ffdshow.023CC1B3   8B01              MOV EAX,DWORD PTR DS:[ECX]       <- Access violation when reading 00000000 (NULL pointer)
ffdshow.023CC1B5   8B10              MOV EDX,DWORD PTR DS:[EAX]       ; would load function pointer through the object
ffdshow.023CC1B7   FFD2              CALL EDX                         ; virtual call through the NULL object
Crash Registers on Exception
EAX 01d0db3c
ECX 00000000
EDX 01d0dbe0
EBX 00000000
ESP 01d0db38
EBP 01d0db8c
ESI 01d0dbc4
EDI 00000000
EIP 7c812afb kernel32.7c812afb
Crash Registers on Violation
EAX 01d0da8c
ECX 00000000
EDX 01d0dbe0
EBX 00000001
ESP 01d0db24
EBP 01d0db88
ESI 02659580 ffdshow.02659580
EDI 026fbe9c ffdshow.026fbe9c
EIP 023cc1b3 ffdshow.023cc1b3
Stack
01D0DBD0 | 026FBE9C  ffdshow.026FBE9C
01D0DBD4 | 00000000
01D0DBD8 | 02659580  ffdshow.02659580
01D0DBDC | 00000000
01D0DBE0 | 0265B7E4  ffdshow.0265B7E4
01D0DBE4 | 00000000
01D0DBE8 | 0265BC88  ASCII "boost::current_exception()"
01D0DBEC | 0265BC58  ASCII "src\boost/exception/detail/exception_ptr.hpp"
01D0DBF0 | 00000050
01D0DBF4 | 0265B7D8  ffdshow.0265B7D8
01D0DBF8 | 0265B544  ASCII "bad allocation"
01D0DBFC | 00000000
01D0DC00 | 0265B8C4  ffdshow.0265B8C4
01D0DC04 | 00000000
01D0DC08 | 01D0DBD4
01D0DC0C | 01D0DC50  Pointer to next SEH record
01D0DC10 | 026482D0  SE handler
01D0DC14 | 00000000
01D0DC18 | 01D0DC6C
01D0DC1C | 023CC5A4  RETURN to ffdshow.023CC5A4 from ffdshow.023CC490
01D0DC20 | 026FBE9C  ffdshow.026FBE9C
01D0DC24 | 01D0DC30
01D0DC28 | 023B0000  ffdshow.023B0000
01D0DC2C | 00000000
01D0DC30 | 0265B7C4  ffdshow.0265B7C4
01D0DC34 | 00000000
01D0DC38 | 0265BC88  ASCII "boost::current_exception()"
01D0DC3C | 0265BC58  ASCII "src\boost/exception/detail/exception_ptr.hpp"
01D0DC40 | 00000050
01D0DC44 | 0265B7CC  ffdshow.0265B7CC
01D0DC48 | 0265B544  ASCII "bad allocation"
01D0DC4C | 00000000
01D0DC50 | 01D0DCBC  Pointer to next SEH record
01D0DC54 | 026482FE  SE handler
Reproduction
Use the attached PoC (FFDshowSEHExceptionleadingtoNULLpointeronRead.rar):
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14882.rar