PotPlayer Audio(.wav) File Vulnerabilitiy

PotPlayer Audio(.wav) File Exploit Vulnerability

( Remote Code Execution )

CVE-2018-16797

Tested Version : PotPlayer 1.7.8556 (32bit) - PotPlayer.exe, PotPlayerMini.exe

Tested OS : Windows 7 Pro, Windows 7 Home K (reliable 100%)

1. Wav Header

This is a Wav File Format and the problematic registers are three.

BytesPerSec : used to make PotPlayer use large sized heap buffers (Src&Dst heap)

SamplesPerSec : used to control Size of Source heap.

data chunk size : used to control Size of Destination heap.

So First, edit BytesPerSec to big. ex) 0x11111111 and set SamplersPerSec to big and Data_Chunk_Size to small. Then heap buffer overflow is occurred.

2. Function table info for EIP control.

( in PotPlayer.dll )

The function pointer I choose for EIP control is part of ffcodec. EIP is controlled when the "call eax" command is called.

※ When come here, the EDI register has the starting address of the destination heap. A suitable place to Exploit~!

Check the function table info. This is a heap area and LFH flag is enabled.

(LFH Size : 0x2a8, Requested size : 0x2a0)

The depth of the lfh heap of 0x2a8 is just 0x10. Since I was tested in Windows 7, the destination heap can be overwritten if there is a chunk that precedes ffcodec function table.

Then, Let's get the same lfh chunk to the Dst Heap.

3. Control Size of Destination Heap

( in PotPlayer.dll )

Let's look at how to get the destination heap size. The value of 0x02 seems a fixed value. so 0x02*4==0x08 also fixed value. What we have to see here is the value of SamplesPerSec header.

In short, the formula for the Dst heap size is ( (imul SamplesPerSec, 0x08) shl 2 ) + 0x100000.

Ignore the last BP, (sar ebp,2) because when the heap is allocated, being multiplied by 4 again.

Let's make a value of 0x000002a0 for Dst Heap Size. Because the LFH Heap Size for EIP control is 0x2a8 (requested 0x2a0). The answer is to set the SamplesPerSec header value to ffff8015.

Check below.

imul 0x08, ffff8015 == imul 0x08, -7FEB == -3FF58 == FFFC00A8

shl FFFC00A8, 2 == FFF002A0

lea eax, [FFF002A0+0x100000] == 1(bye~!) 000002a0

Change SamplesPerSec header to FFFF8015 for to overwrite LFH chunk of ffcodec.

Then we always get a block allocated before the third stage than ffcodec function table.

EIP register is controlled if we can overwrite 4 blocks of lfh blcok size of 0x2a8.

Finally we have controlled the EIP register. 43673000="Cg0" is a part of 'pattern' in metasploit.

4. Control Size of Source heap and Values for shellcode

First, the file data is moved to the heap.

The first falsification. Simply convert double precision floating point to single precision floating points. And here you can see that the source heap size is half that of the data chunk header. ( Modulation varies depending on the type of sample file bit. )

This is the second modulation. It's a little complicated, but it's bypassable anyway, so let's just look at the bypass process.

If the largest value in the 400 samples is greater than the value from the image, the second modulation is not reflected.

Because I used a 64bit file, it is 8 bytes per sample. As mentioned above, it is somewhat complex, so let's use the calculated values in a fixed way. Put 00000004333346 in the file for every 400h samples.