DivFix++ denial of service vulnerability
================

Author: qflb.wu
===============

Introduction:
=============
DivFix++ is a free AVI video fix & preview program.

Affected version:
=====
v0.34

Vulnerability Description:
==========================
The DivFixppCore::avi_header_fix function in src/DivFix++Core.cpp in DivFix++ v0.34 can cause a denial of service (invalid memory write and application crash) via a crafted AVI file.

./DivFix++ -i DivFix++_v0.34_invalid_memory_write.avi -o out.avi

----debug info:----
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
167 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
#1  0x00000000004239d8 in DivFixppCore::avi_header_fix() ()
#2  0x000000000042c0c0 in DivFixppCore::Fix(wxString, wxString, bool, bool, bool, bool) ()
#3  0x000000000041404a in DivFixppApp::OnCmdLineParsed(wxCmdLineParser&) ()
#4  0x0000000000414f6e in DivFixppApp::OnInit() ()
#5  0x0000000000416f4f in wxAppConsoleBase::CallOnInit() ()
#6  0x00007ffff6c6903c in wxEntry(int&, wchar_t**) () from /usr/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0
#7  0x0000000000411e70 in main ()
(gdb)
-------------------
(gdb) disassemble 0x00000000004239b0,0x00000000004239df
Dump of assembler code from 0x4239b0 to 0x4239df:
   0x00000000004239b0 <_ZN12DivFixppCore14avi_header_fixEv+3504>: add    %al,(%rax)
   0x00000000004239b2 <_ZN12DivFixppCore14avi_header_fixEv+3506>: mov    %eax,%edi
   0x00000000004239b4 <_ZN12DivFixppCore14avi_header_fixEv+3508>: callq  0x434eaf <_Z17make_littleendianIiERT_S0_>
   0x00000000004239b9 <_ZN12DivFixppCore14avi_header_fixEv+3513>: mov    -0x138(%rbp),%rdx
   0x00000000004239c0 <_ZN12DivFixppCore14avi_header_fixEv+3520>: mov    0x38(%rdx),%rdx
   0x00000000004239c4 <_ZN12DivFixppCore14avi_header_fixEv+3524>: lea    0x10(%rdx),%rcx
   0x00000000004239c8 <_ZN12DivFixppCore14avi_header_fixEv+3528>: mov    $0x4,%edx
   0x00000000004239cd <_ZN12DivFixppCore14avi_header_fixEv+3533>: mov    %rax,%rsi
   0x00000000004239d0 <_ZN12DivFixppCore14avi_header_fixEv+3536>: mov    %rcx,%rdi
=> 0x00000000004239d3 <_ZN12DivFixppCore14avi_header_fixEv+3539>: callq  0x40fcc0 <memcpy@plt>
   0x00000000004239d8 <_ZN12DivFixppCore14avi_header_fixEv+3544>: mov    -0x138(%rbp),%rax
---Type <return> to continue, or q <return> to quit---
End of assembler dump.
(gdb) i r
rax            0x661528            6690088
rbx            0x0                 0
rcx            0x10                16
rdx            0x4                 4
rsi            0x661528            6690088
rdi            0x10                16
rbp            0x7fffffffcf10      0x7fffffffcf10
rsp            0x7fffffffcdd0      0x7fffffffcdd0
r8             0x804930            8407344
r9             0x7ffff7fc1a40      140737353882176
r10            0x640000006e        429496729710
r11            0x0                 0
r12            0x1                 1
r13            0x1                 1
r14            0x0                 0
r15            0x0                 0
rip            0x4239d3            0x4239d3 <DivFixppCore::avi_header_fix()+3539>
eflags         0x246               [ PF ZF IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
---Type <return> to continue, or q <return> to quit---
gs             0x0                 0
(gdb)

Reading the dump: at the faulting call the memcpy destination rdi is 0x10 and the length rdx is 4, and the destination was formed by `lea 0x10(%rdx),%rcx` from the pointer loaded at `0x38(%rdx)`, so this appears to be a 4-byte write through a near-NULL pointer (that field being zero for the crafted file), which is consistent with the crash/denial-of-service impact stated above rather than a controlled write.

POC:
DivFix++_v0.34_invalid_memory_write.avi

CVE:
CVE-2017-11330

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42396.zip