VUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit

Title: VUPlayer 2.49 M3U Playlist File Remote Buffer Overflow Exploit
Advisory ID: ZSL-2008-4893
Type: Local/Remote
Impact: System Access
Risk: (3/5)
Release Date: 18.08.2008
Summary
VUPlayer is a freeware multi-format audio player for Windows.
Description
VUPlayer 2.49 suffers from a buffer overflow vulnerability that can be exploited remotely through user interaction and/or a crafted file. It fails to perform adequate boundary checking of the user input file (.m3u playlist, 1016 bytes), which allows the EIP, ECX and EBP registers to be overwritten.

--------------------------------------------------------------------------------

(e7c.c40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=41414141 edx=00da5c98 esi=0050b460 edi=0012ee24
eip=41414141 esp=0012eab8 ebp=41414141 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
41414141 ?? ???

--------------------------------------------------------------------------------
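
A defensive check for the condition described above, as an added example (not part of the advisory or the vendor's code): it scans a playlist's raw bytes and reports entries of 1016 bytes or more. Using the advisory's 1016-byte figure as the flagging threshold is an assumption of this example, as are the names `scan_m3u`, `longest_run` and `LIMIT`.

```python
# Assumption: the advisory's "1016 bytes" is used here as the entry length at
# which a playlist line is reported; tune LIMIT for your environment.
LIMIT = 1016


def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte (filler such as 0x41)."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def scan_m3u(raw: bytes, limit: int = LIMIT):
    """Return one finding per playlist line of `limit` bytes or more.

    Operates on bytes, not decoded text, because a fixed-size buffer is
    filled by byte count. Lines starting with '#' are M3U directives
    (#EXTM3U, #EXTINF); they are measured too, since a parser reads them.
    """
    findings = []
    for lineno, line in enumerate(raw.splitlines(), start=1):
        entry = line.strip()
        if len(entry) >= limit:
            findings.append({
                "line": lineno,
                "length": len(entry),
                "directive": entry.startswith(b"#"),
                "longest_run": longest_run(entry),
                "non_printable": sum(1 for b in entry if b < 0x20 or b > 0x7E),
            })
    return findings


# Constructed sample: an ordinary playlist plus one oversized entry.
SAMPLE = (
    b"#EXTM3U\r\n"
    b"#EXTINF:215,Artist - Track\r\n"
    b"C:\\Music\\track01.mp3\r\n"
    + b"A" * 1100 + b"\r\n"
)

if __name__ == "__main__":
    for finding in scan_m3u(SAMPLE):
        print(finding)
```

A long single-byte run or a high non-printable count in a reported entry is a useful triage signal, since ordinary file paths and stream URLs rarely show either.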

Vendor
James Chapman - http://www.vuplayer.com
Affected Version
2.49
Tested On
Microsoft Windows XP Professional SP2 (English)
Vendor Status
N/A
PoC
vuplayer_bof.pl
Credits
Vulnerability discovered by Greg Linares & Expanders in version 2.44 (2006)
Exploit coded by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.securityfocus.com/bid/21363
[2] http://www.packetstormsecurity.org/filedesc/vuplayer_bof.pl.txt.html
[3] http://www.securityhome.eu/exploits/exploit.php?eid=13259671948aa1b65ce1f13.77636425
[4] http://www.youtube.com/watch?v=WajNe92FT5Y
[5] http://it.com.mk/index.php/Gjoko-Krstic/Sigurnost/eksploatacija-na-VUPlayer-2.49-+-Demonstracija
Changelog
[18.08.2008] - Initial release
[25.08.2008] - Added reference [4]
[01.09.2008] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk