VideoLAN VLC Media Player 2.0.4 – ‘.swf’ Crash (PoC)

• Exploit Database
• 12 阅读

• 作者： coolkaveh
  日期： 2012-12-07
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/23201/

• Title:VLC media player 2.0.4 buffer overflow POC
  Version:2.0.4 Twoflower
  Date :2012-12-06
  Vendor :www.videolan.org/vlc/
  Impact :Med/High
  Contact:coolkaveh [at] rocketmail.com
  Twitter:@coolkaveh
  tested :windows XP SP3
  Author :coolkaveh
  #####################################################################################################################
  VLC media player (also known as VLC) is a highly portable free and open-source media player and streaming 
  media server written by the VideoLAN project. It is a cross-platform media player, with versions for 
  Microsoft Windows, OS X, GNU/Linux, Android, BSD, Solaris, iOS, Syllable, BeOS, MorphOS, QNX and eComStation
  #####################################################################################################################
  Bug :
  ----
  buffer overflow during the handling of the swf file
  context-dependent
  Successful exploits can allow attackers to execute arbitrary code
  ----
  ######################################################################################################################
  (7b4.a14): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=75737574 ebx=00e44c20 ecx=7ffd5000 edx=00e44e84 esi=038488c8 edi=000007c0
  eip=75737574 esp=0196fb5c ebp=00000002 iopl=0 nv up ei pl nz na pe nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00210206
  Missing image name, possible paged-out or corrupt data.
  75737574 ?????
  0:009>!exploitable -v
  eax=75737574 ebx=00e44c20 ecx=7ffd5000 edx=00e44e84 esi=038488c8 edi=000007c0
  eip=75737574 esp=0196fb5c ebp=00000002 iopl=0 nv up ei pl nz na pe nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00210206
  75737574 ?????
  HostMachine\HostUser
  Executing Processor Architecture is x86
  Debuggee is in User Mode
  Debuggee is a live user mode debugging session on the local machine
  Event Type: Exception
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for ntdll.dll - 
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll - 
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll - 
  Exception Faulting Address: 0x75737574
  First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
  Exception Sub-Type: Data Execution Protection (DEP) Violation
  
  Exception Hash (Major/Minor): 0x307d391a.0x6f0f1537
  
  Stack Trace:
  Unknown
  libvlccore!vout_ReleasePicture+0x32
  libavcodec_plugin!vlc_entry_license__1_2_0l+0xe09
  libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf26b
  libavcodec_plugin!vlc_entry_license__1_2_0l+0xdee0e
  libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf37b
  ntdll!RtlFreeHeap+0x18b
  Instruction Address: 0x0000000075737574
  
  Description: Data Execution Prevention Violation
  Short Description: DEPViolation
  Exploitability Classification: EXPLOITABLE
  Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000075737574 called from libvlccore!vout_ReleasePicture+0x0000000000000032 (Hash=0x307d391a.0x6f0f1537)
  
  User mode DEP access violations are exploitable.
  ################################################################################
  Proof of concept included.
  
  http://www39.zippyshare.com/v/91522221/file.html
  Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23201.rar