PotPlayer Audio(.wav) File Exploit Vulnerability
(Remote Code Execution)Proof Of Concept1. Wav Header2. Function table info for EIP control.3. Control Size of Destination Heap4. Control Size of Source heap and Values for shellcode5. Make ShellCode & Exploit
PotPlayer Audio(.wav) File Exploit Vulnerability (Remote Code Execution)
Score : 7.8 HIGH
Proof Of Concept
Tested Version : PotPlayer 1.7.8556 (32bit) - PotPlayer.exe, PotPlayerMini.exe
Tested OS : Windows 7 Pro, Windows 7 Home K (reliable 100%)
1. Wav Header
This is a Wav File Format and the problematic registers are three.
BytesPerSec : used to make PotPlayer use large sized heap buffers (Src&Dst heap)
SamplesPerSec : used to control Size of Source heap.
data chunk size : used to control Size of Destination heap.
So First, edit BytesPerSec to big. ex) 0x11111111 and set SamplersPerSec to big and Data_Chunk_Size to small. Then heap buffer overflow is occurred.
2. Function table info for EIP control.
( in PotPlayer.dll )
The function pointer I choose for EIP control is part of ffcodec. EIP is controlled when the "call eax" command is called.
※ When come here, the EDI register has the starting address of the destination heap. A suitable place to Exploit~!
Check the function table info. This is a heap area and LFH flag is enabled.
(LFH Size : 0x2a8, Requested size : 0x2a0)
The depth of the lfh heap of 0x2a8 is just 0x10. Since I was tested in Windows 7, the destination heap can be overwritten if there is a chunk that precedes ffcodec function table.
Then, Let's get the same lfh chunk to the Dst Heap.
3. Control Size of Destination Heap
( in PotPlayer.dll )
Let's look at how to get the destination heap size. The value of 0x02 seems a fixed value. so 0x02*4==0x08 also fixed value. What we have to see here is the value of SamplesPerSec header.
In short, the formula for the Dst heap size is ( (imul SamplesPerSec, 0x08) shl 2 ) + 0x100000.
Ignore the last BP, (sar ebp,2) because when the heap is allocated, being multiplied by 4 again.
Let's make a value of 0x000002a0 for Dst Heap Size. Because the LFH Heap Size for EIP control is 0x2a8 (requested 0x2a0). The answer is to set the SamplesPerSec header value to ffff8015.
Check below.
imul 0x08, ffff8015; == imul 0x08 -7FEB == -3FF58 == FFFC00A8 shl FFFC00A8; 2 == FFF002A0 lea eax, [FFF002A0+0x100000]; == 1(overflow)000002a0
Change SamplesPerSec header to FFFF8015 for to overwrite LFH chunk of ffcodec.
Then we always get a block allocated before the third stage than ffcodec function table.
EIP register is controlled if we can overwrite 4 blocks of lfh blcok size of 0x2a8.
Finally we have controlled the EIP register. 43673000="Cg0" is a part of 'pattern' in metasploit.
4. Control Size of Source heap and Values for shellcode
First, the file data is moved to the heap.
The first falsification. Simply convert double precision floating point to single precision floating points. And here you can see that the source heap size is half that of the data chunk header. ( Modulation varies depending on the type of sample file bit. )
This is the second modulation. It's a little complicated, but it's bypassable anyway, so let's just look at the bypass process.
If the largest value in the 400 samples is greater than the value from the image, the second modulation is not reflected.
Because I used a 64bit file, it is 8 bytes per sample. As mentioned above, it is somewhat complex, so let's use the calculated values in a fixed way. Put 00000004333346 in the file for every 400h samples.
Keep the rest of the 3FFh samples intact except for one sample to prevent modulation.
The third modulation is to verify that the result value is between floating point 1 and -1.
[for bypass the third modulation]
First letter can | ASCII : 0 1 2 3 8 9 a b c d e f |
second letter can | ASCII : 0~F ★if F, third letter must be 0~7 |
5. Make ShellCode & Exploit
Finds a dll has no ASLR and no Rebase. ==> "DaumCrashHandler.dll"
Get a static address of command "call adi".
This is an shellcode for Calc.
1. Complete string with command "or 0x40" ---- "Calc" and "WinExec" Strings
2. getmodulehandle(kernel32.dll)
3. getfunctionaddr(WinExec)
4. WinExec("Calc")
Cannot create the calc and WinExec strings at once, these strings are completed during shell code execution with "or 40" command.
While running the shell code, the string is completed and finally the calculator runs.
Exploit Success~~!!