-------------------------------------------------------------------
LEGAL STATEMENT:
The information contained in this mail message is confidential.
The information contained in this mail message is a trade
secret of mine and is protected under law.
Basically: You're not allowed to read or use or act upon the information
contained in this message unless you fall into a
category who are specifically allowed to.
1. People/entities with any formal relationship with Microsoft are
not allowed to read the content of this message.
2. People who do not fall into category 1 are allowed to do anything
they like but are not allowed to bypass this information forward.
--------------------------------------------------------------------
RANDOM RANT:
You know, somebody's got to take care of the client side.
--------------------------------------------------------------------
REVELATION:
HREF attribute of BANNER tag can be abused to smash our lovely stack.
This information applies to Media Player 6.4 at least.
You can try it out with your version at http://mediaplayerbug.tripod.com/.
Known status of different versions of dxmasf.dll:
Invulnerable: Size 427280 bytes. Time stamp 0x35ed5d3d. (From Finnish SP4
CD.)
Vulnerable: Size 498960 bytes. Time stamp 0x382cbe58. (From mpfull.exe
version 6.4. dunno more.)
Vulnerable: Size 525008 bytes. Time stamp 0x3a2ed2f1. (The patched version
that comes in wmqfe33955.exe.)
(Got the time stamps using File Viewer.)
As for the .asx attachment, it won't work as it is. You've
got to edit it to refer to a valid .asf/.avi file. I didn't want to waste
bandwidth. It is a text file so that should not be too much trouble.
Umm. Analysis.txt is at Tripod too, no link to it though. Guess the
URL if you need it. :)
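A defender-side check for the attribute named above, added here as an example (not code from the original post or its attachments): it scans an .asx playlist for BANNER start tags and flags any whose HREF exceeds a length limit. The limit of 0x104 (260, MAX_PATH) is an assumption; it is the size argument the SP4 trace passes to URLMON, but the post never states the overflowing buffer's size. The sample playlists are constructed.

```python
import re
from typing import List, Tuple

# Assumption: the post never states the overflowing buffer's size. 0x104 (260, MAX_PATH)
# is the size argument the SP4 trace passes to URLMON, so it is used here as the limit.
MAX_HREF_LEN = 0x104

# .asx tags are case-insensitive and files are often not well-formed XML, so scan with
# regexes rather than an XML parser.
_BANNER_TAG = re.compile(r"<\s*BANNER\b([^>]*)>", re.IGNORECASE | re.DOTALL)
_HREF_ATTR = re.compile(
    r"""\bHREF\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE | re.DOTALL
)


def banner_hrefs(asx_text: str) -> List[str]:
    """Return the HREF value of every BANNER start tag, in document order."""
    hrefs = []
    for tag in _BANNER_TAG.finditer(asx_text):
        attr = _HREF_ATTR.search(tag.group(1))
        if attr:
            # whichever quoting style matched carries the value
            hrefs.append(next(v for v in attr.groups() if v is not None))
    return hrefs


def suspicious_banners(asx_text: str, limit: int = MAX_HREF_LEN) -> List[Tuple[int, int]]:
    """Return (banner_index, href_length) for every BANNER HREF longer than limit."""
    return [(i, len(h)) for i, h in enumerate(banner_hrefs(asx_text)) if len(h) > limit]


# Constructed samples: a normal playlist and one with an oversized BANNER HREF.
BENIGN_ASX = """<ASX version="3.0">
  <Entry>
    <Ref href="http://example.invalid/clip.asf" />
    <Banner href="http://example.invalid/banner.gif">
      <MoreInfo href="http://example.invalid/" />
    </Banner>
  </Entry>
</ASX>"""

OVERSIZED_ASX = BENIGN_ASX.replace(
    "http://example.invalid/banner.gif", "http://example.invalid/" + "A" * 600
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_ASX), ("oversized", OVERSIZED_ASX)):
        print(name, suspicious_banners(doc))
```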
Some nice analysis data is attached. These are in no way complete and even
some false information might appear here or there.
--8<------------------------Cut-here---------------------------8<-------------
Execution path of DXMASF.DLL (Time stamp 0x3a2ed2f1.) in detail follows.
This is the recently patched one.
1D3612BD : MSDXM!0x1D3197F0( 0x00298678, 0x0009e724, 0x002a015c ) {
1D3197F0 :
1D319843 : Kernel32!LoadLibraryA("dxmasf.dll")
1D319858 : Kernel32!GetProcAddress("UtilLoadImage",0x11f00000,0)
1D31987A : Kernel32!0x77F350A3(0,0,0x9e724,-1,0x6f13c,0x825,0,0)
1D319895 : DXMASF!UtilLoadImage( ? )
1FF26708 :
1FF26731 : 1FF26A97()
1FF2673C : 1FF26AA1()
1FF26AA1 :
1FF26AB5 : 1FF26C2A()
1FF26ACC : Kernel32!0x77F1297C() 1FF010D8
1FF26AD4 : 1FF3EFA6()
1FF26AE0 : Kernel32!0x77F127E6() 1FF0108C
1FF26AFE : 1FF3F3E8()
1FF26B44 : 1FF3F2B4()
1FF26B5C : 1FF3F260()
1FF26BB5 : Wininet!0x702079AB() 1FF012F0
1FF26BF3 : Kernel32!0x77F1297C() 1FF010D8
1FF26BFB : 1FF3EFA6()
1FF26C0C : Kernel32!0x77F127E6() 1FF0108C
1FF26C19 : } <- Let the parties begin!
1FF26741 :
1D319898 :
1D3612C0 :
--8<------------------------Cut-here---------------------------8<-------------
Execution path of DXMASF.DLL (Time stamp 0x382cbe58.) in detail follows.
1D319895 : DXMASF!UtilLoadImage( ? ) {
1FF26716 :
1FF2674A : 1FF26AAF( x ) {
1FF26ADA : Kernel32!0x77F1297C( x ) 1FF010D8
1FF26AE2 : 1FF3EFB6()
1FF26AEE : Kernel32!0x77F127E6() 1FF0108C
1FF26B0C : 1FF3F3F8() (retrieve the string address at heap?)
1FF26B3B : movs
1FF26B52 : 1FF3F2C4:7801FAAD:fopen() (fails)
1FF26B6A : 1FF3F270:780252FE:strrchr() (strip "C:\")
1FF26BAC : movs
1FF26BC3 : WININET!0x702079AB() 1FF012F0 (check whether it's a URL?)
1FF26BE8 : movs (copy back the stripped string)
1FF26C01 : Kernel32!0x77F1297C() 1FF010D8
1FF26C09 : 1FF3EFB6:780037CA:new()
1FF26C1A : Kernel32!0x77F127E6() 1FF0108C
1FF26C27 : } <- Let the parties begin!
1FF2674F :
}
1D319898 :
--8<------------------------Cut-here---------------------------8<-------------
Execution path of DXMASF.DLL (Time stamp 0x35ed5d3d.) in detail follows.
This is the SP4 one.
1D319895 : DXMASF!UtilLoadImage=1FF34CCD() {
1FF34CF6 : 1FF3505C() (dummy init)
1FF34D01 : 1FF35066( 0x0006F13C ) {
1FF3507A : 1FF351BF()
1FF35091 : Kernel32!0x77F1297C( 0x0006F13C ) 1FF010E8
1FF35099 : 1FF368A6:780037CA:new( 0x178 ) 1FF011E8
1FF350A5 : Kernel32!0x77F127E6( heapbuf(0x002A8C90), 0x0006F13C ) 1FF01080
{
77F1282F : movs
}
1FF350AB :
1FF350C4 : URLMON!0x702B7BC2( 0, 0x2A8C90, 0x6EFA0, 0x104 ) 1FF01328 {
702B7BE0 : Kernel32!0x77F1297C() (strlen)
702B7BF1 : URLMON!0x702B753C( 0x44 )
702B7C15 : to_wide_char( 0, 0, 0x2A8FD0, -1, 0x6EDF0 ) 702712B8
702B7C26 : OLE32!0x77B2122C( 0x208, 0x6EDF0 )
702B7C44 : 702B77F8()
702B7C65 : Kernel32!0x77F12AE7()
702B7C72 : Kernel32!0x77F350A3()
}
1FF350EB : 1FF36D9E:7801FAAD:fopen( 0x6EFA0, 0x1FF057A0 )
1FF350CF : 1FF368A0:78003C6E:delete( 0x2A8C90 ) 1FF011E0
}
1D319898 :
--8<------------------------Cut-here---------------------------8<-------------
Money_is_wrong.asx