Flash Movie Player v1.5 File Magic Crash

vendor:

Flash Movie Player

by:

Matthew Bergin

9,3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Flash Movie Player

Affected Version From: 1.5

Affected Version To: 1.5

Patch Exists: YES

Related CWE: N/A

CPE: a:eolsoft:flash_movie_player

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2010

Flash Movie Player v1.5 File Magic Crash

Flash Movie Player is a free stand-alone player for ShockWave Flash (SWF) animations, based on the Macromedia Flash Player plugin. A buffer overflow vulnerability exists in the software when a specially crafted SWF file is processed, allowing an attacker to execute arbitrary code. The vulnerability is triggered when the first byte of a SWF file is replaced with any other character.

Mitigation:

Update to the latest version of Flash Movie Player.

Source

Exploit-DB raw data:

Flash Movie Player v1.5 File Magic Crash
http://www.eolsoft.com/
http://www.eolsoft.com/freeware/flash_movie_player/

Author: Matthew Bergin
Website: http://berginpentesting.com
Date: August 25, 2010

Description: Flash Movie Player is a free stand-alone player for ShockWave Flash (SWF) animations, based on the Macromedia Flash Player plugin. In addition to all Macromedia Flash Player abilities, it has some extended features, such as animation rewinding, advanced full screen mode, playlists, browser cache integration and exe projectors support. 

The software is provided "AS IS" without any warranty, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The author will not be liable for any special, incidental, consequential or indirect damages due to loss of data or any other reason. You are welcome to use this software without paying any kind of fee.

Flash Information
Plugin: Adobe Flash Player 10.1 r52
Version: 10.1.52.14
File: C:\WINDOWS\system32\Macromed\Flash\Flash10g.ocx
Operating System: Windows XP SP3

Bug Information:
Exception at UNKNOWN_VALUE: 0x0EEDFADE
0x0EEDFADE - Delphi exception was caught by one of the RTL's default C++ exception handlers.
#1 7C812AFB : RaiseException (RaiseException) 00491EFE (0012E8B0/00000000) C:\WINDOWS\system32\advapi32.dll
#2 00491EFE : 00491F34 (0012E908/00000000) 
#3 00491F34 : 0049552E (0012E914/00000000) 
#4 0049552E : 004953BE (0012E954/00000000) 
#5 004953BE : 004B99BA (0012E96C/00000000) 
#6 004B99BA : 00495925 (0012E9A4/00000000) 
#7 00495925 : 004947AE (0012E9DC/00000000) 
#8 004947AE : 1018D704 (0012E9F0/00000000) 
#9 1018D704 : 10193E91 (0012EA38/00000000) .text
#10 10193E91 : FFFFFFFF (0012EADC/00000000) .text
#11 FFFFFFFF : 00000000 (FFFF4000/00000000) C:\WINDOWS\system32\kernel32.dll

Reproducing this bug:

Reproduction is very simple. The first 3 bytes of any SWF file is FWS, to reproduce the issue we need to replace the first byte 'F' with an '`' to make the magic look like '`WS' and load this file into Flash Movie Player.

POC: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14767.tar.gz