CVE-2007-0949
Published: 2007-02-15
Priority: P3 · 48 · critical · CVSS 2.0 base score 10
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 16.26% (96.6th percentile)
Stack-based buffer overflow in iTinySoft Studio Total Video Player 1.03, and possibly earlier, allows remote attackers to execute arbitrary code via a M3U playlist file that contains a long file name. NOTE: it was later reported that 1.20 and 1.30 are also affected.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| itinysoft_studio | total_video_player | <= 1.03 | — |
No detection rules found.
Exploit-DB: Total Video Player 1.20 - '.m3u' File Local Stack Buffer Overflow (exploitdb · 2008-02-07)
---
/*0day Total Video Player V1.20 .M3u File Local Stack Buffer Overflow
This exploit spawns Calc.exe or binds a port and spawns a shell, and was tested on Windows XP SP2.
I got the idea to look in a prior version of TVP and,
surprise, vuln too, just as V1.30.
When parsing a crafted .m3u file the stack gets corrupted, due to a
long string, and causes a stack overflow. We get control of the EBP and
EIP registers. The ESP register points exactly after the retaddress position.
[corrupted stack] [EIP->points here][ESP->points here]
So do a jmp back and a JMP ESP and it points to a specific part of
the stack that I want. Credits for finding this bug && sploit go to fl0 fl0w.
Vendor not informed yet.
Special THANKS to Expanders !!!!
*/
#include
Exploit-DB: Total Video Player 1.03 - '.m3u' File Local Buffer Overflow (exploitdb · 2008-02-01)
---
/*0day Total Video Player V1.03 .m3u file Local Buffer Overflow
In this exploit you choose to bind a port or to spawn calc.exe.
After I crafted a playlist I observed that the stack got corrupted.
The corruption occurred in some points, and overwrote a SEH handler.
I managed to get control of the ECX register after a ~800 byte buffer
overflowed. The EIP register was overwritten after 849 bytes, and if more
you can get control of ESI as well. I think that this is the correct
order; anyway, overwriting the EIP register was enough to exploit
the program and modify execution.
Credits for finding this bug go to fl0 fl0w, exploit by fl0 fl0w.
Special thanks to Expanders !!!!
Usage
You can choose a RET address, I put some addresses f
No writeups or analysis indexed.
References:
- http://osvdb.org/33187
- http://secunia.com/advisories/23999
- http://www.securityfocus.com/bid/22553
- https://exchange.xforce.ibmcloud.com/vulnerabilities/32479
- https://www.exploit-db.com/exploits/5032
- https://www.exploit-db.com/exploits/5077