PotPlayer Audio(.wav) File Exploit Vulnerability

Tested Version : PotPlayer (32bit) - PotPlayer.exe, PotPlayerMini.exe
Tested OS : Windows 7 Pro, Windows 7 Home K (reliable 100%)

This is the WAV file format, and the three problematic header fields are:

BytesPerSec : used to make PotPlayer use large-sized heap buffers (Src & Dst heap).
Data chunk size : used to control the size of the destination heap.
SamplesPerSec : used to control the size of the source heap.

So first, set BytesPerSec to a big value, e.g. 0x11111111, set SamplesPerSec to a big value, and set Data_Chunk_Size to a small value.

The function pointer I chose for EIP control is part of ffcodec. EIP is controlled when the "call eax" instruction executes.

※ At this point, the EDI register holds the starting address of the destination heap.

Check the function table info. A suitable place to exploit~!

This is a heap area and the LFH flag is enabled. The depth of the 0x2a8 LFH bucket is just 0x10 (LFH size : 0x2a8, requested size : 0x2a0).

Since I tested on Windows 7, the destination heap can be overwritten if there is a chunk that precedes the ffcodec function table. Then, let's get the same LFH chunk for the Dst heap.

Let's look at how the destination heap size is derived. What we have to look at here is the value of the SamplesPerSec header. In short, the formula for the Dst heap size is ((imul SamplesPerSec, 0x08) shl 2) + 0x100000. Ignore the final sar ebp, 2 on EBP, because when the heap is allocated the value is multiplied by 4 again.

Let's make the Dst heap size 0x000002a0. Because the LFH heap size for EIP control is 0x2a8 (requested 0x2a0), the answer is to set the SamplesPerSec header value to ffff8015. Change the SamplesPerSec header to FFFF8015 to overwrite the LFH chunk of ffcodec.

000002a0

lea eax, = 1 (bye~!)