forked from liquidworm/advisory
-
Notifications
You must be signed in to change notification settings - Fork 0
/
ZSL-2010-4930
72 lines (45 loc) · 2.48 KB
/
ZSL-2010-4930
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
J. River Media Jukebox 12 MP3 File Handling Remote Heap Overflow PoC
Summary: Media Jukebox 12 is a media player application for playing various media
files on a Windows machine.
Desc: Media Jukebox 12 suffers from a heap overflow vulnerability when processing
.mp3 files and its metadata (ID3 tags). When a malicious .mp3 file is played
the application pops out an error message and crashes. The ECX register gets
overwritten allowing the attacker the possibility of system access remotely
or localy.
Product web page: http://www.mediajukebox.com
Vendor: J.River, Inc.
Tested on: Microsoft Windows Professional XP SP3 (English)
Version tested: 12.0.49
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
gjoko ! zeroscience ! mk
Zero Science Lab - http://www.zeroscience.mk
Advisory: http://zeroscience.mk/en/vulnerabilities/ZSL-2010-4930.php
Vulnerability discovered on: 28.02.1010
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-windbg-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
(8c0.858): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=03643868 ecx=0b1d6000 edx=0b2e7d5c esi=00000000 edi=0b323468
eip=0ae2545f esp=0012dc80 ebp=0012dda0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
in_mp3!GetFileInfo+0x3bfcf:
0ae2545f 668901 mov word ptr [ecx],ax ds:0023:0b1d6000=????
0:000> g
Heap corruption detected at 0B1D5018
(8c0.858): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b1d3008 ebx=06f40178 ecx=41414141 edx=8b5f0000 esi=0b1d3000 edi=06f40000
eip=7c9108d3 esp=0012d1d8 ebp=0012d294 iopl=0 nv up ei pl nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010203
ntdll!wcsncpy+0x374:
7c9108d3 8902 mov dword ptr [edx],eax ds:0023:8b5f0000=????????
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-windbg-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
PoC:
http://www.zeroscience.mk/codes/aimp2_evil.mp3
[mirror] http://milw0rm.com/sploits/2009-aimp2_evil.mp3
[mirror] http://securityreason.com/download/11/13
Note: Same old PoC code used in: AIMP, Mp3 Tag Assistant, Audio Editor Pro,
Zortam ID3 Tag Editor, Zortam MP3 Media Studio, Zortam Media Player,
Music Tag Editor, BS.Player, VLC Player, etc ;).
//EOF