Windows mplay32 buffer overflow

Microsoft is aware of the vulnerability.

Since this successful remote exploitation of this vulnerability depends
on other mitigating factors, Microsoft believes it is not worthy of a
bulletin. This overflow will be fixed in XP service pack 1.

I will explain my understanding of the vulnerability. Perhaps someone
can discover another way to exploit this executable without the other
mitigating factors…

mplay32.exe – found in system32 directory – suffers from a buffer
overflow. If the exe is called with a file name equal to or longer than
279 characters, EIP is overwritten.

Exploit:

Open a command prompt.
mplay32.exe A<x279>.mp3

Note: This is a unicode overflow. EIP now equals 0x00410041.

The executable runs in the user context. Privilege escalation is not an
issue. Count out the possibility of a local vulnerability.

Can this be executed remotely? With certain mitigating factors.

On an unpatched IIS server we can call

/scripts/…%255c…%255cwinnt/system32.exe?/A<x279>.mp3

and set EIP to 0x00410041. (I'm not giving further details of what to do
next, but the information is available on the internet.)

I tried to load mplay32.exe with the <object> tags but could not get it
to parse the file extension. Perhaps others will have better luck. :)

I leave everyone with the exciting possibility that there is potential
for this to be remotely exploitable. Good luck.

'ken'@FTU

–
"I grew convinced that truth, sincerity and integrity in dealings
between man and man were of the utmost importance to the felicity of
life, and I formed a written resolution to practise them ever while I
lived."
-Benjamin Franklin, The Autobiography of Benjamin Franklin