Wednesday, 29 April 2015

AIMP v3.60.1470 - Denial of Service [Crash]

AIMP v3.60.1470 - Denial of Service and Memory Corruption Vulnerability
# Exploit Title: [AIMP v3.60.1470 - Denial of Service]
# Date: [23/01/2015]
# Exploit Author: [Kapil Soni (Haxinos)]
# Twitter: @Haxinos
# Vendor Homepage: []
# Software Link: []
# Version: [AIMP 3.60.1470]
# Tested on: [Windows XP SP2]

Product Information:

    **Multi-format Playback:
    .CDA, .AAC, .AC3, .APE, .DTS, .FLAC, .IT, .MIDI, .MO3, .MOD, .M4A, .M4B, .MP1, .MP2, .MP3,
    .MPC, .MTM, .OFR, .OGG, .OPUS, .RMI, .S3M, .SPX, .TAK, .TTA, .UMX, .WAV, .WMA, .WV, .XM

    **Output supports
    DirectSound / ASIO / WASAPI / WASAPI Exclusive

    **18-band equalizer and built-in sound effects
    Reverb, Flanger, Chorus, Pitch, Tempo, Echo, Speed, Bass, Enhancer, Voice Remover
    32-bit audio processing
    For the best quality!

    **Work with multiple playlists
    While one plays - you work with another
    **Internet radio
    Listen to internet radio stations in OGG / WAV / MP3 / AAC / AAC+ formats
    Capture streams to APE, FLAC, OGG, WAV, WV, WMA and MP3 formats
    Capture streams as-is for MP3 / AAC / AAC+ formats

    **Work with several playlists:
    Individual appearance settings for every playlist
    Ability to lock playlist content against changes
    Ability to synchronize playlist content with a folder or another playlist

    **Multithreaded encoding
    Several encoding modes
    Single source - single result / All sources - single result (with the ability to generate a CUE sheet)
    Encode to popular formats
    Encode to APE, MP3, FLAC, OGG, WAV, WMA, MusePack and WavPack formats

    **Audio CD Grabber
    Allows you to import audio data from an Audio CD
    Ability to change the format of the input audio stream
    Shut down the computer after the conversion operation

    **Audio Library
    A music file organizer that lets you easily organize your music, mark tracks as listened and keep playback statistics.

    **Alarm Clock
    You can choose the playback start time of a selected track, with a smooth volume increase.
    Waking the computer from sleep mode is supported.

    **Auto shutdown the computer
    You can fall asleep while listening to your favorite music; just set the timer to shut down the computer at a given time or when playback finishes.

Debugging & Error Logs:
(7d8.1fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=024a2340 ebx=00420070 ecx=00410041 edx=00410041 esi=02492310 edi=004186e4
eip=00577e73 esp=0012fbe0 ebp=0012fc54 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\AIMP3\AIMP.Runtime.dll -
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\AIMP3\AIMP3.exe
00577e73 8911            mov     dword ptr [ecx],edx  ds:0023:00410041=004101c9
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
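The register dump above is more informative than a plain crash: ecx and edx both hold 00410041, which is the bytes 41 00 41 00, i.e. the string "AA" in UTF-16LE, and the faulting instruction `mov dword ptr [ecx],edx` writes through ecx. In other words the overlong playlist name has become both the address and the value of a memory write, which is why the advisory calls this memory corruption rather than a simple denial of service. The following Python script is an added triage example, not part of the original advisory or of AIMP; it parses the WinDbg lines quoted above (embedded as a constructed sample), determines whether the faulting access is a read or a write, which register supplied the bad address, and which registers are made of a repeated input character. The register-line and disassembly-line regexes assume WinDbg's 32-bit output layout, and the read/write heuristic (first operand of a mov-style instruction is the destination) is this example's own simplification.

```python
import re
import struct

# Constructed sample: the register dump and faulting instruction are copied
# from the advisory's WinDbg output (only the lines the triage needs).
SAMPLE_DUMP = """\
(7d8.1fc): Access violation - code c0000005 (first chance)
eax=024a2340 ebx=00420070 ecx=00410041 edx=00410041 esi=02492310 edi=004186e4
eip=00577e73 esp=0012fbe0 ebp=0012fc54 iopl=0         nv up ei pl zr na pe nc
00577e73 8911            mov     dword ptr [ecx],edx  ds:0023:00410041=004101c9
"""

# "name=hex" pairs on the register lines.
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
# "<address> <opcode bytes> <mnemonic> <operands...>" disassembly line.
INSN_RE = re.compile(r"^([0-9a-f]{8})\s+[0-9a-f]+\s+(\w+)\s+(.+?)\s*$", re.M)
# A memory operand such as "[ecx]" or "[esi+4]"; group 1 is the base register.
MEM_RE = re.compile(r"\[(eax|ebx|ecx|edx|esi|edi|esp|ebp)(?:[+-][^\]]*)?\]")


def parse_registers(dump):
    """Return {register: int} for every 32-bit register printed in the dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}


def repeated_input_char(value):
    """If a 32-bit value is the same printable ASCII character twice in
    UTF-16LE (e.g. 0x00410041 == 'AA'), return that character, else None."""
    text = struct.pack("<I", value).decode("utf-16-le", errors="replace")
    if len(text) == 2 and text[0] == text[1] and 0x20 <= ord(text[0]) < 0x7F:
        return text[0]
    return None


def classify_fault(dump):
    """Triage an x86 access violation: direction of the faulting access,
    which register supplied the bad address, and whether that address and
    any other registers are built from a repeated input character."""
    regs = parse_registers(dump)
    eip = regs.get("eip")
    insn = next((m for m in INSN_RE.finditer(dump) if int(m.group(1), 16) == eip), None)
    tainted = {r: c for r, v in regs.items() if (c := repeated_input_char(v))}
    if insn is None:
        return {"kind": "unknown", "tainted_registers": tainted}
    mnemonic = insn.group(2)
    # WinDbg appends "ds:0023:<addr>=<value>" after two spaces; drop it.
    operands = re.split(r"\s{2,}", insn.group(3))[0]
    ops = [op.strip() for op in operands.split(",")]
    mem = [(i, m) for i, m in ((i, MEM_RE.search(op)) for i, op in enumerate(ops)) if m]
    if not mem:
        return {"kind": "non-memory", "instruction": f"{mnemonic} {operands}",
                "tainted_registers": tainted}
    idx, m = mem[0]
    base = m.group(1)
    # Heuristic: for mov-style instructions the first operand is the
    # destination, so a memory operand there means the access is a write.
    kind = "write" if idx == 0 and mnemonic not in ("cmp", "test") else "read"
    return {
        "kind": kind,
        "instruction": f"{mnemonic} {operands}",
        "base_register": base,
        "target_address": regs[base],
        "input_pattern": repeated_input_char(regs[base]),
        "tainted_registers": tainted,
    }


if __name__ == "__main__":
    result = classify_fault(SAMPLE_DUMP)
    for key, value in result.items():
        print(f"{key}: {value:#010x}" if key == "target_address" else f"{key}: {value}")
```

Run against the advisory's dump this reports a write through ecx to 0x00410041 with input pattern "A" and ecx and edx both tainted. A write access violation whose target address is derived from input is the distinction a triager draws before labelling a crash "DoS only": it shows the input overwrote a pointer, and the same class of fault is what a fuzzing harness or crash-dedup pipeline should rank above plain read faults when prioritising which cases to hand to a developer for a fix.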

Steps to Reproduce (Access Violation):
1) Open AIMP and rename the current playlist (or press Alt+R).
2) Enter "A" 40000 times or more as the name and click OK.
3) Press Ctrl+S to save the playlist; the application crashes.

Exploitation Technique:
Local (Overflow, Crash PoC)


Kapil Soni (@Haxinos)

