DivFix++ 0.34 – Denial of Service

  • Author: qflb.wu
    Date: 2017-07-31
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/42396/
  • DivFix++ denial of service vulnerability
    ========================================
    Author : qflb.wu
    ================
    
    
    Introduction:
    =============
    DivFix++ is a free AVI video fix and preview program.
    
    
    Affected version:
    =================
    v0.34
    
    
    Vulnerability Description:
    ==========================
    The DivFixppCore::avi_header_fix function in src/DivFix++Core.cpp in DivFix++ v0.34 can cause a denial of service (invalid memory write and application crash) via a crafted AVI file.
    
    
    ./DivFix++ -i DivFix++_v0.34_invalid_memory_write.avi -o out.avi
    
    
    ----debug info:----
    Program received signal SIGSEGV, Segmentation fault.
    __memcpy_sse2_unaligned ()
        at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
    167     ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
    (gdb) bt
    #0  __memcpy_sse2_unaligned ()
        at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
    #1  0x00000000004239d8 in DivFixppCore::avi_header_fix() ()
    #2  0x000000000042c0c0 in DivFixppCore::Fix(wxString, wxString, bool, bool, bool, bool) ()
    #3  0x000000000041404a in DivFixppApp::OnCmdLineParsed(wxCmdLineParser&) ()
    #4  0x0000000000414f6e in DivFixppApp::OnInit() ()
    #5  0x0000000000416f4f in wxAppConsoleBase::CallOnInit() ()
    #6  0x00007ffff6c6903c in wxEntry(int&, wchar_t**) ()
        from /usr/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0
    #7  0x0000000000411e70 in main ()
    (gdb)
    
    
    -------------------
    (gdb) disassemble 0x00000000004239b0,0x00000000004239df
    Dump of assembler code from 0x4239b0 to 0x4239df:
       0x00000000004239b0 <_ZN12DivFixppCore14avi_header_fixEv+3504>:   add    %al,(%rax)
       0x00000000004239b2 <_ZN12DivFixppCore14avi_header_fixEv+3506>:   mov    %eax,%edi
       0x00000000004239b4 <_ZN12DivFixppCore14avi_header_fixEv+3508>:   callq  0x434eaf <_Z17make_littleendianIiERT_S0_>
       0x00000000004239b9 <_ZN12DivFixppCore14avi_header_fixEv+3513>:   mov    -0x138(%rbp),%rdx
       0x00000000004239c0 <_ZN12DivFixppCore14avi_header_fixEv+3520>:   mov    0x38(%rdx),%rdx
       0x00000000004239c4 <_ZN12DivFixppCore14avi_header_fixEv+3524>:   lea    0x10(%rdx),%rcx
       0x00000000004239c8 <_ZN12DivFixppCore14avi_header_fixEv+3528>:   mov    $0x4,%edx
       0x00000000004239cd <_ZN12DivFixppCore14avi_header_fixEv+3533>:   mov    %rax,%rsi
       0x00000000004239d0 <_ZN12DivFixppCore14avi_header_fixEv+3536>:   mov    %rcx,%rdi
    => 0x00000000004239d3 <_ZN12DivFixppCore14avi_header_fixEv+3539>:   callq  0x40fcc0 <memcpy@plt>
       0x00000000004239d8 <_ZN12DivFixppCore14avi_header_fixEv+3544>:   mov    -0x138(%rbp),%rax
    End of assembler dump.
    (gdb) i r
    rax            0x661528            6690088
    rbx            0x0                 0
    rcx            0x10                16
    rdx            0x4                 4
    rsi            0x661528            6690088
    rdi            0x10                16
    rbp            0x7fffffffcf10      0x7fffffffcf10
    rsp            0x7fffffffcdd0      0x7fffffffcdd0
    r8             0x804930            8407344
    r9             0x7ffff7fc1a40      140737353882176
    r10            0x640000006e429496729710
    r11            0x0                 0
    r12            0x1                 1
    r13            0x1                 1
    r14            0x0                 0
    r15            0x0                 0
    rip            0x4239d3            0x4239d3 <DivFixppCore::avi_header_fix()+3539>
    eflags         0x246               [ PF ZF IF ]
    cs             0x33                51
    ss             0x2b                43
    ds             0x0                 0
    es             0x0                 0
    fs             0x0                 0
    gs             0x0                 0
    (gdb)
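The register dump shows the memcpy destination rdi = 0x10 with length rdx = 4: the pointer loaded from the object at offset 0x38 (`mov 0x38(%rdx),%rdx` followed by `lea 0x10(%rdx),%rcx`) was NULL, so the crafted file leaves a header pointer unset before the fix-up writes 4 bytes through it. The C code below is an added example, not DivFix++ code: a hypothetical bounds-checked header fix that locates the avih chunk before patching it and refuses malformed input instead of writing through a missing header. The patched field (dwTotalFrames at offset 16 of the avih payload) is an assumption chosen to match the +0x10 write in the disassembly.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }

/* Offset of the avih payload, or -1 if the header is absent, truncated or oversized. */
long find_avih(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "AVI ", 4)) return -1;
    for (size_t off = 12; off + 8 <= len; ) {
        uint32_t size = rd32(buf + off + 4);
        if (size > len - off - 8) return -1;            /* chunk claims more bytes than the file has */
        if (!memcmp(buf + off, "LIST", 4) && size >= 4 && !memcmp(buf + off + 8, "hdrl", 4)) {
            size_t in = off + 12, end = off + 8 + size;
            while (in + 8 <= end) {
                uint32_t csz = rd32(buf + in + 4);
                if (csz > end - in - 8) return -1;      /* sub-chunk overruns its LIST */
                if (!memcmp(buf + in, "avih", 4)) return csz >= 56 ? (long)(in + 8) : -1;
                in += 8 + csz + (csz & 1);              /* RIFF chunks are word-aligned */
            }
            return -1;                                  /* hdrl list without an avih chunk */
        }
        off += 8 + size + (size & 1);
    }
    return -1;
}

/* Rewrite dwTotalFrames (assumed target: offset 16 of avih, matching the +0x10 write above).
 * Returns 0 on success, -1 when there is no valid header to patch. */
int avi_header_fix_safe(uint8_t *buf, size_t len, uint32_t total_frames) {
    long h = find_avih(buf, len);
    if (h < 0) return -1;                               /* refuse instead of writing through a bad pointer */
    wr32(buf + h + 16, total_frames);
    return 0;
}

/* Runs the safe fix on a constructed sample (minimal RIFF/AVI; optionally without avih, or with a
 * LIST size that overruns the file) and returns dwTotalFrames read back, or -1 when the fix was refused. */
long demo(int with_avih, int overrun) {
    static const uint8_t avih_hdr[8] = { 'a', 'v', 'i', 'h', 56, 0, 0, 0 };
    uint8_t f[88];
    size_t n = 24;
    memcpy(f, "RIFF\0\0\0\0AVI LIST\0\0\0\0hdrl", 24);
    if (with_avih) { memcpy(f + 24, avih_hdr, 8); memset(f + 32, 0, 56); n = 88; }
    wr32(f + 4, (uint32_t)n - 8);
    wr32(f + 16, overrun ? 0x1000 : (uint32_t)n - 20);
    if (avi_header_fix_safe(f, n, 1234) < 0) return -1;
    return rd32(f + find_avih(f, n) + 16);
}
```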
    
    
    POC:
    DivFix++_v0.34_invalid_memory_write.avi
    CVE:
    CVE-2017-11330
    
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42396.zip