CVE-2009-1437: RCE in CoolPlayer+ <= 2.19.6 (Windows 10 Pro)


While preparing for the OSCE I found an exploit for CoolPlayer+ version 2.19.1 from 2009.
I decided to check whether this vulnerability still exists in the current software version (2.19.6) on my Windows 10 machine. The following post describes the exploit development.

1. Create PoC

I created a small Python script which writes a .m3u file containing 5000 "A" characters.

After attaching the program to a debugger and loading the file into CoolPlayer+, it crashed. EIP and some other registers were overwritten with my characters -> the vulnerability still exists.

2. Determine the Offsets

For the next step I created a cyclic pattern via

pattern_create -l 5000

replaced the "A" characters with it, and determined the offsets in Immunity Debugger with mona via

!mona findmsp

To verify this result I changed my exploit script to put "B"s at the EIP offset and reloaded the new file into CoolPlayer+.


EIP is overwritten with my "B"s, \x42 in hex.

3. Looking for jumps into my code cave

I examined the registers and noticed that EBX pointed into my buffer, making a jump via EBX the obvious choice. Using mona I found a suitable address via

!mona jmp -r ebx

I converted the address to little-endian byte order and replaced my four "B"s with it.

I loaded my new "malicious" file and set a breakpoint at the call ebx instruction, which leads straight into my capital "A" buffer.

4. Checking the possible Space

Now I checked how much space the buffer EBX points to offers for my shellcode.

Just 240 bytes -> too small for a payload such as a reverse shell. However, I noticed that my buffer of capital "C"s lies a few instructions past the end of my first buffer. So I decided to place a short jmp at the end of the first buffer to land in the "C" buffer.

5. Final Exploit

Finally I used a NOP sled and placed my shellcode after it (starting with \xd9\xeb\x9b\xd9\x74\x24).

And code execution!

You can find the final exploit here.
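As a defender-side complement to the steps above, here is an added example (not from the original post) that triages .m3u playlist files for the characteristics of this crash input: a single entry thousands of bytes long that carries non-printable bytes and a run of 0x90 NOPs. The thresholds and the sample playlists are assumptions constructed for the example.

```python
from typing import List, Tuple

# Assumed thresholds: no real path or URL approaches these sizes.
MAX_ENTRY_LEN = 1024
MIN_NOP_RUN = 16


def parse_m3u(data: bytes) -> List[bytes]:
    """Return playlist entries; '#' lines (#EXTM3U, #EXTINF) are metadata."""
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return [ln for ln in lines if ln and not ln.startswith(b"#")]


def entry_findings(entry: bytes) -> List[str]:
    """Heuristics matching the crash file described in the post: a single
    oversized entry that carries raw bytes and a NOP sled."""
    findings = []
    if len(entry) > MAX_ENTRY_LEN:
        findings.append(f"oversized entry ({len(entry)} bytes)")
    nonprint = sum(1 for b in entry if b < 0x20 or b > 0x7E)
    if nonprint:
        findings.append(f"{nonprint} non-printable bytes")
    if b"\x90" * MIN_NOP_RUN in entry:
        findings.append("run of 0x90 NOP bytes")
    return findings


def scan_m3u(data: bytes) -> List[Tuple[int, List[str]]]:
    """Return (entry index, findings) for each suspicious entry."""
    results = []
    for idx, entry in enumerate(parse_m3u(data)):
        found = entry_findings(entry)
        if found:
            results.append((idx, found))
    return results


# Constructed sample inputs (not real files): a normal playlist and a
# synthetic crash-style entry made of filler, a NOP run and a few raw bytes.
BENIGN = b"#EXTM3U\r\n#EXTINF:123,Song\r\nC:\\Music\\song.mp3\r\nhttp://example.org/a.mp3\r\n"
SUSPICIOUS = (b"#EXTM3U\n" + b"A" * 260 + b"BBBB" + b"\x90" * 32
              + b"\x00\xff\xd9\xeb" + b"C" * 4000 + b"\n")

if __name__ == "__main__":
    print(scan_m3u(BENIGN))       # []
    print(scan_m3u(SUSPICIOUS))   # [(0, ['oversized entry (4300 bytes)', ...])]
```

Such a scan only flags files for an analyst; a benign playlist yields no findings, while the crash-style input is reported on all three heuristics.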



17 thoughts on “CVE-2009-1437: RCE in CoolPlayer+ <= 2.19.6 (Windows 10 Pro)”

  • PaltroxRx Male Enhancement

    I don’t even know the way I finished up here, but I thought this post was once
    good. I do not realize who you might be but certainly
    you’re going to a well-known blogger for those who aren’t already.

    Cheers!

  • 바카라사이트추천

    I do agree with all of the ideas you’ve offered for your post.
    They are really convincing and can certainly work. Nonetheless, the posts are too short
    for starters. Could you please prolong them a little from
    next time? Thank you for the post.

  • keo nha cai

    Thanks for one’s marvelous posting! I seriously enjoyed reading it,
    you happen to be a great author. I will make sure
    to bookmark your blog and will eventually come back sometime soon. I want
    to encourage you to ultimately continue your great work, have a
    nice afternoon!

  • EnvytaLyfe

    Excellent read, I just passed this onto a colleague who was doing a little research on that.
    And he just bought me lunch because I found it for him smile So
    let me rephrase that: Thank you for lunch!

  • Primacin XL Review

    Hello, Neat post. There is a problem with your site in internet explorer,
    could check this? IE still is the marketplace chief and a big component of other folks
    will miss your magnificent writing due to this problem.

  • 3dcgstore 3d models

    Wonderful goods from you, man. I have taken into account your stuff prior to this and you are simply extremely magnificent.
    I actually like what you’ve bought right here, really like what you are saying and the way
    in which you assert it. You make it enjoyable and you still take care to keep it smart.
    I can’t wait to read much more from you. This is actually a wonderful site.

  • taxi hire London

    If someone wants to be updated with the most up-to-date technologies then he must pay a visit to this site and be up to date all the time.

  • cat hat

    That is a good tip especially to those new to the blogosphere.
    Brief but very accurate information? Many thanks for sharing this one.
    A must read article!

  • bet on Cheltenham gold cup

    I really like your blog.. very nice colors & theme.
    Did you create this website yourself or did you hire someone to do it for you?

    Please respond as I’m looking to create my own blog and
    would like to find out where you got this from. Appreciate it

  • 카지노사이트

    I think that what you posted made a great deal of sense. However, what about this?
    suppose you were to write an awesome title? I am
    not saying your content is not solid, but what if
    you added something to maybe get a person’s attention? I mean CVE-2009-1437:
    RCE in CoolPlayer+ – HanseSecure is kinda boring.
    You could peek at Yahoo’s home page and see how they create news headlines to get
    viewers interested. You might add a video or a picture or two to get readers excited about everything you’ve got to say.
    In my opinion, it could make your website a little livelier.

    • Flo @HanseSecure, post author

      Many thanks for the kind feedback. You are totally right about that point; I will try to find some time to optimize this!

      Regards
      Flo

  • cat hat

    Wow, wonderful blog layout! How long have you been blogging for?
    you make blogging look easy. The overall look of your site is magnificent, let
    alone the content!