Elecard MPEG Player 5.7 Local Buffer Overflow PoC (SEH)

Title: Elecard MPEG Player 5.7 Local Buffer Overflow PoC (SEH)
Advisory ID: ZSL-2011-4998
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 24.02.2011
Summary
Elecard MPEG Player is a high-quality full-featured multimedia player supporting the newest formats, designed to provide you with video and audio playback.
Description
The program suffers from a buffer overflow vulnerability (with SEH overwrite) when opening a playlist file (.m3u) whose entry has been padded with extra bytes beyond the length the player expects.

--------------------------------------------------------------------------------

(d08.33c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000104 ebx=000037bb ecx=0000002a edx=00000104 esi=0013c73c edi=0013ffff
eip=0045563e esp=0013c6c0 ebp=0013cb14 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x5563e:
0045563e f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> g
(d08.33c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=44444444 edx=7c9032bc esi=00000000 edi=00000000
eip=44444444 esp=0013c2f0 ebp=0013c310 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
+0x44444443:
44444444 ?? ???
0:000> !exchain
0013c304: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc)
0013cb04: +44444443 (44444444)
Invalid exception stack at 43434343

--------------------------------------------------------------------------------
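
The `!exchain` output above shows the structured exception handler at 0013cb04 pointing to 44444444 with a next-record pointer of 43434343, i.e. the SEH record on the stack has been replaced by bytes copied straight out of the oversized playlist entry. A defender triaging a suspect .m3u wants to spot that shape of file before a player ever opens it. The following validator is an added example, not the advisory's PoC (elecardmpeg_bof.py) and not Elecard code: it parses a playlist, skips #EXTM3U/#EXTINF directives, and flags entries that exceed a length bound, consist of one repeated byte, or carry control bytes. The thresholds MAX_ENTRY_LEN and MAX_REPEAT_RUN and both sample playlists are constructed for illustration.

```python
"""Triage check for suspicious .m3u playlists (added example, not advisory code)."""
from dataclasses import dataclass, field

# Assumed bound: Windows MAX_PATH is 260 characters; a media path or URL
# longer than this is at least unusual as a playlist entry.
MAX_ENTRY_LEN = 260
# Assumed bound: one byte value repeated this many times in a row is the
# signature of padding, not of a real path.
MAX_REPEAT_RUN = 64


@dataclass
class Finding:
    line_no: int
    reason: str
    length: int


@dataclass
class PlaylistReport:
    entries: int = 0
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte value in data."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def check_playlist(raw: bytes) -> PlaylistReport:
    """Parse raw .m3u bytes and flag entries that look like overflow padding.

    Lines starting with '#' are directives or comments (#EXTM3U, #EXTINF)
    and are skipped; every other non-empty line counts as a media entry.
    """
    report = PlaylistReport()
    for line_no, line in enumerate(raw.splitlines(), start=1):
        entry = line.strip(b"\r")
        if not entry or entry.startswith(b"#"):
            continue
        report.entries += 1
        if len(entry) > MAX_ENTRY_LEN:
            report.findings.append(Finding(line_no, "entry exceeds MAX_ENTRY_LEN", len(entry)))
        if longest_run(entry) > MAX_REPEAT_RUN:
            report.findings.append(Finding(line_no, "long run of one repeated byte", len(entry)))
        if any(b < 0x20 and b != 0x09 for b in entry):
            report.findings.append(Finding(line_no, "control bytes in entry", len(entry)))
    return report


# Constructed sample inputs (not taken from the advisory's PoC).
BENIGN_PLAYLIST = (
    b"#EXTM3U\r\n"
    b"#EXTINF:213,Example Track\r\n"
    b"C:\\Media\\example_track.mp3\r\n"
    b"http://media.example/stream.m2ts\r\n"
)

# One entry far longer than any real path and built from a single repeated
# byte: the shape a crash-triggering playlist presents in triage.
SUSPICIOUS_PLAYLIST = b"#EXTM3U\r\n" + b"A" * 5000 + b"\r\n"


if __name__ == "__main__":
    for name, data in (("benign", BENIGN_PLAYLIST), ("suspicious", SUSPICIOUS_PLAYLIST)):
        rep = check_playlist(data)
        print(f"{name}: {rep.entries} entries, suspicious={rep.suspicious}")
        for f in rep.findings:
            print(f"  line {f.line_no}: {f.reason} (length {f.length})")
```

The length bound is the check that matters for this class of bug: a player that copies an entry into a fixed-size stack buffer (the `rep movs` at the first access violation, with edi already at 0013ffff, the top of the stack) is only reachable through an entry longer than that buffer, so rejecting or quarantining such files upstream removes the trigger regardless of what bytes follow.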

Vendor
Elecard Group - http://www.elecard.com
Affected Version
5.7.100629
Tested On
Microsoft Windows XP Professional SP3 (EN)
Vendor Status
N/A
PoC
elecardmpeg_bof.py
Credits
Vulnerability discovered by Dame Jovanoski - <jovanoski@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/16237/
[2] http://securityreason.com/exploitalert/10044
[3] http://packetstormsecurity.org/files/98708
[4] http://www.securityfocus.com/bid/46559
Changelog
[24.02.2011] - Initial release
[25.02.2011] - Added reference [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk