exploit the possibilities

J. River Media Jukebox 12 Heap Overflow

J. River Media Jukebox 12 Heap Overflow
Posted Mar 5, 2010
Authored by LiquidWorm

J. River Media Jukebox 12 suffers from a MP3 file handling remote heap overflow vulnerability.

tags | advisory, remote, overflow
MD5 | 4ef3d7f8666627eda39eb3258ecd945a

J. River Media Jukebox 12 Heap Overflow

Change Mirror Download

J. River Media Jukebox 12 MP3 File Handling Remote Heap Overflow PoC


Summary: Media Jukebox 12 is a media player application for playing various media
files on a Windows machine.

Desc: Media Jukebox 12 suffers from a heap overflow vulnerability when processing
.mp3 files and its metadata (ID3 tags). When a malicious .mp3 file is played
the application pops out an error message and crashes. The ECX register gets
overwritten allowing the attacker the possibility of system access remotely
or localy.

Product web page: http://www.mediajukebox.com

Vendor: J.River, Inc.

Tested on: Microsoft Windows Professional XP SP3 (English)

Version tested: 12.0.49



Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

gjoko ! zeroscience ! mk

Zero Science Lab - http://www.zeroscience.mk

Advisory: http://zeroscience.mk/en/vulnerabilities/ZSL-2010-4930.php

Vulnerability discovered on: 28.02.1010


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-windbg-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


(8c0.858): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=03643868 ecx=0b1d6000 edx=0b2e7d5c esi=00000000 edi=0b323468
eip=0ae2545f esp=0012dc80 ebp=0012dda0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
in_mp3!GetFileInfo+0x3bfcf:
0ae2545f 668901 mov word ptr [ecx],ax ds:0023:0b1d6000=????
0:000> g
Heap corruption detected at 0B1D5018
(8c0.858): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b1d3008 ebx=06f40178 ecx=41414141 edx=8b5f0000 esi=0b1d3000 edi=06f40000
eip=7c9108d3 esp=0012d1d8 ebp=0012d294 iopl=0 nv up ei pl nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010203
ntdll!wcsncpy+0x374:
7c9108d3 8902 mov dword ptr [edx],eax ds:0023:8b5f0000=????????


=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-windbg-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=


PoC:

http://zeroscience.mk/codes/aimp2_evil.mp3
[mirror] http://milw0rm.com/sploits/2009-aimp2_evil.mp3
[mirror] http://securityreason.com/download/11/13


Note: Same old PoC code used in: AIMP, Mp3 Tag Assistant, Audio Editor Pro,
Zortam ID3 Tag Editor, Zortam MP3 Media Studio, Zortam Media Player,
Music Tag Editor, BS.Player, VLC Player, etc ;).

//EOF
Login or Register to add favorites

File Archive:

May 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    14 Files
  • 2
    May 2nd
    3 Files
  • 3
    May 3rd
    1 Files
  • 4
    May 4th
    18 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    21 Files
  • 7
    May 7th
    15 Files
  • 8
    May 8th
    19 Files
  • 9
    May 9th
    1 Files
  • 10
    May 10th
    2 Files
  • 11
    May 11th
    18 Files
  • 12
    May 12th
    39 Files
  • 13
    May 13th
    15 Files
  • 14
    May 14th
    17 Files
  • 15
    May 15th
    17 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    2 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    21 Files
  • 20
    May 20th
    15 Files
  • 21
    May 21st
    15 Files
  • 22
    May 22nd
    6 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close