VideoLAN VLC Media Player 2.1.3 – ‘.avs’ Crash (PoC)

  • Author: kw4
  • Date: 2014-02-25
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/31899/
    # Exploit Title: VLC 2.1.3 WriteAV Vulnerability, Decoders
    # Date: 2014/02/20
    # Exploit Author: kw4
    # Software Link: http://www.videolan.org/vlc/index.html
    # Version: 2.1.3
    # Impact: Med/High
    # Tested on: Windows 7 64 bits
    
    Memory corruption occurs when VLC tries to load a crafted .avs file.
    
    (2b10.2750): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=1a6fdbf8 ebx=15778b88 ecx=00000310 edx=1a2843c0 esi=1a284360 edi=00000311
    eip=540716b4 esp=1b34fd50 ebp=00000480 iopl=0 nv up ei pl nz na po nc
    
    HostMachine\HostUser
    Executing Processor Architecture is x86
    Debuggee is in User Mode
    Debuggee is a live user mode debugging session on the local machine
    Event Type: Exception
    Exception Faulting Address: 0x1a285000
    First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
    Exception Sub-Type: Write Access Violation
    
    Faulting Instruction:540716b4 fstp dword ptr [edx+ecx*4]
    
    Exception Hash (Major/Minor): 0xf1ffd179.0x98f1d37c
    
     Hash Usage : Stack Trace:
    Major+Minor : libmpgatofixed32_plugin+0x16b4
    Major+Minor : libvlccore!vlc_getProxyUrl+0x411
    Major+Minor : libvlccore!aout_FiltersPlay+0x7a
    Major+Minor : libvlccore!aout_CheckChannelExtraction+0x17f3
    Major+Minor : libvlccore!input_Control+0x1431
    Minor : libvlccore!input_Control+0x1708
    Minor : libvlccore!input_Control+0x33c5
    Minor : ntdll!RtlImageNtHeader+0x30e
    Minor : libvlccore!vlc_threadvar_set+0x24
    Minor : libvlccore!vlc_threadvar_delete+0x128
    Minor : msvcrt!endthreadex+0x6c
    Minor : kernel32!BaseThreadInitThunk+0x12
    Excluded: ntdll!RtlInitializeExceptionChain+0x63
    Excluded: ntdll!RtlInitializeExceptionChain+0x36
    Instruction Address: 0x00000000540716b4
    
    Description: User Mode Write AV
    Short Description: WriteAV
    Exploitability Classification: EXPLOITABLE
    Exploitable - User Mode Write AV starting at libmpgatofixed32_plugin+0x00000000000016b4 (Hash=0xf1ffd179.0x98f1d37c)
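    A triage check on the dump above, added here as example code that is not part of the advisory: it re-derives the effective address of the faulting `fstp dword ptr [edx+ecx*4]` from the register line, confirms it equals the reported faulting address, and reports that the address is the first byte of a page, which means every byte before it was writable and the 4-byte store stepped off the end of a mapping, the usual shape of an array overrun. It assumes 32-bit register names and Intel-syntax memory operands as printed by WinDbg.

```python
import re

# Constructed excerpt of the WinDbg/!exploitable output quoted above (values copied from the dump).
CRASH_LOG = """
eax=1a6fdbf8 ebx=15778b88 ecx=00000310 edx=1a2843c0 esi=1a284360 edi=00000311
eip=540716b4 esp=1b34fd50 ebp=00000480 iopl=0 nv up ei pl nz na po nc
Exception Faulting Address: 0x1a285000
Faulting Instruction:540716b4 fstp dword ptr [edx+ecx*4]
"""

PAGE = 0x1000  # x86 page size; assumed, matches the 32-bit Windows target in the dump
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
TERM_RE = re.compile(r"([+-]?)([0-9a-z]+)(?:\*([1248]))?")
WIDTH = {"byte": 1, "word": 2, "dword": 4, "qword": 8}

def parse_registers(log):
    """Map register name -> value from the 'eax=... ebx=...' lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(log)}

def effective_address(operand, regs):
    """Resolve a 32-bit x86 memory operand such as 'edx+ecx*4' or 'esi-0x10'."""
    addr = 0
    for sign, term, scale in TERM_RE.findall(operand.replace(" ", "")):
        value = regs[term] if term in regs else int(term, 16)  # register or hex displacement
        value *= int(scale) if scale else 1
        addr += -value if sign == "-" else value
    return addr & 0xFFFFFFFF

def triage(log):
    """Cross-check the reported faulting address against the faulting instruction."""
    regs = parse_registers(log)
    instr = re.search(r"Faulting Instruction:\s*[0-9a-f]+\s+(.+)", log).group(1)
    reported = int(re.search(r"Exception Faulting Address:\s*0x([0-9a-f]+)", log).group(1), 16)
    width = WIDTH[re.search(r"\b(byte|word|dword|qword) ptr", instr).group(1)]
    ea = effective_address(re.search(r"\[([^\]]+)\]", instr).group(1), regs)
    return {
        "effective_address": ea,
        "matches_report": ea == reported,
        "access_width": width,
        # Offset 0 means the fault hit the first byte of a fresh page: the write
        # ran past the end of whatever mapping ended at the page boundary.
        "page_offset": ea % PAGE,
    }

if __name__ == "__main__":
    for key, val in triage(CRASH_LOG).items():
        print(f"{key}: {val:#x}" if type(val) is int else f"{key}: {val}")
```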
    
    Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/31899.avs