FFDshow SEH Exception leading to NULL pointer on Read Author: Matthew Bergin Website: http://berginpentesting.com/ Email: matt@berginpentesting.com Date: 09/02/10 Filename: C:\Program Files\K-Lite Codec Pack\FFDshow\ffdshow.ax Version: v1.1.3530.0 License: GNU General Public License Description Crash Instructions kernel32.7c812afb 5E POP ESI ffdshow.02659580 <- Exception E06d7363 kernel32.7c812afc C9 LEAVE kernel32.7c812afd C2 1000 RETN 10 ffdshow.0261a804C9 LEAVE ffdshow.0261a805C2 0800 RETN 8 ffdshow.023cc4078b45 08 MOV EAX, DWORD PTR SS:[EBP+8] ffdshow.023cc4da50 PUSH EAX ffdshow.026fbe9c ffdshow.023cc4dbE8 70FEFFFF CALL ffdshow.023cc350 ffdshow.023cc35055 PUSH EBP ffdshow.023cc3518BEC MOV EBP,ESP ffdshow.023cc3536A FF PUSH -1 ffdshow.023cc35568 C1826402 PUSH ffdshow.026482c1 ffdshow.023cc35a61:A1 00000000 MOV EAX, DWORD PTR FS:[0] ffdshow.023cc36050 PUSH EAX ffdshow.023cc36164:8925 00000000MOV DWORD PTR FS:[0], ESP ffdshow.023CC36883EC 1C SUB ESP,1C ffdshow.023CC36B53 PUSH EBX ffdshow.023CC36C33C0 XOR EAX,EAX ffdshow.023CC36E56 PUSH ESI ffdshow.023CC36F8945 EC MOV DWORD PTR SS:[EBP-14],EAX ffdshow.023CC37257 PUSH EDI ffdshow.023CC3738B7D 08 MOV EDI,DWORD PTR SS:[EBP+8] ffdshow.023CC3768907 MOV DWORD PTR DS:[EDI],EAX ffdshow.023CC3788965 F0 MOV DWORD PTR SS:[EBP-10],ESP ffdshow.023CC37B8947 04 MOV DWORD PTR DS:[EDI+4],EAX ffdshow.023CC37E8D45 E4 LEA EAX,DWORD PTR SS:[EBP-1C] ffdshow.023CC381BB 01000000 MOV EBX,1 ffdshow.023CC38650 PUSH EAX ffdshow.023CC387895D EC MOV DWORD PTR SS:[EBP-14],EBX ffdshow.023CC38A895D FC MOV DWORD PTR SS:[EBP-4],EBX ffdshow.023CC38DE8 EEFDFFFF CALL ffdshow.023CC180 ... ... ffdshow.023CC19E33C0 XOR EAX,EAX ffdshow.023CC1A08965 F0 MOV DWORD PTR SS:[EBP-10],ESP ffdshow.023CC1A350 PUSH EAX ffdshow.023CC1A450 PUSH EAX ffdshow.023CC1A58945 EC MOV DWORD PTR SS:[EBP-14],EAX ffdshow.023CC1A88945 FC MOV DWORD PTR SS:[EBP-4],EAX ffdshow.023CC1ABE8 0CE62400 CALL ffdshow.0261A7BC ffdshow.023CC1B08B4D E8 MOV ECX,DWORD PTR SS:[EBP-18] ffdshow.023CC1B38B01 MOV EAX,DWORD PTR DS:[ECX] <- Access Violation when reading 00000000 NULL pointer ffdshow.023CC1B58B10 MOV EDX,DWORD PTR DS:[EAX] ffdshow.023CC1B7FFD2 CALL EDX Crash Registers on Exception EAX 01d0db3c ECX 00000000 EDX 01d0dbe0 EBX 00000000 ESP 01d0db38 EBP 01d0db8c ESI 01d0dbc4 EDI 00000000 EIP 7c812afb kernel32.7c812afb Crash Registers on Violation EAX 01d0da8c ECX 00000000 EDX 01d0dbe0 EBX 00000001 ESP 01d0db24 EBP 01d0db88 ESI 02659580 ffdshow.02659580 EDI 026fbe9c ffdshow.026fbe9c EIP 023cc1b3 ffdshow.023cc1b3 Stack 01D0DBD0|026FBE9Cffdshow.026FBE9C 01D0DBD4|00000000 01D0DBD8|02659580ffdshow.02659580 01D0DBDC|00000000 01D0DBE0|0265B7E4ffdshow.0265B7E4 01D0DBE4|00000000 01D0DBE8|0265BC88ASCII "boost::current_exception()" 01D0DBEC|0265BC58ASCII "src\boost/exception/detail/exception_ptr.hpp" 01D0DBF0|00000050 01D0DBF4|0265B7D8ffdshow.0265B7D8 01D0DBF8|0265B544ASCII "bad allocation" 01D0DBFC|00000000 01D0DC00|0265B8C4ffdshow.0265B8C4 01D0DC04|00000000 01D0DC08|01D0DBD4 01D0DC0C|01D0DC50Pointer to next SEH record 01D0DC10|026482D0SE handler 01D0DC14|00000000 01D0DC18]01D0DC6C 01D0DC1C|023CC5A4RETURN to ffdshow.023CC5A4 from ffdshow.023CC490 01D0DC20|026FBE9Cffdshow.026FBE9C 01D0DC24|01D0DC30 01D0DC28|023B0000ffdshow.023B0000 01D0DC2C|00000000 01D0DC30|0265B7C4ffdshow.0265B7C4 01D0DC34|00000000 01D0DC38|0265BC88ASCII "boost::current_exception()" 01D0DC3C|0265BC58ASCII "src\boost/exception/detail/exception_ptr.hpp" 01D0DC40|00000050 01D0DC44|0265B7CCffdshow.0265B7CC 01D0DC48|0265B544ASCII "bad allocation" 01D0DC4C|00000000 01D0DC50|01D0DCBCPointer to next SEH record 01D0DC54|026482FESE handler Reproduction Use attached PoC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14882.rar (FFDshowSEHExceptionleadingtoNULLpointeronRead.rar)
体验盒子
