Reversing MS13-057

October 25th, 2013, 09:08

It's my first post in this forum; I wish I can learn many things here.

As I wrote in the title, I got interested in the Microsoft patch MS13-057, which is a patch in the WMV file format. Has anyone here worked on this?

**I really don't want to write an exploit for it; I'm not sure if I can or not. Just a POC for triggering this bug and finding the answer to my question is enough.

So, I have downloaded the patch and extracted the patched module (WMVDECOD.dll on Windows XP with Media Player 11), then I diffed it against the .dll that I got from my Windows XP system (using IDA Pro and TurboDiff). I got 3 functions changed; after a quick review of those functions I guess I have found the vulnerable function. (You can find both the patched and unpatched DLLs in the attachment.)

Then I did an xref to from that vulnerable function; I got a list of functions that call this function!
I started Media Player with a simple WMV file; fortunately it hit my breakpoint on that vulnerable function.

So I started by tracing the function that I guessed is vulnerable. I set a breakpoint on the first instruction (using OllyDbg) and started checking all registers (Follow in Dump) and the stack to find a value from my WMV file. I dumped registers and searched random values from the Dump panel of Olly in a hex editor to see if I could find a value from my file in Media Player, but FAILED!!! I never found any value from program memory in the file.

I'm not even sure that this is the right way to do it!? (I have read something about taint analysis but never found a good tool.)

What is the next step for me to do?
How can I trace values in memory back to my file?
How can I find which value from which part of the file is coming into my vulnerable function?

Finally, is anyone interested in reversing this patch with me?

I tried to explain the exact thing that I have done in detail.
Thank you very much.
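The post above searches register values from the debugger in the input file by hand with a hex editor. The following Python script is an added example (not code from the original post or from any tool the poster names) that automates that triage step: it takes register values and a run of bytes copied from a memory dump, and reports which file offsets hold the same bytes. The sample file, register values and dump bytes are constructed for the example; the function names are the example's own.

```python
"""Locate where register values and dumped memory windows originate in an input file.

Heuristic helper for patch-diff triage: given values copied out of a debugger
(register contents, or a run of bytes from a memory dump), report which offsets
of the input file contain the same bytes. All sample data below is constructed.
"""
import struct


def find_int_offsets(data: bytes, value: int, widths=(4, 2)) -> list:
    """Return (offset, width, endianness) for each place `value` occurs in `data`.

    The value is searched as a 4-byte and a 2-byte integer in both byte orders.
    Zero, and values that do not fit a width, are skipped: they would match
    almost everywhere and tell you nothing about where the value came from.
    """
    hits = []
    if value == 0:
        return hits
    fmt_code = {4: "I", 2: "H"}
    for width in widths:
        if value >= 1 << (8 * width):
            continue
        for endian, prefix in (("little", "<"), ("big", ">")):
            needle = struct.pack(prefix + fmt_code[width], value)
            start = 0
            while True:
                idx = data.find(needle, start)
                if idx < 0:
                    break
                hits.append((idx, width, endian))
                start = idx + 1
    return hits


def find_dump_in_file(dump: bytes, data: bytes, window: int = 8) -> list:
    """Slide a `window`-byte chunk over the memory dump and find it in the file.

    Returns (dump_offset, file_offset) pairs. An eight-byte window is long
    enough that a match is unlikely to be a coincidence, unlike a single
    register value, which may be a parsed field rather than raw file bytes.
    """
    matches = []
    for d_off in range(0, len(dump) - window + 1):
        chunk = dump[d_off:d_off + window]
        f_off = data.find(chunk)
        if f_off >= 0:
            matches.append((d_off, f_off))
    return matches


def correlate_registers(data: bytes, regs: dict) -> dict:
    """Map each register name to the file offsets that hold its value."""
    return {name: find_int_offsets(data, val) for name, val in regs.items()}


# Constructed stand-in for the input file: a fake header, a 4-byte field,
# a 2-byte field, then a payload that a decoder would copy into memory.
SAMPLE_FILE = (
    b"CONSTRUCTED-HEADER\x00\x00"          # offsets 0..19
    + struct.pack("<I", 0x1234)            # offset 20: 4-byte little-endian field
    + struct.pack("<H", 0xBEEF)            # offset 24: 2-byte little-endian field
    + b"payload-bytes-that-get-copied-into-memory"   # offset 26 onward
    + b"\x00" * 8
)

# Constructed register snapshot as one would copy it from the debugger.
SAMPLE_REGS = {"EAX": 0x1234, "ECX": 0xBEEF, "EDX": 0x0, "ESI": 0xCAFEBABE}

# Constructed bytes copied from a "Follow in Dump" window: some unrelated
# bytes, then a slice of the file payload, then unrelated bytes again.
SAMPLE_DUMP = b"\x00\x10\x40\x00" + b"payload-bytes-th" + b"\xff\xff"


if __name__ == "__main__":
    for reg, hits in correlate_registers(SAMPLE_FILE, SAMPLE_REGS).items():
        print(reg, "->", hits or "no match (value may be derived, not raw file bytes)")
    for d_off, f_off in find_dump_in_file(SAMPLE_DUMP, SAMPLE_FILE):
        print(f"dump+0x{d_off:x} matches file offset 0x{f_off:x}")
```

A register that never matches the file is normal: decoders usually hold parsed or scaled fields, lengths and pointers, not raw bytes. The dump-window search is more useful, because it finds the buffer the file contents were copied into; once that buffer is known, a memory breakpoint on it shows which function consumes the data.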