CVE-2009-1437: RCE in CoolPlayer+ <= 2.19.6 (Windows 10 Pro)


While preparing for the OSCE I found an exploit for CoolPlayer+ version 2.19.1 from 2009.
I decided to check whether this vulnerability still exists in the current software version (2.19.6) on my Windows 10 machine. The following post describes the exploit development.

1. Create PoC

I created a small Python script, which creates a .m3u file with 5000 "A" characters.

After attaching the program to a debugger and loading the file into CoolPlayer+, it crashed. EIP and some registers were overwritten with my characters, so the vulnerability still exists.

2. Determine the Offsets

For the next step I created a pattern via

pattern_create -l 5000

replaced the "A" characters with it and checked the offsets in Immunity Debugger with mona via

!mona findmsp

To verify this result I changed my exploit script and loaded the new file into CoolPlayer+ again.


EIP is overwritten with my "B"s, 0x42 in hex.

3. Looking for jumps into my code cave

I examined the space available around the registers and noticed that the ebx register would be a perfect place to jump to. Using mona I found a suitable address via

!mona jmp -r ebx

I converted the address into reverse (little-endian) byte order and replaced my four "B"s with it.

Loading my new "malicious" file and setting a breakpoint at the call ebx instruction led me into my buffer of capital "A"s.

4. Checking the possible Space

Now I checked the space available for my shellcode at ebx.

Just 240 bytes, too small for a payload such as a reverse shell. I noticed my buffer of capital "C"s a few instructions past the end of my first buffer, so I decided to place a short jmp at the end of my first buffer.

5. Final Exploit

Finally I used a NOP sled and placed my shellcode (starting with \xd9\xeb\x9b\xd9\x74\x24).

And code execution!

You can find the final exploit here.
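As an added example (not the post's own script), here is a defender-side triage check for the playlist format abused above: it flags .m3u entries whose length or raw bytes no legitimate path or URL would have. The two sample playlists are constructed for this example, and the 260-byte threshold (Windows MAX_PATH) is my assumption for what a sane entry looks like.

```python
"""Triage helper for .m3u playlists (added example; not code from the post).
The overflow above fired on a 5000-byte entry, so an entry far longer than any
real path, or one holding raw non-text bytes, is the cheapest signal to alert on."""
MAX_SANE_ENTRY = 260  # Windows MAX_PATH; legitimate playlist lines stay below it


def _entry_reasons(entry: bytes, max_len: int) -> list:
    """Return human-readable reasons an M3U entry looks hostile (empty if clean)."""
    reasons = []
    if len(entry) > max_len:
        reasons.append(f"entry length {len(entry)} exceeds {max_len}")
    try:
        text = entry.decode("utf-8")
    except UnicodeDecodeError as exc:
        # Return addresses and shellcode are raw bytes, not valid UTF-8 text.
        reasons.append(f"not valid UTF-8 at byte {exc.start} (0x{entry[exc.start]:02x})")
        return reasons
    ctrl = [c for c in text if ord(c) < 0x20 or ord(c) == 0x7F]
    if ctrl:
        reasons.append(f"{len(ctrl)} control characters (first 0x{ord(ctrl[0]):02x})")
    return reasons


def scan_m3u(data: bytes, max_len: int = MAX_SANE_ENTRY) -> list:
    """Scan a playlist; return one dict per suspicious entry.

    M3U is line oriented: lines starting with '#' are directives/comments
    (#EXTM3U, #EXTINF); every other non-empty line is a path or URL to play.
    """
    findings = []
    for line_no, raw in enumerate(data.splitlines(), start=1):
        entry = raw.strip()
        if not entry or entry.startswith(b"#"):
            continue
        reasons = _entry_reasons(entry, max_len)
        if reasons:
            findings.append({"line": line_no, "length": len(entry), "reasons": reasons})
    return findings


# Constructed samples: a normal playlist and one shaped like the PoC above
# (5000 filler bytes followed by raw non-text bytes where shellcode would sit).
BENIGN = b"#EXTM3U\n#EXTINF:123,Artist - Title\nC:\\Music\\track01.mp3\nhttp://example.invalid/stream.mp3\n"
SUSPICIOUS = b"#EXTM3U\n" + b"A" * 5000 + b"\xd9\xeb\x9b\xd9\x74\x24" + b"\n"
```

Run `scan_m3u(SUSPICIOUS)` to see the entry on line 2 reported twice over, once for its length and once for the invalid UTF-8 tail, while `scan_m3u(BENIGN)` returns an empty list.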

